Solved

hosts.deny apparently ineffectual

Posted on 2004-08-19
8
1,298 Views
Last Modified: 2010-05-18
I'm running a RedHat ES mail server (Postfix, Amavis, ClamAV), which has been barraged lately by the Zafi worm.  

Messages arrive from "you@yourname.com" and one of three (so far) IP numbers.  

My hosts.deny file looks like this:

ALL: 66.232.193.238
ALL: 66.232.196.58
ALL: 66.232.192.205
ALL: yourname.com

But these settings appear to have no effect (I restarted xinetd and have infact rebooted since changing settings).

I have an AT&T managed router and have had them deny the first two IP's, but almost immediately messages began to appear from a third.  I'd like to be able to take care of the denial on the server rather than the router (just to avoid needing to bug the AT&T people).

Would appreciate any suggestions.  I've never had to deny a host access before and feel like I'm missing something terribly obvious.  Points are based on some urgency.

Thank you!
0
Comment
Question by:suzdorr
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11842709
i.g. if your MTA (postfix) runs as daeomon hosts.deny is not in use
You need to tell postfix from which IPs to accept mail
  smtpd_recipient_restrictions
  smtpd_helo_restrictions
  smtpd_client_restrictions
  smtpd_helo_required

and some more are your friends ..
0
 

Author Comment

by:suzdorr
ID: 11846667
Good information, ahoffman.  Don't think it'll be my solution, unfortunately.

Amavisd gets the mail first and does virus and spam checking before sending it on to post fix.  I'd like the mail rejected from the outset, since the whole process of virus scanning, message bouncing, and administrative notification consumes so much server time and log space.  (I'm getting a Zafi message every few seconds -- so my log is full of this junk.)

I've put the IP number and name in my Amavisd blacklist, but that seems to have no effect.  Now that I know hosts.deny has no effect (thanks!) I'll do some further study of amavisd.conf to see what I might have missed.  If anyone has any thoughts about that, I'd be grateful.

0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 100 total points
ID: 11849860
is amavisd called by the portmapper from inetd? or runs it as daemon?
In the latter case host.deny is not used, except amavisd does it itself, you need to check your docs
0
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 100 total points
ID: 11862708
Generally hosts.deny is not used unless  the program is run from inetd using tcpd  or was linked against
the tcp wrappers library when compiled.

I think your best off installing/enabling Netfilter on the system and using iptables to filter out the connections earlier on
using the firewall configuration, i.e.

iptables -A INPUT -s 66.232.193.238  --dport 25 -j DENY

(and make sure firewall settings are saved in some manner so that the rules will reload at boot)

your other blacklist is still useful in case they get a new ip with the same domain
0
 

Assisted Solution

by:Lego_Maniac
Lego_Maniac earned 100 total points
ID: 11919762
If you don't have iptables installed, you can also do the "poor man's firewall".  
Basically route the IP addresses into a black hole, so that return traffic can't reach the offending IP addresses.
SMTP requires a bidirectional communication, so if your traffic can't get back to them, they effectively can't open the SMTP connection (or any connection)

route add 66.232.193.238 gw 10.255.255.254
(pick any unused IP that's local to your network)

This will cause some ARP-WHO IS traffic, but you can cure that with static arp entries:
arp -s 66.232.193.238 aa:bb:cc:dd:ee:ff
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CentOS 6.6 Port opening question 1 136
Information Security Awareness Resources 2 177
Is using shell_exec safe? 8 91
Centos 6 User Can't Assign Password 2 24
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now