feat: add Postfix slow brute-force and HELO rejection scenarios#1695
Open
Etilem wants to merge 1 commit intocrowdsecurity:masterfrom
Open
feat: add Postfix slow brute-force and HELO rejection scenarios#1695Etilem wants to merge 1 commit intocrowdsecurity:masterfrom
Etilem wants to merge 1 commit intocrowdsecurity:masterfrom
Conversation
Add slow brute-force detection scenarios for Postfix SMTP authentication and evasive HELO rejection attacks: - melite/postfix-slow-bf (leakspeed 900s, capacity 7) - melite/postfix-very-slow-bf (leakspeed 4h, capacity 5) - melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5) - melite/postfix-helo-very-slow (leakspeed 4h, capacity 5) Includes parser melite/postfix-submission-auth (s01-parse) for port 587 auth failures invisible to standard parsers, and hub tests.
Etilem
force-pushed
the
feat/postfix-slow-bf
branch
from
8dabf51 to
11bd514
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add slow brute-force detection scenarios for Postfix SMTP authentication (port 25 and port 587) and evasive HELO rejection attacks. Includes a custom parser for submission port (587) auth failures that are invisible to standard parsers.
Developed and tested on a production mail server handling 17 domains, where these scenarios detected persistent evasive attacks that standard Postfix scenarios missed entirely.
Problem
Standard CrowdSec Postfix detection has two major gaps:
Slow SASL brute-force on port 25:
crowdsecurity/postfix-bfhas a short detection window. Attackers spacing attempts 15+ minutes apart evade it completely.Port 587 (submission) auth failures are invisible: When using STARTTLS on port 587, Postfix does NOT log explicit "SASL authentication failed" messages. Auth failures only appear as
auth=0/Nin disconnect summary lines — no standard parser extracts this information.Slow HELO rejection attacks:
crowdsecurity/postfix-helo-rejectedhas a ~10 minute window. Evasive spammers sending invalid HELO commands ~70 minutes apart go undetected.Scenarios
melite/postfix-slow-bfmelite/postfix-very-slow-bfmelite/postfix-submission-very-slow-bfmelite/postfix-helo-very-slowThe first two scenarios include
_user-enumvariants (usingdistinctonsasl_username).Parser
melite/postfix-submission-auth(s02-enrich): Extractsauth=0/Npattern from Postfix disconnect lines. Runs in s02-enrich (aftercrowdsecurity/postfix-logsparses the line in s01). Tags matching lines withlog_type_enh: submission-auth-failed.Example log that was previously invisible:
Testing
Dependencies
crowdsecurity/syslog-logscrowdsecurity/postfix-logscrowdsecurity/dateparse-enrich