
Our Postfix mailserver has been getting thousands of automated login attempts from a bot. The mailserver is behind a Netgear FVS338 firewall.

How can I completely block inbound connections from that IP address using the Netgear FVS338 firewall?

I added the following Inbound Service rule, but it appeared to have no effect, as the Postfix log still kept showing failed login entries. (I have obfuscated the IP address.)

[Two screenshots of the Inbound Service rule; images not available]

These are the entries in /var/log/mail.info that brought it to my attention. (IP address changed to 1.2.3.4 when posting here)

Aug 27 14:33:52 mail pop3d: Maximum connection limit reached for ::ffff:1.2.3.4
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=anthony, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=antonio, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=anon, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=andrei, ip=[::ffff:1.2.3.4]
Matthew Lock

1 Answer

It looks like your rule is on the bottom of the list. I believe Netgear uses order of precedence when applying firewall rules.

http://www.downloads.netgear.com/files/FVS338_RM_28Jan2010.pdf - Page 4-8

Try moving it up above "Allow All" if there is one.

If that doesn't fix it, you can use IPsec / IPTables on the server itself as a quick remedy.

Upgrayedd
  • Thanks, I did end up using this as a temporary workaround (iptables -I INPUT -s 1.2.3.4 -j DROP). I will check out the order of precedence thing next time I'm at the site. – Matthew Lock Aug 27 '15 at 23:19
  • http://documentation.netgear.com/dg834n/enu/202-10197-02/Firewall.5.4.html#48121 – Matthew Lock Sep 01 '15 at 03:55
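Added example (not part of the original question, answer or comments): a small Python script that counts the `LOGIN FAILED` entries per source address in log lines of the format quoted in the question, unwraps the `::ffff:` IPv4-mapped form, and prints host-level DROP rules of the kind used in the comment above for review. The last two sample lines, the `threshold` parameter and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the lines quoted in the question plus two constructed lines.
SAMPLE_LOG = """\
Aug 27 14:33:52 mail pop3d: Maximum connection limit reached for ::ffff:1.2.3.4
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=anthony, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=antonio, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=anon, ip=[::ffff:1.2.3.4]
Aug 27 14:33:52 mail pop3d: LOGIN FAILED, user=andrei, ip=[::ffff:1.2.3.4]
Aug 27 14:35:10 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:5.6.7.8]
Aug 27 14:36:01 mail pop3d: LOGIN FAILED, user=carol, ip=[2001:db8::10]
"""

FAILED = re.compile(r"LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]")

def normalize(raw):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def failed_logins(log_text):
    """Count LOGIN FAILED lines per normalized source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[normalize(m.group("ip"))] += 1
        except ValueError:
            continue  # malformed address field: never build a rule from it
    return counts

def block_rules(counts, threshold):
    """Return DROP rules for addresses with at least `threshold` failures."""
    rules = []
    for addr, n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if n >= threshold:
            tool = "iptables" if addr.version == 4 else "ip6tables"
            rules.append(f"{tool} -I INPUT -s {addr} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(block_rules(failed_logins(SAMPLE_LOG), threshold=3)))
```

The rules are only printed, so they can be checked against known-good client addresses before anything is applied on the server.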