From 7713333d318e99e1af683560fcd3dbd0918380ae Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Wed, 30 May 2012 14:01:25 -0400 Subject: [PATCH] p0f: POD improvements --- plugins/ident/p0f | 50 +++++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/plugins/ident/p0f b/plugins/ident/p0f index 2386980..d820cc7 100644 --- a/plugins/ident/p0f +++ b/plugins/ident/p0f @@ -11,9 +11,9 @@ implement more sophisticated anti-spam policies. =head1 DESCRIPTION -This p0f module inserts a 'p0f' note that other qpsmtpd plugins can inspect. -It includes the following information about the TCP fingerprint (link, -detail, distance, uptime, genre). Here's an example connection note: +This p0f module inserts a I connection note with information deduced +from the TCP fingerprint. The note typically includes at least the link, +detail, distance, uptime, genre. Here's a p0f v2 example: genre => FreeBSD detail => 6.x (1) 
@@ -26,20 +26,29 @@ Which was parsed from this p0f fingerprint: 24.18.227.2:39435 - FreeBSD 6.x (1) (up: 1390 hrs) -> 208.75.177.101:25 (distance 17, link: ethernet/modem) +When using p0f v3, the following additional values may also be available in +the I connection note: + +=over 4 + +magic, status, first_seen, last_seen, total_conn, uptime_min, up_mod_days, last_nat, last_chg, distance, bad_sw, os_match_q, os_name, os_flavor, http_name, http_flavor, link_type, and language. + +=back + =head1 MOTIVATION This p0f plugin provides a way to make sophisticated policies for email messages. For example, the vast majority of email connections to my server -from Windows computers are spam (>99%). But, I have a few clients that use -Exchange servers so I can't just block email from all Windows computers. +from Windows computers are spam (>99%). But, I have clients with +Exchange servers so I can't block email from all Windows computers. -Same goes for greylisting. Finance companies (AmEx, BoA, etc) just love to -send notices that they won't queue and retry. Either they deliver at that -instant or never. When I enable greylisting, I lose valid messages. Grrr. +Same goes for greylisting. Finance companies (AmEx, BoA, etc) send notices +that they don't queue and retry. They deliver immediately or never. Enabling +greylisting means maintaining manual whitelists or losing valid messages. -So, while I'm not willing to use greylisting, and I'm not willing to block -connections from Windows computers, I am quite willing to greylist all email -from Windows computers. +While I'm not willing to use greylisting for every connection, and I'm not +willing to block connections from Windows computers, I am willing to greylist +all email from Windows computers. =head1 CONFIGURATION 
@@ -47,7 +56,7 @@ Configuration consists of two steps: starting p0f and configuring this plugin. =head2 start p0f -Create a startup script for PF that creates a communication socket when your +Create a startup script for p0f that creates a communication socket when your server starts up. p0f v2 example: @@ -73,10 +82,9 @@ It's even possible to run both versions of p0f simultaneously: =head2 local_ip -Use the local_ip option to override the IP address of your mail server. This -is useful if your mail server has a private IP because it is running behind -a firewall. For example, my mail server has the IP 127.0.0.6, but the world -knows my mail server as 208.75.177.101. +Use I to override the IP address of your mail server. This is useful +if your mail server runs on a private IP behind a firewall. My mail server has +the IP 127.0.0.6, but the world knows my mail server as 208.75.177.101. Example config/plugins entry with local_ip override: @@ -107,15 +115,11 @@ Version 2 code heavily based upon the p0fq.pl included with the p0f distribution =head1 AUTHORS -Robert Spier ( original author ) +2004 - Robert Spier ( original author ) -Matt Simerson +2010 - Matt Simerson - added local_ip option -=head1 CHANGES - -Added local_ip option - Matt Simerson (5/2010) - -Refactored and added p0f v3 support - Matt Simerson (4/2012) +2012 - Matt Simerson - refactored, v3 support =cut
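Review bot: in the DESCRIPTION hunk the new text drops the name of the note that other plugins must look up: as it appears in the patch the line reads "This p0f module inserts a I connection note", so the italic formatting code carries no note name, whereas the removed line said "inserts a 'p0f' note". Make sure the formatting code actually contains the literal note name (the same string the old line gave) so a plugin author knows what key to inspect. The same hunk also needs "and" before the last item in "the link, detail, distance, uptime, genre".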
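Review bot: in the "@@ -26,20 +26,29 @@" hunk the v3 field list is wrapped in "=over 4" / "=back" with no "=item" inside, which podchecker flags as an =over/=back block without items; either give each value its own "=item" or drop the =over/=back and leave the list as a plain paragraph wrapped to the width used elsewhere in this POD rather than one very long line. The list also includes "distance", which the DESCRIPTION just above names as a v2 value, so calling it an "additional" v3 value is misleading; remove it from this list or say that v3 reports it too.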
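Review bot: in the "@@ -73,10 +82,9 @@" (local_ip) hunk the rewritten sentence reads "Use I to override the IP address of your mail server", so the option name local_ip has been lost from the running text, and it is the string readers will search for; the removed line "Use the local_ip option to override" had it. Make sure the italic formatting code contains "local_ip", or keep the plain wording of the old line.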
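Review bot: in the AUTHORS hunk, "( original author )" keeps the stray spaces inside the parentheses from the old line; write "(original author)" to match the other entries. Folding the CHANGES section into AUTHORS also loses the months the old entries recorded ("5/2010", "4/2012"); if that history matters to anyone, keep the year-month form in the merged lines.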