On Thu, 22 Jul 2004, Bopolissimus X Platypus wrote:

..

> > is anyone seeing anything like this on their servers? how do i mitigate?
>
> ok, Victor Duchovni on the postfix mailing list said to set
> smtpd_error_sleep_time to 0s (default is 1s for tar-pitting, but we're up
> against what looks like a DDoS, so tar-pitting hurts us more than it
> hurts them).
>
> the system seems to be stabilizing because of this. does anyone have any
> more ideas though to handle this? i'm starting to look down on the
> program that adds iptables rules. right now we're at 6800 different
> IPs, and adding 6800 DROP rules will probably slow us down too much,
> and if they keep recruiting attackers, the number of rules can only
> increase.

don't use iptables. doesn't work too well.

> will putting the IPs in access.db work? i'm not so sure about this since
> i don't want to blacklist IPs indefinitely (some might be legitimate

don't do this. doesn't work too well. :P

just use relay_recipient_maps() and friends. faster than doing getpwnam()
or getpwuid() since the passwd map is not hashed. so create a local-user
hash from the passwd file.

we used to do iptables and blacklist before. iptables rules would reach
the 40,000 level on each smtp relay (x5). doing access.db rejects doesn't
save you much, because the incoming DoS still uses smtpd processes.

you also want to limit the number of hard errors from a given host so
they can't dictionary-attack you with multiple false recipients in a
single message.

here's what i do:

    disable_vrfy_command = yes
    smtpd_banner = $myhostname NO UCE ESMTP
    smtpd_delay_reject = no

    # slowing down bad clients [added recommendations from wietse]
    # we NEED hard_error_limit in order for dictionary-attack stoppage to work
    smtpd_error_sleep_time = 0s
    smtpd_soft_error_limit = 5
    smtpd_hard_error_limit = 10
    smtpd_timeout = 30s

also, up your # of smtpd's so your users can still send out. add more RAM
if need be.

---
Orlando Andico <[EMAIL PROTECTED]>
Mosaic Communications, Inc.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
. To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
. Are you a Linux newbie? To join the newbie list, go to
  http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
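The reply above suggests building a "local-user hash from the passwd file" for relay_recipient_maps so smtpd can reject bogus RCPT TO addresses without a getpwnam() per recipient. The script below is an added example of that step, not code from the post or from Postfix: it turns a passwd-format file into the "user@domain OK" text that postmap hashes, and includes the lookup smtpd would do against it. The domain name, the UID range used to separate real mailboxes from system accounts, and the sample passwd content are all assumptions made for the example.

```bash
#!/bin/sh
# Added example (not from the original post or from Postfix).
# Builds a relay_recipient_maps source file from a passwd-format file so
# that unknown recipients are rejected at RCPT TO time from a hashed map
# instead of a getpwnam() lookup per recipient.

# Constructed sample passwd content: system accounts plus two real users.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh'

# build_recipient_map PASSWD_FILE DOMAIN MIN_UID MAX_UID
#   Prints one "user@DOMAIN OK" line per account whose UID lies in
#   [MIN_UID, MAX_UID].  The range is an assumption: it keeps ordinary
#   users and drops root, daemons and "nobody".
build_recipient_map() {
    awk -F: -v domain="$2" -v min_uid="$3" -v max_uid="$4" '
        ($3 + 0) >= (min_uid + 0) && ($3 + 0) <= (max_uid + 0) {
            print $1 "@" domain " OK"
        }' "$1"
}

# recipient_allowed MAP_FILE ADDRESS
#   Returns 0 if ADDRESS has an "OK" entry in the map text (the decision
#   smtpd makes before accepting RCPT TO), 1 otherwise.  Case-insensitive
#   and fixed-string so "." and "@" in the address are not regex metas.
recipient_allowed() {
    grep -qixF "$2 OK" "$1"
}

# Stand-alone usage: write the map text and show the postmap step.
main() {
    passwd_tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$passwd_tmp"
    build_recipient_map "$passwd_tmp" example.org 1000 59999 > local_recipients
    rm -f "$passwd_tmp"

    cat local_recipients
    echo "# then: postmap hash:/etc/postfix/local_recipients"
    echo "# main.cf: relay_recipient_maps = hash:/etc/postfix/local_recipients"

    for rcpt in alice@example.org mallory@example.org; do
        if recipient_allowed local_recipients "$rcpt"; then
            echo "$rcpt: accept"
        else
            echo "$rcpt: reject (unknown recipient)"
        fi
    done
}

# Run the demo only when executed directly, not when sourced by a test.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

Regenerate the map whenever accounts change (a cron job or a hook in the account-creation script), and run postmap afterwards; Postfix reads the hashed .db file, not the text file, so an edited text file without a fresh postmap changes nothing.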
