Jorey Bump wrote:
Martijn de Munnik wrote, at 08/22/2009 02:06 PM:

I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
errors or sends too much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m

When a host is banned multiple short times it gets banned for 1 day. It
should be easy to get this working with iptables.

While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.

Good point.  I didn't think of it in this context.


Rod
--
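The two filters and the escalation described above, with the guard Jorey asks for, as an added example in Python (this is not fail2ban's own code and not something any poster ran): it applies the two failregex lines from the thread against constructed postfix/amavis log lines, bans a host after repeated matches inside a window, escalates a repeatedly banned host to a one-day ban, and honours an ignoreip-style allow-list so a shared MTA range is never banned. Assumptions not stated in the thread: `<HOST>` is reduced to an IPv4 capture group (fail2ban's real substitution also matches IPv6 and hostnames), the thresholds maxretry=3 / findtime=600s and "third ban within a day escalates" are illustrative choices, the syslog year is fixed to 2009, and all log lines and addresses are constructed.

```python
"""Minimal fail2ban-style tracker for the thread's two filters (added example).

Assumptions: IPv4-only <HOST>, fixed syslog year, constructed log lines,
illustrative maxretry/findtime/recidive thresholds.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> substitution (IPv4 only; assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

JAILS = {
    # filter from the post: 5xx reply to RCPT -> 1h ban
    "postfix-5xx": dict(failregex=r"reject: RCPT from (.*)\[<HOST>\]: 5\d\d",
                        maxretry=3, findtime=600, bantime=3600),
    # filter from the post: amavis passed a spam-tagged message -> 10m ban
    "amavis-spam": dict(failregex=r"Passed SPAM, \[<HOST>\]",
                        maxretry=3, findtime=600, bantime=600),
}
RECIDIVE_BANS = 3          # third ban of the same host ...
RECIDIVE_FINDTIME = 86400  # ... within one day ...
RECIDIVE_BANTIME = 86400   # ... escalates to a 1-day ban (thresholds are assumptions)

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2009):
    """Epoch seconds from a classic syslog prefix (year is assumed)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()


class BanTracker:
    def __init__(self, jails=JAILS, ignoreip=()):
        self.jails = {n: dict(j, rx=re.compile(j["failregex"].replace("<HOST>", HOST_RE)))
                      for n, j in jails.items()}
        # ignoreip: networks that must never be banned (e.g. large providers' MTAs)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(list)     # (jail, host) -> match timestamps
        self.ban_history = defaultdict(list)  # host -> ban timestamps
        self.bans = []                        # (ts, jail, host, bantime)

    def ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def observe(self, line):
        """Feed one log line; return (jail, host, bantime) if it triggers a ban."""
        ts = parse_ts(line)
        if ts is None:
            return None
        for name, jail in self.jails.items():
            m = jail["rx"].search(line)
            if not m:
                continue
            host = m["host"]
            if self.ignored(host):
                return None  # shared MTA: count nothing, ban nothing
            window = self.failures[(name, host)]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= jail["findtime"]]
            if len(window) < jail["maxretry"]:
                return None
            window.clear()
            hist = self.ban_history[host]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= RECIDIVE_FINDTIME]
            bantime = RECIDIVE_BANTIME if len(hist) >= RECIDIVE_BANS else jail["bantime"]
            self.bans.append((ts, name, host, bantime))
            return (name, host, bantime)
        return None


def run(lines, ignoreip=("203.0.113.0/24",)):
    """Replay log lines; return the list of (ts, jail, host, bantime) bans."""
    tracker = BanTracker(ignoreip=ignoreip)
    for line in lines:
        tracker.observe(line)
    return tracker.bans


def _rcpt(t, ip):
    return (f"Aug 22 {t} mail postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in "
            f"local recipient table; from=<x@example.net> to=<nobody@example.org> proto=ESMTP helo=<x>")


def _spam(t, ip):
    return (f"Aug 22 {t} mail amavis[2002]: (02002-01) Passed SPAM, [{ip}] [{ip}] "
            f"<x@example.net> -> <bob@example.org>, Hits: 12.3, size: 2048, queued_as: ABC123")


# Constructed sample log: 192.0.2.10 earns two 1h bans, then a third ban escalates
# to 1 day; 203.0.113.5 (inside the ignoreip range) sends spam but is never banned.
SAMPLE_LOG = [
    _rcpt("14:00:01", "192.0.2.10"), _rcpt("14:00:05", "192.0.2.10"), _rcpt("14:00:09", "192.0.2.10"),
    _rcpt("15:30:00", "192.0.2.10"), _rcpt("15:30:05", "192.0.2.10"), _rcpt("15:30:10", "192.0.2.10"),
    _spam("16:00:00", "192.0.2.10"), _spam("16:00:05", "192.0.2.10"), _spam("16:00:10", "192.0.2.10"),
    _spam("16:05:00", "203.0.113.5"), _spam("16:05:05", "203.0.113.5"), _spam("16:05:10", "203.0.113.5"),
]

if __name__ == "__main__":
    for ts, jail, host, bantime in run(SAMPLE_LOG):
        print(f"{jail:12} ban {host} for {bantime}s")
```

Rerunning `run(SAMPLE_LOG, ignoreip=())` shows the failure mode from the thread: without the allow-list, three spam messages relayed through 203.0.113.5 are enough to ban that whole MTA for 10 minutes, which is exactly how an attacker would cut you off from a large provider.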

