On 1/7/2015 10:09 PM, rogt3...@proinbox.com wrote:
> Hi
> 
> What's the correct method in Postfix for preventing this sort of connection 
> burst (log below)?
> 
> I can sure deal with it AFTER the fact.  But I'm looking for the best way to 
> shut it down asap WHILE it's happening, and then prevent from happening again.
> 
> I found this section
> 
>   http://www.postfix.org/TUNING_README.html#conn_limit
> 
> which suggests 'anvil' but it makes a point: "IMPORTANT: These limits must 
> not be used to regulate legitimate traffic: mail will suffer grotesque delays 
> if you do so. The limits are designed to protect the smtpd(8) server against 
> abuse by out-of-control clients."
> 
> That seems to say NOT to tweak the settings to generally prevent this but to 
> use it after the fact (Not sure yet how you make it pay attention to specific 
> IPs).  Maybe I'm misunderstanding it.
> 
> Just looking for some experience on setting this sort of protection up, and I 
> don't want to end up misusing anvil.

Feel free to adjust the anvil settings to something appropriate for
your site.  The anvil settings you use should be high enough that
legit servers never trigger the limit.  We can't give you much
guidance on what numbers are appropriate for your site.

Some people try to use anvil for traffic shaping, or limiting
normal/legit traffic. Don't do that.   Do review your logs to make
sure legit servers aren't being slowed by anvil -- if they are,
raise your limits.

Looks as if this particular client mostly just connected and then
disconnected after a few seconds.  This in itself is not
particularly harmful, as long as there aren't enough connections to
use up all your smtpd processes.

Consider enabling the postscreen service to help weed out bots
before they can connect to the real smtpd service.
http://www.postfix.org/POSTSCREEN_README.html

I also notice this client sent the AUTH command a few times, but
apparently didn't stay connected long enough to actually try sending
credentials.  You can use fail2ban or similar to temporarily
firewall clients that try to AUTH but fail several times.  Be
generous in your limits so you don't lock out legit users who have a
config problem.

  -- Noel Jones
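The reply's advice to review the logs and make sure legitimate servers aren't being slowed by anvil can be scripted. The following is an added example, not code from the original post or from the Postfix project: it scans a mail log for the "Connection rate limit exceeded" / "Connection concurrency limit exceeded" warnings that smtpd writes when an anvil limit trips, plus the "statistics: max connection ..." peak lines anvil logs, and then lists any client whose reverse-DNS name belongs to a domain you already trust, since those are the cases where the limits should be raised rather than the client blocked. The log lines and the `legit_domains` set are constructed for illustration; the message formats are modeled on what Postfix writes, but check them against your own log before relying on the patterns.

```python
"""Summarize Postfix anvil limit warnings so legit senders can be spotted.

Added example (not from the original post). Sample log lines below are
constructed; the formats follow Postfix smtpd/anvil messages.
"""
import re
from collections import defaultdict

# Constructed sample log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan  7 22:09:01 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Jan  7 22:09:02 mx postfix/smtpd[1234]: warning: Connection rate limit exceeded: 31 from unknown[192.0.2.10] for service smtp
Jan  7 22:09:03 mx postfix/smtpd[1235]: warning: Connection rate limit exceeded: 32 from unknown[192.0.2.10] for service smtp
Jan  7 22:09:04 mx postfix/smtpd[1236]: warning: Connection concurrency limit exceeded: 51 from unknown[192.0.2.10] for service smtp
Jan  7 22:10:00 mx postfix/smtpd[1240]: warning: Connection rate limit exceeded: 31 from mail.example.org[198.51.100.7] for service smtp
Jan  7 22:10:05 mx postfix/anvil[999]: statistics: max connection rate 32/60s for (smtp:192.0.2.10) at Jan  7 22:09:03
Jan  7 22:10:05 mx postfix/anvil[999]: statistics: max connection count 51 for (smtp:192.0.2.10) at Jan  7 22:09:04
"""

# smtpd warning emitted each time an anvil rate or concurrency limit trips.
LIMIT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection (?P<kind>rate|concurrency) limit "
    r"exceeded: (?P<count>\d+) from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] "
    r"for service (?P<service>\S+)"
)

# Periodic anvil peak statistics; the identifier is "service:client-address".
PEAK_RE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection (?P<kind>rate|count) "
    r"(?P<value>\d+)(?:/\d+s)? for \((?P<service>[^:]+):(?P<ip>[^)]+)\)"
)


def summarize_limit_warnings(log_text):
    """Count rate/concurrency warnings per client IP, keeping its rDNS name."""
    summary = {}
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue
        entry = summary.setdefault(
            m["ip"], {"hostname": m["host"], "rate": 0, "concurrency": 0}
        )
        entry[m["kind"]] += 1
    return summary


def anvil_peaks(log_text):
    """Return {ip: {"rate": n, "count": n}} from anvil's statistics lines."""
    peaks = defaultdict(dict)
    for line in log_text.splitlines():
        m = PEAK_RE.search(line)
        if m:
            peaks[m["ip"]][m["kind"]] = int(m["value"])
    return dict(peaks)


def legit_hosts_hitting_limits(summary, legit_domains):
    """IPs whose rDNS name is in a trusted domain: raise limits for these.

    `legit_domains` is a hypothetical allow-list you maintain; clients with
    no reverse DNS ("unknown") are never treated as known-legit.
    """
    hits = []
    for ip, entry in summary.items():
        host = entry["hostname"].lower()
        if host == "unknown":
            continue
        if any(host == d or host.endswith("." + d) for d in legit_domains):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize_limit_warnings(SAMPLE_LOG)
    peaks = anvil_peaks(SAMPLE_LOG)
    for ip, entry in summary.items():
        print(f"{ip:16} {entry['hostname']:20} rate={entry['rate']} "
              f"concurrency={entry['concurrency']} peaks={peaks.get(ip, {})}")
    trusted = {"example.org"}  # constructed allow-list for the demo
    print("legit senders tripping anvil (consider raising limits):",
          legit_hosts_hitting_limits(summary, trusted))
```

Run it against `/var/log/mail.log` (or whatever your syslog writes) by reading the file into `summarize_limit_warnings`; a trusted sender showing up in the last line is the signal the reply warns about, and the fix is a higher `smtpd_client_connection_rate_limit` or an exception for that client, not a block.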
