Hi David, I don't know if this can help you but I use iptables with
xrecent module to limit 10 connections per minute on each port on my
server: 

iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set \
    --name SMTP --rsource
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 10 --name SMTP --rsource -j DROP
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent \
    --set --name POP3 --rsource
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 10 --name POP3 --rsource -j DROP
iptables -A INPUT -p tcp --dport 995 -m state --state NEW -m recent \
    --set --name POP3S --rsource
iptables -A INPUT -p tcp --dport 995 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 10 --name POP3S --rsource -j DROP
iptables -A INPUT -p tcp --dport 465 -m state --state NEW -m recent \
    --set --name SMTPS --rsource
iptables -A INPUT -p tcp --dport 465 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 10 --name SMTPS --rsource -j DROP
iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent \
    --set --name SUBMISSION --rsource
iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 10 --name SUBMISSION --rsource -j DROP

To check the blocked IPs see /proc/net/xt_recent/ 

The bad thing is it uses conntrack to work.

---

On 2020-04-18 07:33, David Bray wrote:

> Hi Tony, thanks 
> But not so much looking for a solution to block ips. 
> 
> I'm needing to identify which ips to block 
> 
> On Sat, 18 Apr 2020 at 8:19 pm, Tony White <t...@ycs.com.au> wrote: 
> 
>> Or this...
>> 
>> -- snip --
>> #!/bin/bash
>> logf="/var/log/blockip.log"
>> mdate=`date +%c`
>> mip=$1
>> ### must be root ###
>> if [ `whoami` != "root" ]; then
>> echo ""
>> echo "$0 must be run as root"
>> echo ""
>> exit 1
>> fi;
>> 
>> if [ "$mip" == "--help" ]; then
>> echo "========================================"
>> echo "Help: Block single and subnet IP's"
>> echo "========================================"
>> echo "blockip 130.2.1.1"
>> echo "blockip 130.2.1.0/24"
>> echo "----------------------------------------"
>> exit 1
>> fi;
>> 
>> mip1=${mip:0:10};  # first 10 characters, the length of the "192.168.1." prefix below
>> # your lan range if needed or comment out
>> if [ "$mip1" == "192.168.1." ]; then  # change ip to suit
>> echo "$mdate Discarding LAN drop request for $mip1" >> $logf
>> exit 1
>> fi;
>> 
>> # whitelist special clients...
>> # change the IP.ADDR.ESS to suit.
>> # comment out to remove
>> if [ $mip == "IP.ADDR.ESS" ] || [ $mip == "IP.ADDR.ESS" ] || \
>>    [ $mip == "IP.ADDR.ESS" ] || [ $mip == "IP.ADDR.ESS" ] || \
>>    [ $mip == "IP.ADDR.ESS" ] ; then
>> echo "$mdate Discarding WAN drop request for $mip" >> $logf
>> echo "$mdate Discarding WAN drop request for $mip"
>> exit 1
>> fi;
>> 
>> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
>> is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
>> 
>> if [ `echo $mip |eval $is_ip` != "1" ]; then
>> echo "$mdate Error in IP address $mip" >> $logf
>> echo "$mdate Error in IP address $mip"
>> else
>> iptables -I INPUT -s $mip -j DROP
>> echo "iptables -I INPUT -s $mip -j DROP"
>> echo "iptables -I INPUT -s $mip -j DROP" >> /etc/rc.d/rc.blockedips
>> echo "$mdate now dropping all packets from $mip" >> $logf
>> fi;
>> -- snip --
>> 
>> best wishes
>> Tony White
>> 
>> On 18/4/20 8:09 pm, Tony White wrote:
>> 
>>> Hi David,
>>> Sorry try this instead...
>>> 
>>> -- snip --
>>> #!/bin/sh
>>> logf="/var/log/blacklist_ip.log"
>>> mdate=`date +%c`
>>> ### must be root ###
>>> if [ `whoami` != "root" ]; then
>>> echo ""
>>> echo "$0 must be run as root"
>>> echo ""
>>> exit 1
>>> fi
>>> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
>>> is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
>>> 
>>> if [ `echo $1 |eval $is_ip` != "1" ]; then
>>> echo "$mdate Error in IP address $1" >> $logf
>>> else
>>> echo "$1" >> /opt/spamdyke/etc/blacklist_ip
>>> echo "$mdate now dropping all packets from $1" >> $logf
>>> fi
>>> --snip --
>>> 
>>> best wishes
>>> Tony White
>>> On 18/4/20 8:04 pm, Tony White wrote:
>>> 
>>>> Hi David,
>>>> Try using this little script...
>>>> 
>>>> -- snip --
>>>> #!/bin/bash
>>>> logf="/var/log/blockip.log"
>>>> mdate=`date +%c`
>>>> mip=$1
>>>> ### must be root ###
>>>> if [ `whoami` != "root" ]; then
>>>> echo ""
>>>> echo "$0 must be run as root"
>>>> echo ""
>>>> exit 1
>>>> fi;
>>>> 
>>>> if [ $mip == "--help" ]; then
>>>> echo "========================================"
>>>> echo "Help: Block single and subnet IP's"
>>>> echo "========================================"
>>>> echo "blockip 132.2.1.1"
>>>> echo "blockip 132.1.0/24"
>>>> echo "----------------------------------------"
>>>> exit 1
>>>> fi;
>>>> 
>>>> -- snip --
>>>> 
>>>> worked for me forever...
>>>> Use qtp watchall to monitor the logs and use the output to manually block 
>>>> ips or subnets
>>>> 
>>>> If you need more hit me off list.
>>>> 
>>>> best wishes
>>>> Tony White
>>>> On 18/4/20 2:59 pm, David Bray wrote:
>>>> 
>>>>> I can see I'm getting hammered on my smtps port
>>>>> 
>>>>> How can I mitigate this?
>>>>> 
>>>>> I can see the IP's in /var/log/qmail/smtps/current
>>>>> 
>>>>> *but where do I actually see that the smtp auth actually fails ?*
>>>>> 
>>>>> or do I need to increase the logging somewhere ?
>>>>> 
>>>>> if I tail -f /var/log/dovecot.log
>>>>> 
>>>>> I can see the imap and pop failures
>>>>> 
>>>>> thanks in advance
>>>>> 
>>>>> David Bray
>>>>> 0418 745334
>>>>> 2 ∞ & <
>>>> 
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>>> 
>>> 
>>> 
>>> 
>> 
> -- 
> # David
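Added example, not part of the original thread: the `--set` rules at the top of this message record every source that opens a connection to the port, so the files under /proc/net/xt_recent/ list all recent sources with their packet timestamps in jiffies, not only the dropped ones. The hypothetical function `recent_offenders` below picks out the sources that had reached the hit count; the sample table is constructed and the HZ value of 1000 is an assumption about the kernel.

```shell
#!/bin/sh
# Added example, not from the thread. HZ (jiffies per second) is an assumption
# about the running kernel; pass the real value as the 4th argument.

# recent_offenders FILE [HITCOUNT] [SECONDS] [HZ]
# Prints "ip hits" for each source whose entry holds at least HITCOUNT
# timestamps within SECONDS of its own last_seen, the condition the
# "--update --seconds 60 --hitcount 10 ... -j DROP" rule saw at that packet.
recent_offenders() {
    awk -v need="${2:-10}" -v secs="${3:-60}" -v hz="${4:-1000}" '
    /^src=/ {
        gsub(/,/, "")                  # stamps are printed as "a, b, c"
        ip = substr($1, 5)             # drop the leading "src="
        last = 0; first = 0
        for (i = 2; i < NF; i++) {
            if ($i == "last_seen:")  last  = $(i + 1)
            if ($i == "oldest_pkt:") first = i + 2   # stamps follow the index
        }
        if (!first) next
        hits = 0
        for (i = first; i <= NF; i++)
            if ($i + 0 >= last - secs * hz) hits++
        if (hits >= need) print ip, hits
    }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample in the /proc/net/xt_recent/<name> line format, HZ=1000.
write_sample() {
    cat > "$1" <<'EOF'
src=203.0.113.7 ttl: 52 last_seen: 4295060000 oldest_pkt: 10 4295051000, 4295052000, 4295053000, 4295054000, 4295055000, 4295056000, 4295057000, 4295058000, 4295059000, 4295060000
src=198.51.100.20 ttl: 48 last_seen: 4295240000 oldest_pkt: 10 4294700000, 4294760000, 4294820000, 4294880000, 4294940000, 4295000000, 4295060000, 4295120000, 4295180000, 4295240000
src=192.0.2.44 ttl: 57 last_seen: 4295101000 oldest_pkt: 3 4295100000, 4295100500, 4295101000
EOF
}

sample=$(mktemp)
write_sample "$sample"
recent_offenders "$sample" 10 60 1000   # only 203.0.113.7 reached 10 hits in 60 s
rm -f "$sample"
```

On a live host, point it at one of the tables named in the rules, for example `recent_offenders /proc/net/xt_recent/SMTPS`.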
 
