Hi David, I don't know if this can help you, but I use iptables with the xt_recent module to limit connections to 10 per minute on each port on my server:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP --rsource
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SMTP --rsource -j DROP
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --set --name POP3 --rsource
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name POP3 --rsource -j DROP
iptables -A INPUT -p tcp --dport 995 -m state --state NEW -m recent --set --name POP3S --rsource
iptables -A INPUT -p tcp --dport 995 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name POP3S --rsource -j DROP
iptables -A INPUT -p tcp --dport 465 -m state --state NEW -m recent --set --name SMTPS --rsource
iptables -A INPUT -p tcp --dport 465 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SMTPS --rsource -j DROP
iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --set --name SUBMISSION --rsource
iptables -A INPUT -p tcp --dport 587 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SUBMISSION --rsource -j DROP

To check the blocked IPs see /proc/net/xt_recent/

The bad thing is it uses conntrack to work.

---

On 2020-04-18 07:33, David Bray wrote:
> Hi Tony, thanks
> But not so much looking for a solution to block ips.
>
> I'm needing to identify which ips to block
>
> On Sat, 18 Apr 2020 at 8:19 pm, Tony White <[email protected]> wrote:
>
>> Or this...
>>
>> -- snip --
>> #!/bin/bash
>> logf="/var/log/blockip.log"
>> mdate=`date +%c`
>> mip=$1
>> ### must be root ###
>> if [ `whoami` != "root" ]; then
>>   echo ""
>>   echo "$0 must be run as root"
>>   echo ""
>>   exit 1
>> fi;
>>
>> # no argument or --help: print usage
>> if [ -z "$mip" ] || [ "$mip" == "--help" ]; then
>>   echo "========================================"
>>   echo "Help: Block single and subnet IP's"
>>   echo "========================================"
>>   echo "blockip 130.2.1.1"
>>   echo "blockip 130.2.1.0/24"
>>   echo "----------------------------------------"
>>   exit 1
>> fi;
>>
>> # your lan range if needed or comment out
>> # (take the first 10 characters so the comparison with "192.168.1." can match)
>> mip1=${mip:0:10};
>> if [ "$mip1" == "192.168.1." ]; then # change ip to suit
>>   echo "$mdate Discarding LAN drop request for $mip1" >> $logf
>>   exit 1
>> fi;
>>
>> # whitelist special clients...
>> # change the IP.ADDR.ESS to suit.
>> # comment out to remove
>> if [ "$mip" == "IP.ADDR.ESS" ] || [ "$mip" == "IP.ADDR.ESS" ] || [ "$mip" == "IP.ADDR.ESS" ] || [ "$mip" == "IP.ADDR.ESS" ] || [ "$mip" == "IP.ADDR.ESS" ] ; then
>>   echo "$mdate Discarding WAN drop request for $mip" >> $logf
>>   echo "$mdate Discarding WAN drop request for $mip"
>>   exit 1
>> fi;
>>
>> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
>> # dotted quad with optional /prefix (loose: it does not reject octets above 255)
>> is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
>>
>> if [ `echo "$mip" | eval $is_ip` != "1" ]; then
>>   echo "$mdate Error in IP address $mip" >> $logf
>>   echo "$mdate Error in IP address $mip"
>> else
>>   iptables -I INPUT -s "$mip" -j DROP
>>   echo "iptables -I INPUT -s $mip -j DROP"
>>   echo "iptables -I INPUT -s $mip -j DROP" >> /etc/rc.d/rc.blockedips
>>   echo "$mdate now dropping all packets from $mip" >> $logf
>> fi;
>> -- snip --
>>
>> best wishes
>> Tony White
>>
>> On 18/4/20 8:09 pm, Tony White wrote:
>>
>>> Hi David,
>>> Sorry try this instead...
>>>
>>> -- snip --
>>> #!/bin/sh
>>> logf="/var/log/blacklist_ip.log"
>>> mdate=`date +%c`
>>> ### must be root ###
>>> if [ `whoami` != "root" ]; then
>>>   echo ""
>>>   echo "$0 must be run as root"
>>>   echo ""
>>>   exit 1
>>> fi
>>> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
>>> # dotted quad with optional /prefix (loose: it does not reject octets above 255)
>>> is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
>>>
>>> if [ `echo "$1" | eval $is_ip` != "1" ]; then
>>>   echo "$mdate Error in IP address $1" >> $logf
>>> else
>>>   # addresses in spamdyke's IP blacklist file are refused at SMTP time
>>>   echo "$1" >> /opt/spamdyke/etc/blacklist_ip
>>>   echo "$mdate now dropping all packets from $1" >> $logf
>>> fi
>>> -- snip --
>>>
>>> best wishes
>>> Tony White
>>> On 18/4/20 8:04 pm, Tony White wrote:
>>>
>>>> Hi David,
>>>> Try using this little script...
>>>>
>>>> -- snip --
>>>> #!/bin/bash
>>>> logf="/var/log/blockip.log"
>>>> mdate=`date +%c`
>>>> mip=$1
>>>> ### must be root ###
>>>> if [ `whoami` != "root" ]; then
>>>>   echo ""
>>>>   echo "$0 must be run as root"
>>>>   echo ""
>>>>   exit 1
>>>> fi;
>>>>
>>>> if [ -z "$mip" ] || [ "$mip" == "--help" ]; then
>>>>   echo "========================================"
>>>>   echo "Help: Block single and subnet IP's"
>>>>   echo "========================================"
>>>>   echo "blockip 132.2.1.1"
>>>>   echo "blockip 132.1.0/24"
>>>>   echo "----------------------------------------"
>>>>   exit 1
>>>> fi;
>>>>
>>>> -- snip --
>>>>
>>>> worked for me forever...
>>>> Use qtp watchall to monitor the logs and use the output to manually block
>>>> ips or subnets
>>>>
>>>> If you need more hit me off list.
>>>>
>>>> best wishes
>>>> Tony White
>>>> On 18/4/20 2:59 pm, David Bray wrote:
>>>>
>>>>> I can see I'm getting hammered on my smtps port
>>>>>
>>>>> How can I mitigate this?
>>>>>
>>>>> I can see the IP's in /var/log/qmail/smtps/current
>>>>>
>>>>> *but where do I actually see that the smtp auth actually fails ?*
>>>>>
>>>>> or do I need to increase the logging somewhere ?
>>>>>
>>>>> if I tail -f /var/log/dovecot.log
>>>>>
>>>>> I can see the imap and pop failures
>>>>>
>>>>> thanks in advance
>>>>>
>>>>> David Bray
>>>>> 0418 745334
>>>>> 2 ∞ & <
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
>>>>
>>>
>>
> --
> # David
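David's actual question is not how to block an address but how to pick out which addresses to block from /var/log/qmail/smtps/current and /var/log/dovecot.log. The following is an added example written for this page in Python; it is not code posted by anyone in the thread. It assumes the smtps log is multilog output of tcpserver (a TAI64N stamp, then one "tcpserver: pid N from A.B.C.D" line per accepted connection) and that Dovecot's imap-login/pop3-login lines carry "auth failed, N attempts" and "rip=<remote ip>"; the log text in the block is constructed for the example with TEST-NET addresses, and the exact Dovecot wording varies a little between versions. It also replaces the scripts' grep regex and string-prefix LAN check with the ipaddress module, so a malformed address never reaches iptables and the whitelist is a real network match.

```python
"""Pick out which source IPs to block from qmail smtps and Dovecot logs.

Added example for this thread, not code posted by anyone in it. Assumed
log formats (constructed samples below, TEST-NET addresses):
- /var/log/qmail/smtps/current: multilog output, TAI64N stamp, then
  tcpserver's "pid N from A.B.C.D" line for every accepted connection;
- /var/log/dovecot.log: imap-login/pop3-login lines with
  "auth failed, N attempts" and "rip=<remote ip>".
"""
import ipaddress
import re

TCPSERVER_FROM = re.compile(r"tcpserver: pid \d+ from (\S+)\s*$")
DOVECOT_FAIL = re.compile(
    r"(?:imap|pop3)-login: .*auth failed, (\d+) attempts?.*\brip=([0-9A-Fa-f.:]+)"
)

# Constructed sample of /var/log/qmail/smtps/current.
SMTPS_LOG = """\
@400000005e9a6d9c1a2b3c4d tcpserver: status: 1/40
@400000005e9a6d9c1a2b3c4d tcpserver: pid 2201 from 203.0.113.45
@400000005e9a6d9c1a2b3c4d tcpserver: ok 2201 mail.example.com:192.0.2.10:465 :203.0.113.45::51234
@400000005e9a6d9d0a1b2c3d tcpserver: end 2201 status 256
@400000005e9a6d9e0a1b2c3d tcpserver: pid 2202 from 203.0.113.45
@400000005e9a6d9f0a1b2c3d tcpserver: end 2202 status 256
@400000005e9a6da00a1b2c3d tcpserver: pid 2203 from 192.168.1.20
@400000005e9a6da10a1b2c3d tcpserver: pid 2204 from 203.0.113.45
@400000005e9a6da20a1b2c3d tcpserver: pid 2205 from 198.51.100.7
@400000005e9a6da30a1b2c3d tcpserver: pid 2206 from 203.0.113.45
@400000005e9a6da40a1b2c3d tcpserver: status: 0/40
"""

# Constructed sample of /var/log/dovecot.log.
DOVECOT_LOG = """\
Apr 18 14:55:02 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, TLS
Apr 18 14:55:09 pop3-login: Info: Disconnected (auth failed, 3 attempts in 11 secs): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Apr 18 14:55:20 imap-login: Info: Login: user=<david>, method=PLAIN, rip=192.168.1.20, lip=192.0.2.10, TLS
Apr 18 14:55:31 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, TLS
"""


def count_connections(lines):
    """Accepted connections per source IP (tcpserver 'pid N from IP' lines)."""
    hits = {}
    for line in lines:
        m = TCPSERVER_FROM.search(line)
        if m:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


def count_auth_failures(lines):
    """Failed login attempts per remote IP, weighted by Dovecot's attempt count."""
    hits = {}
    for line in lines:
        m = DOVECOT_FAIL.search(line)
        if m:
            hits[m.group(2)] = hits.get(m.group(2), 0) + int(m.group(1))
    return hits


def offenders(hits, threshold, whitelist=()):
    """IPs with hits >= threshold, busiest first.

    ipaddress validates each address (a hostname or '299.1.1.1' is skipped)
    and the whitelist is a network match, not a string-prefix comparison.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in whitelist]
    out = []
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        if n < threshold:
            break
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            continue
        out.append(ip)
    return out


def drop_rules(targets):
    """iptables DROP rules for validated hosts or CIDR subnets only."""
    rules = []
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            continue  # refuse anything that is not an address or a subnet
        tgt = str(net.network_address) if net.num_addresses == 1 else str(net)
        rules.append(f"iptables -I INPUT -s {tgt} -j DROP")
    return rules


if __name__ == "__main__":
    conns = count_connections(SMTPS_LOG.splitlines())
    fails = count_auth_failures(DOVECOT_LOG.splitlines())
    print("smtps connections per IP:", conns)
    print("dovecot auth failures per IP:", fails)
    bad = offenders(conns, 3, ["192.168.1.0/24"])
    bad += [ip for ip in offenders(fails, 3, ["192.168.1.0/24"]) if ip not in bad]
    print("\n".join(drop_rules(bad)))
```

Run it against the real files by replacing the two sample strings with `open(path).read()`; the printed rules are the same `iptables -I INPUT -s ... -j DROP` form the scripts above use, so they can be fed to them or to the rc file directly. Note that the smtps log only tells you who connected; whether SMTP AUTH failed is not in tcpserver's lines, so the Dovecot failures are the better signal for credential guessing.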
