On 2007-09-28 07:06:14, Sam Varshavchik wrote:
There is no rate metering of this kind possible, but what exactly is the
negative impact from this? This is an average of three and a half probes
per second, which, if you weren't looking at the logs, you would've never
noticed.
In
Michelle Konzack wrote:
In theory... -- but they hit me periodically with over 200 per second.
You're seeing 200 hits a second! From the same ip addresses or
different ones all the time?
Since no single ip address should be hitting your server
Michelle Konzack writes:
Since around one week I have very heavy Dictionary attacks (over 30
per day from more than 7000 different IPs) on my courier-mta which
serves 17.000 users in the French gov.
On the exim-user list they used the following to stop it.
But how can I do this with
Michelle Konzack wrote:
This morning I was hit at ~08:00 CET for around 17 minutes from
86 different IPs and each IP had 30-80 hits per second.
Now imagine the server supports 17000 users and they switch
on their computers between 08:00 and 09:00...
iptables does unfortunately not work for
Since around one week I have very heavy Dictionary attacks (over 30
per day from more than 7000 different IPs) on my courier-mta which
serves 17.000 users in the French gov.
On the exim-user list they used the following to stop it.
But how can I do this with courier-mta?
I like to
On 2007-09-28 22:10:01, Jeff Jansen wrote:
Michelle Konzack wrote:
In theory... -- but they hit me periodically with over 200 per second.
You're seeing 200 hits a second! From the same ip addresses or
different ones all the time?
Today
For the paranoid (like myself), there's always fail2ban
( http://www.fail2ban.org/ ). It worked perfectly for me in stopping
bruteforce attacks on my ssh port.
Basically it monitors a log and bans (with iptables, for example) IPs
for a period of time after a certain number of authentication
I'd follow Jeff's advice - rate limiting via IP tables, but I'd add -i
external interface to each of those lines.
I am assuming that your email server has multiple network connections
and the attacks are coming from the external interface, not the internal
one.
That way, you don't have ANY