Re: dynamically limit ip connections to ports over time?

2005-05-05 Thread Ed Stover
Alex Teslik wrote:
 Hi all,
 
 I have been running a FreeBSD box for a few years. Over this time spammers
 and other unfriendlies have found my box and have been attacking at a slowly
 increasing rate. Every night the daily periodic scripts run and report to me
 the number of rejected mail hosts. Last week, one of the rejected mail hosts
 had the number of rejections listed at 3000. My hard drive has been getting
 louder and louder as it gets busier rejecting and logging all of these and now
 I would like to do something about it... but I'm not sure what I can do. When
 the hard drive is at its busiest I see mail being virus and spam scanned at a
 dizzying rate (tail -f /var/log/maillog), hence the hard drive grinding.
 What I would LIKE to do is allow any ip to connect to a port for a
 specified number of times per minute.  If they connect too many times then I
 would like to freeze them out for a specified amount of time. This solution
 should be dynamic so that I don't need to constantly monitor the offending ip
 addresses.
snipped


Here is an idea: try greylisting for denying spam and portsentry to
keep the unfriendlies blocked. Both programs are fairly simple to set up
and maintain. Greylisting will deny incoming email for a set amount of
retries and time, thus you only get mail from real mail servers because
spammers don't usually try resending the spam after the initial list
has run. Portsentry is designed to detect incoming scans and block or deny
the IP afterwards. It is kinda like a honey pot but funner  ;)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
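The greylisting behaviour Ed describes (defer a never-seen sender with a temporary failure, accept it once a real MTA retries after the minimum delay, forget it if no retry arrives within the window), written out as an added Python illustration. This is not code from the original thread or from any of the milters mentioned in it; the class and function names, the timing parameters (5-minute minimum delay, 4-hour retry window, 30-day whitelist) and the delivery trace are assumptions chosen for the example.

```python
"""Minimal greylisting decision logic (added illustration, not a milter).

Greylisting keys on the triplet (client IP, envelope sender, envelope
recipient). A first attempt is deferred with a 4xx temporary failure; a retry
that arrives after the minimum delay but inside the retry window is accepted
and the triplet is whitelisted; a triplet that never retries is forgotten.
"""
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: int = 300                # assumed: retry accepted after 5 minutes
    retry_window: int = 4 * 3600        # assumed: unconfirmed triplet kept 4 hours
    whitelist_ttl: int = 30 * 24 * 3600  # assumed: confirmed triplet kept 30 days
    _first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time
    _passed: dict = field(default_factory=dict)      # triplet -> whitelist expiry

    def decide(self, triplet, now):
        """Return 'accept' or 'tempfail' for a delivery attempt at time `now`."""
        expiry = self._passed.get(triplet)
        if expiry is not None:
            if now < expiry:
                self._passed[triplet] = now + self.whitelist_ttl  # refresh on use
                return "accept"
            del self._passed[triplet]                  # whitelist entry expired
        first = self._first_seen.get(triplet)
        if first is None or now - first > self.retry_window:
            # New (or stale) triplet: remember it and defer with a 4xx reply.
            self._first_seen[triplet] = now
            return "tempfail"
        if now - first < self.min_delay:
            # Retry came too soon; a real MTA backs off, a spam cannon does not.
            return "tempfail"
        # Retried after the minimum delay and inside the window: confirmed.
        del self._first_seen[triplet]
        self._passed[triplet] = now + self.whitelist_ttl
        return "accept"


def simulate(attempts, greylist=None):
    """Run (time, ip, sender, recipient) attempts and return the verdicts."""
    gl = greylist or Greylist()
    return [gl.decide((ip, sender, rcpt), t) for t, ip, sender, rcpt in attempts]


# Constructed trace, in time order: a real MTA at 192.0.2.10 retries after
# 10 minutes; a spam cannon at 198.51.100.7 retries immediately, then gives
# up, and shows up again 5 hours later, by which time its triplet is stale.
TRACE = [
    (0,        "192.0.2.10",   "alice@example.org", "bob@example.net"),  # 1st try
    (5,        "198.51.100.7", "x1@spam.example",   "bob@example.net"),  # 1st try
    (6,        "198.51.100.7", "x1@spam.example",   "bob@example.net"),  # too soon
    (600,      "192.0.2.10",   "alice@example.org", "bob@example.net"),  # real retry
    (3600,     "192.0.2.10",   "alice@example.org", "bob@example.net"),  # whitelisted
    (5 * 3600, "198.51.100.7", "x1@spam.example",   "bob@example.net"),  # stale again
]

if __name__ == "__main__":
    for attempt, verdict in zip(TRACE, simulate(TRACE)):
        print(f"t={attempt[0]:>6} {attempt[1]:<14} {verdict}")
```

The cannon never gets past the temporary failure, while the legitimate MTA pays the one-time delay and is then accepted immediately for the life of the whitelist entry; that delay on first contact is the cost Alex mentions wanting to avoid.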


RE: dynamically limit ip connections to ports over time?

2005-05-04 Thread Steven R Howe
Alex, 

You may want to consider using an IDS such as Snort. There is a plugin
called SnortSam (www.snortsam.net) which will accomplish what you want
to do. Here is text copied from the front page of their website:

SnortSam is a plugin for Snort, an open-source light-weight Intrusion
Detection System (IDS). The plugin allows for automated blocking of IP
addresses on the following firewalls:

# Checkpoint Firewall-1
# Cisco PIX firewalls
# Cisco Routers (using ACLs or Null-Routes)
# Former Netscreen, now Juniper firewalls
# IP Filter (ipf), available for various Unix-like OSes such as FreeBSD
# FreeBSD's ipfw2 (in 5.x)
# OpenBSD's Packet Filter (pf)
# Linux IPchains
# Linux IPtables
# Linux EBtables
# WatchGuard Firebox firewalls
# 8signs firewalls for Windows
# MS ISA Server firewall/proxy for Windows
# CHX packet filter
# ...and more to come

There are several other programs in the ports collection. But I
recommend Snort.

Good Luck!!!



dynamically limit ip connections to ports over time?

2005-05-03 Thread Alex Teslik
Hi all,

I have been running a FreeBSD box for a few years. Over this time spammers
and other unfriendlies have found my box and have been attacking at a slowly
increasing rate. Every night the daily periodic scripts run and report to me
the number of rejected mail hosts. Last week, one of the rejected mail hosts
had the number of rejections listed at 3000. My hard drive has been getting
louder and louder as it gets busier rejecting and logging all of these and now
I would like to do something about it... but I'm not sure what I can do. When
the hard drive is at its busiest I see mail being virus and spam scanned at a
dizzying rate (tail -f /var/log/maillog), hence the hard drive grinding.
What I would LIKE to do is allow any ip to connect to a port for a
specified number of times per minute.  If they connect too many times then I
would like to freeze them out for a specified amount of time. This solution
should be dynamic so that I don't need to constantly monitor the offending ip
addresses.
Originally, I thought I would attach a sendmail milter to do this, since
mail cannons are my main problem right now. I looked at:

http://www.milter.info/milter-limit/index.shtml

but it requires manually adding a rule for each ip.

Then I considered grey-listing:

http://www.milter.info/milter-gris/index.shtml

but I don't want to reject messages and cause mail delivery delays on my
system.

Finally, it occurred to me that the firewall would probably be a better
solution and would have the nice side effect of limiting traffic to other
ports as well. To try to accomplish this I have been reading a lot of IPFilter
rules via google and lists, but I haven't found any that seem able to do
what I describe above - limit by ip over time.
I'm sure this is not a unique problem - can someone point me in a helpful
direction?

Many Thanks

P.S.- please cc my email address as I am not subscribed.


RE: dynamically limit ip connections to ports over time?

2005-05-03 Thread bob


ipfw has a 'limit src ip' option.
It's documented in the handbook's firewall section.

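Two different limits are being discussed in this thread, and it is worth seeing them side by side. Alex asks for a limit on how many times a source may connect per minute, with a freeze-out afterwards; the ipfw option bob points to (`limit src-addr N` in ipfw syntax) caps the number of simultaneous connections from one source, which is a different thing: a mail cannon that opens one short connection after another never holds more than one open and is not slowed at all. The following Python models both policies and replays the same constructed connection trace through each. It is an added illustration, not ipfw or pf code and not from any project mentioned in the thread; the class names, the parameter values and the trace are assumptions chosen for the example.

```python
"""Per-source connection limits compared (added illustration, not firewall code).

ConcurrentLimiter models a cap on simultaneous connections per source, the
semantics of ipfw's `limit src-addr N` (assumed model of that option).
RateLimiter models what the original question asks for: at most N new
connections per sliding window, after which the source is frozen out.
"""
from collections import defaultdict, deque


class ConcurrentLimiter:
    """Allow at most `max_open` simultaneous connections per source address."""

    def __init__(self, max_open):
        self.max_open = max_open
        self.open_conns = defaultdict(int)   # ip -> currently open connections

    def on_connect(self, ip, now):
        if self.open_conns[ip] >= self.max_open:
            return "drop"
        self.open_conns[ip] += 1
        return "allow"

    def on_close(self, ip, now):
        if self.open_conns[ip] > 0:
            self.open_conns[ip] -= 1         # closing frees a slot immediately


class RateLimiter:
    """Allow at most `max_per_window` new connections per `window` seconds from
    one source; a source that exceeds it is frozen out for `freeze` seconds."""

    def __init__(self, max_per_window, window, freeze):
        self.max_per_window = max_per_window
        self.window = window
        self.freeze = freeze
        self.recent = defaultdict(deque)     # ip -> timestamps of accepted connects
        self.frozen_until = {}               # ip -> time the freeze expires

    def on_connect(self, ip, now):
        until = self.frozen_until.get(ip)
        if until is not None:
            if now < until:
                return "drop"                # still frozen, no bookkeeping needed
            del self.frozen_until[ip]        # freeze expired: start with a clean slate
            self.recent[ip].clear()
        q = self.recent[ip]
        while q and now - q[0] >= self.window:   # drop entries that left the window
            q.popleft()
        if len(q) >= self.max_per_window:
            self.frozen_until[ip] = now + self.freeze
            q.clear()
            return "drop"
        q.append(now)
        return "allow"

    def on_close(self, ip, now):
        pass                                 # closing does not refund the rate budget


def summarize(limiter, trace):
    """Replay (time, ip, event) tuples; return {ip: {"allow": n, "drop": m}}."""
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for now, ip, event in trace:
        if event == "connect":
            counts[ip][limiter.on_connect(ip, now)] += 1
        else:
            limiter.on_close(ip, now)
    return dict(counts)


# Constructed trace: a spam cannon at 198.51.100.7 opens one half-second
# connection every second for ten seconds, while a legitimate MTA at
# 192.0.2.10 opens two connections that stay open for about half a minute.
CANNON, MTA = "198.51.100.7", "192.0.2.10"
TRACE = []
for t in range(10):
    TRACE.append((t, CANNON, "connect"))
    TRACE.append((t + 0.5, CANNON, "close"))
TRACE += [(2.2, MTA, "connect"), (4.2, MTA, "connect"),
          (30, MTA, "close"), (31, MTA, "close")]
TRACE.sort(key=lambda e: e[0])               # stable sort by time only

if __name__ == "__main__":
    print("concurrent, max 2 open:", summarize(ConcurrentLimiter(2), TRACE))
    print("rate, 5 per 60 s, freeze 300 s:", summarize(RateLimiter(5, 60, 300), TRACE))
```

Under the concurrent limit every one of the cannon's ten connections is allowed, because each closes before the next opens; under the rate limit the sixth attempt trips the freeze and the rest are dropped, while the MTA's two connections pass both. The freeze period is what makes the scheme "dynamic" in Alex's sense: nothing has to be added or removed by hand, the entry simply expires. In pf, the state option `max-src-conn-rate` together with `overload <table>` implements exactly this rate-then-block policy natively.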