lately my mail server (and several others that i administer) have been 
getting pummeled by dictionary attacks (trying to send mail to 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], and so 
on).  
naturally, the response to all of these is a "550 unknown user" but it 
still wastes bandwidth and fills up the logs and flat out pisses me 
off.  these attacks all come from a single IP address (at least for 
some period of time, then they start up all over again from a different 
IP)

i'm wondering if there's a relatively easy way to dynamically add an 
iptables rule that blocks port 25 (or better yet all traffic) from an 
IP address that generates X 550 errors in Y minutes.  then, after Z 
minutes, the rule is removed.  or is there a better way?

jason
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
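The X-errors-in-Y-minutes-then-unblock-after-Z logic the post asks about, as an added example written for this archive page (not the poster's code). It assumes a Postfix-style rejection line with the client IP in brackets, reads constructed sample lines, and only renders the iptables commands it would hand to a cron/at job rather than running them.

```python
# Sliding-window detector for repeated 550 rejections per source IP.
# Assumptions: log line shape below, X=3, Y=5 min, Z=60 min (all adjustable).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> ... reject: RCPT from host[IP]: 550 ..."
LINE_RE = re.compile(r"^(\S+) .*from \S*\[(\d+\.\d+\.\d+\.\d+)\]: 550 ")

def find_offenders(lines, x_errors=3, y_minutes=5, z_minutes=60):
    """Return {ip: (block_at, unblock_at)} for IPs with >= X 550s inside Y minutes."""
    window = timedelta(minutes=y_minutes)
    recent = defaultdict(deque)        # ip -> timestamps of its recent 550s
    blocked = {}                        # ip -> (block_at, unblock_at)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # not a 550 rejection, ignore
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(2)
        if ip in blocked and ts < blocked[ip][1]:
            continue                    # still inside its Z-minute block
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than Y minutes
            q.popleft()
        if len(q) >= x_errors:
            blocked[ip] = (ts, ts + timedelta(minutes=z_minutes))
            q.clear()
    return blocked

def iptables_commands(blocked):
    """Render the add rule and the matching delete to schedule at unblock time.
    -I puts the DROP at the top of INPUT so it wins over any earlier ACCEPT."""
    cmds = []
    for ip, (start, end) in sorted(blocked.items()):
        cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP  # {start.isoformat()}")
        cmds.append(f"iptables -D INPUT -s {ip} -p tcp --dport 25 -j DROP  # run at {end.isoformat()}")
    return cmds

# Constructed sample: 192.0.2.10 hits 3 unknown users in 2 minutes, 198.51.100.7 only one.
SAMPLE_LOG = """\
2004-03-01T10:00:01 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from a.example[192.0.2.10]: 550 <aaron@example.org>: User unknown
2004-03-01T10:00:40 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from a.example[192.0.2.10]: 550 <abby@example.org>: User unknown
2004-03-01T10:01:05 mx postfix/smtpd[2]: NOQUEUE: reject: RCPT from b.example[198.51.100.7]: 550 <bob@example.org>: User unknown
2004-03-01T10:01:30 mx postfix/smtpd[1]: 250 2.0.0 Ok: queued as 1234
2004-03-01T10:01:59 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from a.example[192.0.2.10]: 550 <adam@example.org>: User unknown
""".splitlines()

if __name__ == "__main__":
    for c in iptables_commands(find_offenders(SAMPLE_LOG)):
        print(c)
```

Feeding it `tail -F` output instead of the sample list, and executing the rendered commands (the `-D` via `at`), turns it into the dynamic blocker described; a blanket block would use `iptables -I INPUT -s IP -j DROP` without the port match.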
