On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> lately my mail server (and several others that i administer) have been
> getting pummeled by dictionary attacks (trying to send mail to
> [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], and so
> on).
> naturally, the response to all of these is a "550 unknown user" but it
> still wastes bandwidth and fills up the logs and flat out pisses me
> off. these attacks all come from a single IP address (at least for
> some period of time, then they start up all over again from a different
> IP)
>
> i'm wondering if there's a relatively easy way to dynamically add an
> iptables rule that blocks port 25 (or better yet all traffic) from an
> IP address that generates X 550 errors in Y minutes. then, after Z
> minutes, the rule is removed. or is there a better way?
>
> jason
This is a standard rule in OpenBSD (they also have one for DNS type attacks too). I've looked at the OBSD one (written in perl) and it's fairly easy to craft. You could script this by having a program scan the info logs every minute using grep, cut, sort and uniq, and then, when the value exceeds so many in a minute, put the associated IP into a file that is used by your IPTables to deny access via port 25. When it updates the file it will also need to re-init IPTables. I'll bet you have it done in just under an hour!

Jon
-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
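The script below is an added example of the approach Jon sketches (count 550 rejections per source IP in the last scan window, put offenders into a file that drives iptables, and remove the rule again after a while, which also covers Jason's X/Y/Z request). It is not code from the thread or from the OpenBSD tool Jon mentions. The Postfix-style log lines, the default threshold of 20, the one-hour block lifetime, the blocklist path and the use of plain INPUT-chain DROP rules on port 25 are all assumptions; the sample log is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a log-driven SMTP blocklist in the
# shape Jon describes. Log format, thresholds, file paths and the use of
# INPUT-chain DROP rules are assumptions; adjust to your MTA and firewall.

THRESHOLD="${THRESHOLD:-20}"                        # X: 550s per scan window
BLOCK_SECS="${BLOCK_SECS:-3600}"                    # Z: lifetime of a block
BLOCKFILE="${BLOCKFILE:-/var/run/smtp-blocklist}"   # lines: "<ip> <expiry-epoch>"
IPTABLES="${IPTABLES:-iptables}"                    # set to "echo iptables" to dry-run

# Constructed sample log (Postfix-style "550 ... User unknown" rejections).
# 192.0.2.10 probes three addresses; 198.51.100.7 makes one typo; the last
# line is an ordinary connection and must not count.
SAMPLE_LOG='Jun 25 13:50:01 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <aaron@example.net>: Recipient address rejected: User unknown
Jun 25 13:50:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <abby@example.net>: Recipient address rejected: User unknown
Jun 25 13:50:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <adam@example.net>: Recipient address rejected: User unknown
Jun 25 13:50:03 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <typo@example.net>: Recipient address rejected: User unknown
Jun 25 13:50:04 mx postfix/smtpd[4244]: 1A2B3C: client=relay.example.com[203.0.113.5]'

# offenders: log lines on stdin -> "count ip" for each source at or above THRESHOLD.
# This is the grep/cut/sort/uniq pipeline from the reply; sed does the "cut"
# because the client IP sits inside brackets, not at a fixed field position.
offenders() {
    grep ' 550 ' |
    sed -n 's/.*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\].*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$THRESHOLD" '$1 + 0 >= t + 0 { print $1, $2 }'
}

# block_ip IP: insert a DROP rule for port 25 and record when it should expire.
# Skips IPs already listed, so a persistent attacker gets one rule, not one per scan.
block_ip() {
    ip=$1
    if [ -f "$BLOCKFILE" ] && awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$BLOCKFILE"; then
        return 0
    fi
    $IPTABLES -I INPUT -s "$ip" -p tcp --dport 25 -j DROP
    printf '%s %s\n' "$ip" "$(( $(date +%s) + BLOCK_SECS ))" >> "$BLOCKFILE"
}

# expire_blocks: delete the rule (same spec as inserted, so -D matches exactly)
# for every entry whose expiry has passed, and rewrite the list without it.
expire_blocks() {
    [ -f "$BLOCKFILE" ] || return 0
    now=$(date +%s)
    tmp=$(mktemp)
    while read -r ip exp; do
        if [ "$now" -ge "$exp" ]; then
            $IPTABLES -D INPUT -s "$ip" -p tcp --dport 25 -j DROP
        else
            printf '%s %s\n' "$ip" "$exp" >> "$tmp"
        fi
    done < "$BLOCKFILE"
    mv "$tmp" "$BLOCKFILE"
}

# scan: one cron tick. Feed it only the lines written since the previous tick
# so that THRESHOLD means "X errors in Y minutes".
scan() {
    offenders | while read -r count ip; do
        block_ip "$ip"
    done
    expire_blocks
}

case "${1:-}" in
    scan) scan ;;
    demo) THRESHOLD=3 IPTABLES="echo iptables" BLOCKFILE=$(mktemp)
          printf '%s\n' "$SAMPLE_LOG" | scan ;;   # prints the iptables command it would run
esac
```

Run `sh smtpblock.sh demo` to see it pick out 192.0.2.10 and print the rule it would add; for real use, hand it the new log lines every minute from cron, for example with logtail from the logcheck package (`* * * * * logtail /var/log/mail.log | /usr/local/sbin/smtpblock scan`, an assumed path). Two things to sort out before switching `IPTABLES` from `echo iptables` to the real binary: whitelist your own relays and MX peers first, since a legitimate host bouncing a stale mailing-list batch can rack up 550s just as fast as a dictionary attacker, and keep in mind that rules inserted into INPUT vanish on a firewall re-init, so on a box that reloads its ruleset you will want these in a dedicated chain that the reload script recreates and repopulates from the blocklist file.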
