On Fri, 2004-06-25 at 14:13, Jon Carnes wrote:
> On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> > lately my mail server (and several others that i administer) have been
> > getting pummeled by dictionary attacks (trying to send mail to
> > [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], and so
> > on).
> > naturally, the response to all of these is a "550 unknown user" but it
> > still wastes bandwidth and fills up the logs and flat out pisses me
> > off. these attacks all come from a single IP address (at least for
> > some period of time, then they start up all over again from a different
> > IP)
> >
> > i'm wondering if there's a relatively easy way to dynamically add an
> > iptables rule that blocks port 25 (or better yet all traffic) from an
> > IP address that generates X 550 errors in Y minutes. then, after Z
> > minutes, the rule is removed. or is there a better way?
> >
> > jason
>
> This is a standard rule in OpenBSD (they also have one for DNS type
> attacks too). I've looked at the OBSD one (written in perl) and it's
> fairly easy to craft. You could script this by having a program scan the
> info logs every minute using grep, cut, sort, uniq and then when the
> value exceeds so many in a minute put the associated IP into a file that
> is used by your IPTables to deny access via port 25. When it updates the
> file it will also need to re-init IPTables.
>
> I'll bet you have it done in just under an hour!
>
> Jon
BTW: here is a nice article on greylisting using OpenBSD 3.5... very nice.
http://www.elwood.net/greyspamd.html

For your script, this will return the date and time from one minute ago in
the format used by Postfix in its info log:

    ENTRIES=`date -d"-1 minutes" "+%b %e %H:%M"`

To isolate the IPs for the 550 entries run:

    grep "$ENTRIES" info | grep 550 | cut -f3 -d'[' | cut -f1 -d']'

You can "sort" that output and use "uniq -c" to find out a number for each
minute.

Have fun!
Jon

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
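The pipeline Jon sketches (grep the last minute's Postfix log, cut out the client IP, sort | uniq -c, threshold, then an iptables rule that expires after Z minutes), put together as an added example; this is not code from the thread. The log lines are constructed samples using documentation-range IPs, the threshold and the dry-run (rules are printed, not applied) are assumptions.

```shell
#!/bin/sh
# Added example: find source IPs that drew >= THRESHOLD "550" rejections in
# one minute of a Postfix info log and emit the iptables block/unblock rules.
# Dry run: rules are echoed; pipe them to sh (and "at") to actually apply.

# Constructed sample log (hypothetical hosts/IPs, not real data).
SAMPLE_LOG='Jun 25 14:11:58 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaa@example.org>: Recipient address rejected: User unknown
Jun 25 14:12:01 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aab@example.org>: Recipient address rejected: User unknown
Jun 25 14:12:02 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aac@example.org>: Recipient address rejected: User unknown
Jun 25 14:12:03 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aad@example.org>: Recipient address rejected: User unknown
Jun 25 14:12:05 mx postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown
Jun 25 14:12:09 mx postfix/smtpd[4023]: connect from relay.example.com[192.0.2.33]
Jun 25 14:12:10 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aae@example.org>: Recipient address rejected: User unknown'

# Timestamp of the minute that just ended, in Postfix's log format (GNU date,
# as in Jon's ENTRIES= line). Not used by the dry run below.
window_stamp() { date -d "-1 minutes" "+%b %e %H:%M"; }

# Print "count ip" for each client IP with a 550 in the given minute. Reads
# log text on stdin. Field 3 split on '[' is the IP in "RCPT from host[ip]:";
# ' 550 ' (with spaces) avoids matching a PID or queue id containing 550.
count_550() {
    grep "^$1" | grep ' 550 ' | cut -f3 -d'[' | cut -f1 -d']' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# IPs whose count meets the threshold (X in Jason's question).
offenders() { count_550 "$1" | awk -v t="$2" '$1 >= t {print $2}'; }

# Rule dropping SMTP from one IP; DROP_ALL=1 drops all of its traffic instead.
block_rule() {
    if [ "${DROP_ALL:-0}" = 1 ]; then echo "iptables -I INPUT -s $1 -j DROP"
    else echo "iptables -I INPUT -s $1 -p tcp --dport 25 -j DROP"; fi
}

# Matching -D rule; schedule it to lift the block after Z minutes, e.g.
#   unblock_rule "$ip" | at now + 30 minutes
unblock_rule() { block_rule "$1" | sed 's/ -I / -D /'; }

# Dry run over the sample for the minute "Jun 25 14:12" with threshold 3.
# Real use: offenders "$(window_stamp)" 3 < /var/log/mail.info
for ip in $(printf '%s\n' "$SAMPLE_LOG" | offenders "Jun 25 14:12" 3); do
    block_rule "$ip"
    unblock_rule "$ip"
done
```

198.51.100.9 has a single 550 in the window and 203.0.113.7's 14:11:58 rejection falls outside it, so only the four-in-a-minute 203.0.113.7 gets a rule.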
