[TriLUG] defense against dictionary attacks?
Jason Tower
jason at cerient.net
Fri Jun 25 13:56:15 EDT 2004
lately my mail server (and several others that i administer) have been
getting pummeled by dictionary attacks (trying to send mail to
abe at domain, al at domain, alison at domain, andy at domain, and so on).
naturally, the response to all of these is a "550 unknown user" but it
still wastes bandwidth and fills up the logs and flat out pisses me
off. these attacks all come from a single IP address (at least for
some period of time, then they start up all over again from a different
IP).
i'm wondering if there's a relatively easy way to dynamically add an
iptables rule that blocks port 25 (or better yet all traffic) from an
IP address that generates X 550 errors in Y minutes. then, after Z
minutes, the rule is removed. or is there a better way?
jason
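An added example of the cron-driven approach the post asks about (not code from the original post or from TriLUG): it counts 550 rejections per client IP in the log lines fed on stdin, and blocks any IP over the threshold with a port-25 DROP rule that at(1) removes again after Z minutes. It assumes Postfix-style log lines with the client address in square brackets, an iptables new enough to support `-C`, and that cron runs it every Y minutes over only the lines logged since the previous run (e.g. via logtail), so the window is the cron interval.

```shell
#!/bin/sh
# Added example, not from the original post. Feed it the mail log lines
# logged in the last Y minutes on stdin; run from cron every Y minutes.
# Assumptions: Postfix-style "[IP]: 550 ..." reject lines, iptables with
# the -C (check) option, and atd running when blocks are actually applied.

X_HITS=${X_HITS:-10}        # 550s from one IP within the window that trigger a block
Z_MINUTES=${Z_MINUTES:-60}  # how long the DROP rule stays in place

# Print "IP count" for every client IP with at least $1 rejections on stdin.
# The sed takes the last [addr] on the line, which in Postfix reject lines
# is the connecting client (earlier brackets hold the smtpd PID).
find_offenders() {
    threshold=$1
    grep ' 550 ' | sed -n 's/.*\[\([0-9][0-9.]*\)\].*/\1/p' | sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Insert a DROP rule for port 25 from $1 and queue its removal in $2 minutes.
block_ip() {
    ip=$1; minutes=$2
    # -C returns 0 if the rule already exists, so repeated runs are a no-op.
    iptables -C INPUT -s "$ip" -p tcp --dport 25 -j DROP 2>/dev/null && return 0
    iptables -I INPUT -s "$ip" -p tcp --dport 25 -j DROP
    echo "iptables -D INPUT -s $ip -p tcp --dport 25 -j DROP" | at "now + $minutes minutes"
}

# Constructed sample log lines (not real traffic) for a dry run.
SAMPLE_LOG='Jun 25 13:50:01 mx postfix/smtpd[101]: reject: RCPT from unknown[192.0.2.10]: 550 <abe@example.net>: User unknown
Jun 25 13:50:02 mx postfix/smtpd[101]: reject: RCPT from unknown[192.0.2.10]: 550 <al@example.net>: User unknown
Jun 25 13:50:03 mx postfix/smtpd[101]: reject: RCPT from unknown[192.0.2.10]: 550 <alison@example.net>: User unknown
Jun 25 13:50:04 mx postfix/smtpd[102]: reject: RCPT from unknown[198.51.100.7]: 550 <andy@example.net>: User unknown
Jun 25 13:50:05 mx postfix/smtpd[103]: client=mail.example.org[203.0.113.5], message-id=<1@example.org>'

# Dry run over the sample at a threshold of 3; pass "apply" to insert the
# rules for real (needs root), replacing the sample with "cat" in cron.
main() {
    printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 |
    while read -r ip count; do
        echo "$ip sent $count 550s in this window"
        if [ "${1:-}" = apply ]; then block_ip "$ip" "$Z_MINUTES"; fi
    done
}

main "$@"
```

A real deployment replaces the `printf` of the sample with the log lines since the last run (logtail or `tail` since the previous cron tick) and `find_offenders "$X_HITS"`.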