[TriLUG] defense against dictionary attacks?

Jon Carnes jonc at nc.rr.com
Fri Jun 25 14:13:16 EDT 2004


On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> lately my mail server (and several others that i administer) have been 
> getting pummeled by dictionary attacks (trying to send mail to 
> abe at domain, al at domain, alison at domain, andy at domain, and so on).  
> naturally, the response to all of these is a "550 unknown user" but it 
> still wastes bandwidth and fills up the logs and flat out pisses me 
> off.  these attacks all come from a single IP address (at least for 
> some period of time, then they start up all over again from a different 
> IP)
> 
> i'm wondering if there's a relatively easy way to dynamically add an 
> iptables rule that blocks port 25 (or better yet all traffic) from an 
> IP address that generates X 550 errors in Y minutes.  then, after Z 
> minutes, the rule is removed.  or is there a better way?
> 
> jason

This is a standard rule in OpenBSD (they also have one for DNS type
attacks too).  I've looked at the OBSD one (written in perl) and it's
fairly easy to craft. You could script this by having a program scan the
info logs every minute using a grep, cut, sort, uniq and then when the
value exceeds so many in a minute put the associated IP into a file that
is used by your IPTables to deny access via port 25. When it updates the
file it will also need to re-init IPTables.

I'll bet you have it done in just under an hour!

Jon
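
A sketch of the log-scan-and-block loop discussed in this thread, as an added example that is not part of either message and is not the OpenBSD script Jon mentions. It assumes Postfix-style reject lines (constructed below), a hypothetical chain named SMTP_BLOCK, and that the caller pipes in only the log lines from the last Y minutes; it uses awk where Jon suggests grep, cut, sort and uniq.

```shell
#!/bin/sh
# Added example, not from the thread. Log format and chain name are assumptions.
THRESHOLD=${THRESHOLD:-5}       # X: 550 rejects within the lines scanned
BLOCK_SECS=${BLOCK_SECS:-1800}  # Z: seconds an address stays blocked
CHAIN=${CHAIN:-SMTP_BLOCK}      # hypothetical chain, created and hooked once:
#   iptables -N SMTP_BLOCK; iptables -I INPUT -p tcp --dport 25 -j SMTP_BLOCK

# sample_log: constructed Postfix-style reject lines (documentation addresses).
sample_log() {
    for u in abe al alison andy; do
        echo "Jun 25 13:50:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <$u@example.com>: User unknown"
    done
    echo "Jun 25 13:50:09 mx postfix/smtpd[812]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 <bob@example.com>: User unknown"
}

# offenders: log lines on stdin -> IPs with >= THRESHOLD "550" RCPT rejects.
# match() takes the leftmost hit, so text later in the line (the
# sender-supplied recipient address) cannot substitute another IP.
offenders() {
    awk -v min="$THRESHOLD" '
        match($0, /RCPT from [^ ]*\[[0-9.]+\]: 550 /) {
            ip = substr($0, RSTART, RLENGTH - 7)   # drop trailing "]: 550 "
            sub(/.*\[/, "", ip)                    # drop "RCPT from host["
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }' | sort
}

# update_blocklist FILE NOW: add offenders (from stdin) to FILE as
# "ip expiry-epoch" lines and drop entries whose expiry has passed.
update_blocklist() {
    file=$1; now=$2; tmp=$(mktemp)
    {
        [ -f "$file" ] && cat "$file"
        offenders | awk -v t="$((now + BLOCK_SECS))" '{ print $1, t }'
    } | awk -v now="$now" '
        $2 + 0 > now && $2 + 0 > exp_at[$1] + 0 { exp_at[$1] = $2 }
        END { for (ip in exp_at) print ip, exp_at[ip] }' | sort > "$tmp"
    mv "$tmp" "$file"
}

# emit_rules FILE: print the commands that rebuild the chain from FILE.
emit_rules() {
    echo "iptables -F $CHAIN"
    while read -r ip rest; do
        echo "iptables -A $CHAIN -s $ip -p tcp --dport 25 -j DROP"
    done < "$1"
}
```

`emit_rules` only prints the commands, so the result can be inspected before it is piped to a root shell; because expired entries are dropped on every run, the rebuilt chain removes a block after Z seconds without a separate cleanup job.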