[TriLUG] defense against dictionary attacks?

Jon Carnes jonc at nc.rr.com
Fri Jun 25 14:43:10 EDT 2004


On Fri, 2004-06-25 at 14:13, Jon Carnes wrote:
> On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> > lately my mail server (and several others that i administer) have been 
> > getting pummeled by dictionary attacks (trying to send mail to 
> > abe at domain, al at domain, alison at domain, andy at domain, and so on).  
> > naturally, the response to all of these is a "550 unknown user" but it 
> > still wastes bandwidth and fills up the logs and flat out pisses me 
> > off.  these attacks all come from a single IP address (at least for 
> > some period of time, then they start up all over again from a different 
> > IP)
> > 
> > i'm wondering if there's a relatively easy way to dynamically add an 
> > iptables rule that blocks port 25 (or better yet all traffic) from an 
> > IP address that generates X 550 errors in Y minutes.  then, after Z 
> > minutes, the rule is removed.  or is there a better way?
> > 
> > jason
> 
> This is a standard rule in OpenBSD (they also have one for DNS type
> attacks too).  I've looked at the OBSD one (written in perl) and it's
> fairly easy to craft. You could script this by having a program scan the
> info logs every minute using grep, cut, sort, uniq and then when the
> value exceeds so many in a minute put the associated IP into a file that
> is used by your IPTables to deny access via port 25. When it updates the
> file it will also need to re-init IPTables.
> 
> I'll bet you have it done in just under an hour!
> 
> Jon

BTW: here is a nice article on greylisting using OpenBSD 3.5... very
nice.
  http://www.elwood.net/greyspamd.html


For your script, this will return the date and time from one minute ago
in the format used by Postfix in its info log:
  ENTRIES=`date -d"-1 minutes" "+%b %e %H:%M"`

To isolate the IPs for the 550 entries run:
  grep "$ENTRIES" info |grep 550 |cut -f3 -d'[' |cut -f1 -d']'

You can "sort" that output and use "uniq -c" to find out a number for
each minute.

Have fun!

Jon
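As an added example (not from the thread, and not Jon's or Jason's script), here is the whole loop Jon sketches put into one POSIX shell script: pull one log minute out of the Postfix log, count the 550 recipient rejects per client IP with the same cut/sort/uniq pipeline, and for every IP that reaches a threshold insert an iptables DROP for port 25 and queue its removal with `at`. The log lines are constructed for the example; the function names `offenders` and `block_ip`, the `DRY_RUN` switch, and the use of GNU `date -d`, `iptables` and `at` are my assumptions, not anything the thread specifies. One detail worth noticing: a bare `grep 550` also matches a queue line such as `size=550`, so the pattern below anchors on `reject: RCPT from ...: 550 ` to count only the SMTP status code.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread. Assumes GNU date (for -d),
# iptables and at; set DRY_RUN to empty to actually change the firewall.
DRY_RUN=${DRY_RUN:-1}

# Constructed Postfix info-log sample. The client IP is the text inside the
# second pair of brackets, so "cut -f3 -d'['" then "cut -f1 -d']'" isolates it.
# The "size=550" line is a decoy: it contains 550 but is not a reject.
SAMPLE_LOG="${TMPDIR:-/tmp}/postfix-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 25 14:41:58 mx postfix/smtpd[1999]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <andy@example.net>: User unknown in local recipient table
Jun 25 14:42:01 mx postfix/smtpd[2001]: connect from unknown[192.0.2.10]
Jun 25 14:42:02 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <abe@example.net>: User unknown in local recipient table
Jun 25 14:42:02 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <al@example.net>: User unknown in local recipient table
Jun 25 14:42:03 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <alison@example.net>: User unknown in local recipient table
Jun 25 14:42:05 mx postfix/smtpd[2002]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <nobody@example.net>: User unknown in local recipient table
Jun 25 14:42:09 mx postfix/smtpd[2003]: 4A1B2C3D4E: from=<bob@example.org>, size=550, nrcpt=1 (queue active)
EOF

# offenders LOGFILE [MINUTE] [THRESHOLD]
#   MINUTE is a "%b %e %H:%M" prefix (default: one minute ago, as in the
#   post). Prints one IP per line whose 550 RCPT rejects in that minute
#   reached THRESHOLD (default 5).
offenders() {
    logfile=$1
    minute=${2:-$(date -d '-1 minutes' '+%b %e %H:%M')}
    threshold=${3:-5}
    grep "^$minute:" "$logfile" \
      | grep 'reject: RCPT from .*: 550 ' \
      | cut -f3 -d'[' | cut -f1 -d']' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_ip IP [MINUTES]
#   Drop TCP/25 from IP now; remove the rule again after MINUTES (default 60)
#   via an at(1) job, so no separate "expire" pass is needed. In DRY_RUN mode
#   the commands are printed instead of executed.
block_ip() {
    ip=$1
    minutes=${2:-60}
    add="iptables -I INPUT -s $ip -p tcp --dport 25 -j DROP"
    del="iptables -D INPUT -s $ip -p tcp --dport 25 -j DROP"
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$add" "echo '$del' | at now + $minutes minutes"
    else
        $add
        echo "$del" | at now + "$minutes" minutes
    fi
}

# Demonstration on the constructed sample: IPs with 3 or more 550s in 14:42.
# Only 192.0.2.10 qualifies; its 14:41 reject is outside the window and
# 198.51.100.7 has a single reject.
for ip in $(offenders "$SAMPLE_LOG" 'Jun 25 14:42' 3); do
    block_ip "$ip" 60
done
```

Run it every minute from cron (`* * * * * /path/to/block-550.sh`) with `DRY_RUN=` and the real log path in place of `$SAMPLE_LOG`; the X/Y/Z knobs from Jason's question map to the threshold, the one-minute window, and the `at` delay.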
