[TriLUG] defense against dictionary attacks?

Jon Carnes jonc at nc.rr.com
Fri Jun 25 15:45:35 EDT 2004


On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> lately my mail server (and several others that i administer) have been 
> getting pummeled by dictionary attacks (trying to send mail to 
> abe at domain, al at domain, alison at domain, andy at domain, and so on).  
> naturally, the response to all of these is a "550 unknown user" but it 
> still wastes bandwidth and fills up the logs and flat out pisses me 
> off.  these attacks all come from a single IP address (at least for 
> some period of time, then they start up all over again from a different 
> IP)
> 
> i'm wondering if there's a relatively easy way to dynamically add an 
> iptables rule that blocks port 25 (or better yet all traffic) from an 
> IP address that generates X 550 errors in Y minutes.  then, after Z 
> minutes, the rule is removed.  or is there a better way?
> 
> jason

Here is my concept script for the problem (untested...). You would need
to set up your boot-up or re-init of IPTables so that it executed a file
that read in the IP addresses from the text file "spamdb" and turned off
port 25 from those addresses.

Comments, etc are welcome.

Jon

======
#!/bin/bash
# Parse the Postfix info file every minute looking for 550
#  (user unknown - dictionary smtp attacks)
# If the number of 550 rejects from the same IP exceeds some
# threshold/minute then block that IP from accessing port 25 (SMTP)
# using IPTables
#
# cron entry:
#   * * * * *   /usr/local/sbin/Postfix_Spam_Deny.sh

# Log file to parse each minute
INFO="/var/log/mail/info"

# File of Spammer IP Addresses (used when starting IPTables)
SPAMDB="/root/spamdb"

#
# This will return the date and time from one minute ago
# in the format used by Postfix in its info log:
ENTRIES=`date -d"-1 minutes" "+%b %e %H:%M"`

# Isolate the IP's for the 550 entries (matching " 550 " with the
# surrounding spaces so a 550 inside a PID or queue id is not counted).
# The client IP is the bracketed address after "RCPT from", i.e. the
# text after the third "[" and before the next "]".
# This gives the top abuser, and how many attempts it made.
BADBOY=`grep "$ENTRIES" $INFO |grep " 550 " |cut -f3 -d[ |cut -f1 -d] \
   |sort |uniq -c |sort -nr |head -1`

# This is the number of times in a minute that the top abuser
# attempted to send bad email addresses (0 when there were none,
# so the arithmetic test below does not choke on an empty string)
BADNUM=`echo $BADBOY |cut -f1 "-d " `
BADNUM=${BADNUM:-0}

# If that number is 10 or more, let's shut off access to SMTP
# from that IP address (unless it is already in the list).
if (( $BADNUM >= 10 )); then
   BADIP=`echo $BADBOY |cut -f2 "-d " `
   if ! grep -qx "$BADIP" $SPAMDB 2>/dev/null; then
      echo $BADIP >> $SPAMDB
      iptables -A INPUT_CHAIN -s $BADIP -p tcp -m tcp --dport 25 \
            --tcp-flags SYN,RST,ACK SYN -j REJECT
   fi
fi
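Jason also asked for the block to go away after Z minutes, which the script above does not do. The following is an added example of my own (not Jon's script and not TriLUG code): it does the same per-minute count of 550 rejects per client against a constructed Postfix log sample, only flags IPs at or above a threshold, and pairs each block rule with the matching delete so a second cron job can lift expired blocks. It assumes the chain name INPUT_CHAIN from the thread and a spamdb line format of "epoch ip" that I made up for the expiry check.

```shell
#!/bin/sh
# Added example, not Jon's script: count Postfix "550" rejects per client IP
# inside a log window, list IPs over a threshold, and emit the add/delete
# rule pair so a block can be removed after Z minutes. INPUT_CHAIN comes
# from the thread; the log sample below is constructed, not real data.

SAMPLE_LOG='Jun 25 15:44:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <abe@example.net>: User unknown in local recipient table
Jun 25 15:44:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <al@example.net>: User unknown in local recipient table
Jun 25 15:44:03 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <andy@example.net>: User unknown in local recipient table
Jun 25 15:44:04 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <alison@example.net>: User unknown in local recipient table
Jun 25 15:44:05 mx postfix/smtpd[2213]: 3F2A1B: client=mail.example.org[198.51.100.7]
Jun 25 15:43:59 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <zed@example.net>: User unknown in local recipient table'

# reject_counts LOGTEXT WINDOW -> "count ip" per client, busiest first.
# Only lines in WINDOW whose reject code is exactly 550 count; the IP is the
# bracketed address after "RCPT from", so a "550" elsewhere in a line is ignored.
reject_counts() {
    printf '%s\n' "$1" | grep "^$2" \
      | grep 'RCPT from [^ ]*\[[^]]*]: 550 ' \
      | sed -E 's/.*RCPT from [^ ]*\[([^]]+)]: 550 .*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders LOGTEXT WINDOW THRESHOLD -> IPs with at least THRESHOLD rejects.
offenders() { reject_counts "$1" "$2" | awk -v t="$3" '$1 >= t {print $2}'; }

# The rule pair: -I puts the block ahead of any ACCEPT already in the chain,
# and -D with identical arguments removes exactly that rule later.
block_rule()   { echo "iptables -I INPUT_CHAIN -s $1 -p tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j REJECT"; }
unblock_rule() { echo "iptables -D INPUT_CHAIN -s $1 -p tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j REJECT"; }

# sweep LOGTEXT WINDOW THRESHOLD -> one block command per offender (the
# per-minute cron step; pipe the output into sh to apply it, and append
# "$(date +%s) ip" to the spamdb file so the expiry job can find it).
sweep() { offenders "$1" "$2" "$3" | while read -r ip; do block_rule "$ip"; done; }

# expired_blocks DBTEXT NOW_EPOCH TTL_SECONDS -> IPs blocked at least TTL ago.
# DBTEXT lines are "epoch ip"; feed each result to unblock_rule, then drop the line.
expired_blocks() {
    printf '%s\n' "$1" | awk -v now="$2" -v ttl="$3" 'NF == 2 && now - $1 >= ttl {print $2}'
}

# Demo against the sample: the 15:43:59 line is outside the window, so the
# top client has 3 rejects and is the only one at a threshold of 3.
sweep "$SAMPLE_LOG" 'Jun 25 15:44' 3
```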