[TriLUG] defense against dictionary attacks?
Jon Carnes
jonc at nc.rr.com
Fri Jun 25 15:45:35 EDT 2004
On Fri, 2004-06-25 at 13:56, Jason Tower wrote:
> lately my mail server (and several others that i administer) have been
> getting pummeled by dictionary attacks (trying to send mail to
> abe at domain, al at domain, alison at domain, andy at domain, and so on).
> naturally, the response to all of these is a "550 unknown user" but it
> still wastes bandwidth and fills up the logs and flat out pisses me
> off. these attacks all come from a single IP address (at least for
> some period of time, then they start up all over again from a different
> IP)
>
> i'm wondering if there's a relatively easy way to dynamically add an
> iptables rule that blocks port 25 (or better yet all traffic) from an
> IP address that generates X 550 errors in Y minutes. then, after Z
> minutes, the rule is removed. or is there a better way?
>
> jason
Here is my concept script for the problem (untested...). You would need
to set up your boot-up or re-init of IPTables so that it executed a file
that read in the IP addresses from the text file "spamdb" and turned off
port 25 from those addresses.
Comments, etc. are welcome.
Jon
======
#!/bin/bash
# Parse the Postfix info log every minute looking for 550
# (user unknown - dictionary SMTP attacks).
# If the number of 550 rejects from the same IP exceeds some
# threshold/minute then block that IP from accessing port 25 (SMTP)
# using IPTables.
#
# cron entry:
# * * * * * /usr/local/sbin/Postfix_Spam_Deny.sh
#
# Log file to parse each minute
INFO="/var/log/mail/info"
# File of spammer IP addresses (used when starting IPTables)
SPAMDB="/root/spamdb"
#
# This will return the date and time from one minute ago
# in the format used by Postfix in its info log:
ENTRIES=$(date -d "-1 minutes" "+%b %e %H:%M")
# Isolate the IPs for the 550 entries (": 550 " rather than a bare 550,
# so a PID or queue ID containing 550 is not counted).
# This gives the top abuser and how many attempts it made.
BADBOY=$(grep "$ENTRIES" "$INFO" | grep ": 550 " | cut -f3 -d[ | cut -f1 -d] \
    | sort | uniq -c | sort -nr | head -1)
# Split "count ip" from uniq -c; read discards the leading spaces.
# BADNUM is the number of times in a minute that the top abuser
# attempted to send to bad email addresses (0 if there were no 550s).
read -r BADNUM BADIP <<<"$BADBOY"
BADNUM=${BADNUM:-0}
# If that number is 10 or more, shut off access to SMTP from that
# IP address (once; IPs already in the spam database are skipped).
# INPUT_CHAIN is the chain your IPTables init script uses for inbound rules.
if (( BADNUM >= 10 )); then
    if ! grep -qx "$BADIP" "$SPAMDB" 2>/dev/null; then
        echo "$BADIP" >> "$SPAMDB"
        iptables -A INPUT_CHAIN -s "$BADIP" -p tcp -m tcp --dport 25 \
            --tcp-flags SYN,RST,ACK SYN -j REJECT
    fi
fi
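A more general take on the same idea, as an added example that is not Jon's script and not part of the original thread: it counts 550 rejects per client IP across whatever log lines it is given, reports every IP at or above the threshold rather than only the busiest one, and keeps a timestamped block list so that a block can be lifted again after Jason's "Z minutes". The chain name, the spamdb path, the `IPTABLES` variable (so the commands can be dry-run with `IPTABLES=true`) and the sample Postfix log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Jon's script): per-IP counting of Postfix 550 rejects,
# blocking of every IP over a threshold, and expiry of old blocks.
# Chain, paths and sample log lines below are assumptions/constructed.

IPTABLES="${IPTABLES:-iptables}"      # assumed: iptables in PATH
CHAIN="${CHAIN:-INPUT}"               # assumed chain; use your own
SPAMDB="${SPAMDB:-/var/tmp/spamdb}"   # one "ip epoch-seconds" per line

# Constructed sample of Postfix smtpd log lines (not a real log).
SAMPLE_LOG='Jun 25 15:44:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abe@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<abe@example.org> proto=SMTP helo=<x>
Jun 25 15:44:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <al@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<al@example.org> proto=SMTP helo=<x>
Jun 25 15:44:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alison@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<alison@example.org> proto=SMTP helo=<x>
Jun 25 15:44:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <andy@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<andy@example.org> proto=SMTP helo=<x>
Jun 25 15:44:10 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<y@example.com> to=<bob@example.org> proto=ESMTP helo=<mail.example.com>
Jun 25 15:44:11 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <carl@example.org>: Recipient address rejected: User unknown in local recipient table; from=<y@example.com> to=<carl@example.org> proto=ESMTP helo=<mail.example.com>
Jun 25 15:44:20 mx postfix/smtpd[2103]: 1A2B3C4D5E: client=relay.example.org[203.0.113.5]'

# offenders THRESHOLD: read log lines on stdin and print "count ip" for
# every client IP with at least THRESHOLD 550 rejects, busiest first.
offenders() {
    grep ': 550 ' |
    sed -n 's/.* from [^[]*\[\([0-9.]*\)\]: 550 .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# block_ip IP: reject SMTP SYNs from IP (same effect as Jon's rule) and
# record when the block was added; IPs already on the list are skipped.
block_ip() {
    ip="$1"
    awk -v ip="$ip" '$1 == ip { f=1 } END { exit !f }' "$SPAMDB" 2>/dev/null && return 0
    "$IPTABLES" -I "$CHAIN" -s "$ip" -p tcp --dport 25 --syn -j REJECT || return 1
    printf '%s %s\n' "$ip" "$(date +%s)" >> "$SPAMDB"
}

# expire_blocks SECONDS: lift every block older than SECONDS, drop it from
# the list, and print the IP that was unblocked.
expire_blocks() {
    max="$1"; now=$(date +%s); keep="$SPAMDB.tmp"
    [ -f "$SPAMDB" ] || return 0
    : > "$keep"
    while read -r ip added; do
        if [ $((now - added)) -ge "$max" ]; then
            "$IPTABLES" -D "$CHAIN" -s "$ip" -p tcp --dport 25 --syn -j REJECT
            echo "$ip"
        else
            printf '%s %s\n' "$ip" "$added" >> "$keep"
        fi
    done < "$SPAMDB"
    mv "$keep" "$SPAMDB"
}

# Cron usage (every minute, like Jon's script): block anyone with 10 or
# more 550s in the previous minute and lift blocks after one hour:
#   grep "$(date -d '-1 minutes' '+%b %e %H:%M')" /var/log/mail/info \
#     | offenders 10 | while read -r n ip; do block_ip "$ip"; done
#   expire_blocks 3600
```

Because the block list carries the time each entry was added, the same file doubles as the "spamdb" that a firewall init script re-reads at boot, and the expiry pass keeps the rule set from growing without bound as attackers move between source addresses.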