[TriLUG] defense against dictionary attacks?
Aaron S. Joyner
aaron at joyner.ws
Fri Jun 25 16:14:37 EDT 2004
Jason Tower wrote:
>lately my mail server (and several others that i administer) have been
>getting pummeled by dictionary attacks (trying to send mail to
>abe at domain, al at domain, alison at domain, andy at domain, and so on).
>naturally, the response to all of these is a "550 unknown user" but it
>still wastes bandwidth and fills up the logs and flat out pisses me
>off. these attacks all come from a single IP address (at least for
>some period of time, then they start up all over again from a different
>IP)
>
>i'm wondering if there's a relatively easy way to dynamically add an
>iptables rule that blocks port 25 (or better yet all traffic) from an
>IP address that generates X 550 errors in Y minutes. then, after Z
>minutes, the rule is removed. or is there a better way?
>
>jason
>
>
If you're running Postfix, and like living on the bleeding edge, check
out the anvil(8) server that's still in development.
http://www.postfix.org/anvil.8.html It looks like it'll be a nice
addition when it's stable, although at the moment the docs claim it's a
bit rough around the edges (and not in the 2.1 stable release). I'm
curious to know if anyone's tried it out yet. :)
In general, we see an awful lot of dictionary attacks here at Intrex,
and it's not something we process the logs or firewall against to
block. Be very careful with setting up automated systems that monkey
with your firewall rules; it can have very unfortunate results if
someone decides to exploit the way you have it set up, and even more
likely, accidents and floods of mail to users who don't exist do happen
naturally. Twould be bad to block yahoo or aol because some newbie on
their service made a few typos or cut-n-pasted his mother's address
wrong 50 times into his forwarding list (stranger things have happened).
Also, note that processing the logs during a dictionary attack can get
very processor-intensive, especially if you're not careful in your regex
writing (I didn't even look closely at Jon's example, this in no way
should be interpreted as a reflection on his code). Just be careful
that you're not doing more work in defense than you're saving from the
minimal overhead of "550 user not found in local recipients table". :)
Either way, I'm curious to hear how it turns out. :)
Best of luck,
Aaron S. Joyner
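The X/Y/Z block-and-expire scheme Jason asks about, written up as an added example that is not code from this thread: it matches Postfix smtpd "550" rejection lines with one cheap anchored regex, keeps a sliding per-IP count, records the iptables commands it would run instead of executing them (dry run), and honours an allowlist so that big providers relaying their users' typos are never firewalled, per Aaron's caveat. The log line format, the 203.0.113.0/24 allowlist entry and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One anchored regex for Postfix smtpd "550" rejections, kept cheap so that a
# flood of rejections does not turn the log processing into the real load.
REJECT_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                       r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 ")
RULE = "iptables {} INPUT -s {} -p tcp --dport 25 -j DROP"  # "-I" adds, "-D" removes

class RejectBlocker:
    """Block an IP after X 550s within Y minutes; unblock Z minutes later (dry run)."""
    def __init__(self, x, y_minutes, z_minutes, allowlist=()):
        self.x, self.window, self.block_for = x, timedelta(minutes=y_minutes), timedelta(minutes=z_minutes)
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.hits = defaultdict(deque)        # ip -> timestamps of its recent 550s
        self.blocked, self.commands = {}, []  # ip -> expiry time; commands we would run

    def feed(self, line):
        m = REJECT_RE.match(line)
        if not m:
            return
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if any(ipaddress.ip_address(ip) in net for net in self.allow):
            return  # big providers relay their users' typos; never firewall them
        self.expire(ts)
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # forget hits older than the Y-minute window
            q.popleft()
        if len(q) >= self.x and ip not in self.blocked:
            self.blocked[ip] = ts + self.block_for
            self.commands.append(RULE.format("-I", ip))
            q.clear()

    def expire(self, now):  # lift every block that has served its Z minutes
        for ip in [ip for ip, until in self.blocked.items() if now >= until]:
            del self.blocked[ip]
            self.commands.append(RULE.format("-D", ip))

def _line(ts, ip, user):  # constructed Postfix-style rejection line
    return (f"{ts} mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 <{user}@example.org>: Recipient address rejected: User unknown")
# Constructed sample: 192.0.2.10 walks five names in 40 s, 203.0.113.7 does the same but
# is allowlisted, 198.51.100.5 makes two typos, and its 16:40 line arrives after the block expired.
NAMES = "abe al alison andy bob".split()
LOG = ([_line(f"Jun 25 16:00:{10 * i:02d}", "192.0.2.10", u) for i, u in enumerate(NAMES)]
       + [_line(f"Jun 25 16:05:{10 * i:02d}", "203.0.113.7", u) for i, u in enumerate(NAMES)]
       + [_line(f"Jun 25 16:{t}", "198.51.100.5", u) for t, u in [("06:00", "aaorn"), ("06:05", "aarno"), ("40:00", "aaron")]])
```

Feeding LOG through a RejectBlocker(5, 2, 30, ("203.0.113.0/24",)) yields exactly one insert and one delete for 192.0.2.10; dropping the allowlist adds the same pair for 203.0.113.7.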