Quote from Andreas Schuldei <andreas+post...@schuldei.org>:

* Julio Cesar Covolato (ju...@psi.com.br) [090514 07:26]:
Hi!

I made a little shell script for stopping botnets and zombies, and I want
to know what you think about it.

The purpose is to drop via iptables hosts that are rejected several
times in a little space of time, reading the log generated by postfix.

Tested in a Linux box.

The script is so poor, but it's functional! I think that using perl
would be much better (Anyone? I'm very bad in perl, sorry!).

Just download, untar, configure (optional), and run it from the command line
for a few minutes, and see the show!!!!!!!

The idea is to block via firewall the connections that are garbage. Test it!!

Download pf-ip-killer :

http://psi.com.br/~julio/postfix/pf-ip-killer.tgz

This could be done with the "recent" module for iptables. That
would take care of everything this script does (minus the pruning
after one or two hours). If that could be done, too, all this
could be a static iptables configuration.

Any comments on using the recent iptables module from someone with higher traffic? We use the following to DROP connections from IPs with too high a
connection rate / time at IP level, without known trouble:


$IPTABLES -X SMTP-BLOCK
# Used when a host exceeds the permitted number of new
# connections / time.
# The check takes place in the calling rule; the sub-chain
# sets the counter, generates a LOG event and drops the packet.
$IPTABLES -N SMTP-BLOCK
$IPTABLES -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-BLOCK "
$IPTABLES -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP
# Since 05/2007: rate limit of 15 new connections within 60 seconds.
# Additionally limited to 10 simultaneous connections by Postfix
# means (anvil).
# With more than <hitcount> connection requests per 60 sec the client
# is entered into the SMTP-BLOCK list and only admitted again after
# 360 sec. have elapsed without a further attempt.
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --set
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#

As far as I know the only drawback is the limited number of entries ipt_recent can hold at once.

Regards

Andreas
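Added illustration, not part of the thread above: a small Python model of how the four INPUT rules and the two "recent" lists in Andreas's ruleset treat a sequence of NEW tcp/25 connections from one client. It assumes the kernel default of 20 timestamps kept per address (ip_pkt_list_tot) and that the --rcheck on the SMTP list counts the packet the preceding --set just recorded; the client IPs and timestamps are constructed sample data.

```python
from collections import defaultdict, deque

HITCOUNT = 15        # --hitcount 15 on the SMTP list
WINDOW = 60          # --seconds 60 on the SMTP list
BLOCK_SECONDS = 360  # --seconds 360 on the SMTPBLOCK list
PKT_LIST_TOT = 20    # assumed kernel default: timestamps kept per address


class RecentList:
    """Model of one 'recent' list: the last PKT_LIST_TOT hit times per address.
    The per-list cap on addresses (ip_list_tot) mentioned in the post is not modelled."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, ip, now):
        # --set: record this packet's timestamp for the address
        self.hits[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount=1):
        # --rcheck --seconds N [--hitcount H]: at least H hits within the last N seconds
        recent = [t for t in self.hits.get(ip, ()) if now - t <= seconds]
        return len(recent) >= hitcount


def new_smtp_connection(lists, ip, now):
    """Walk the INPUT rules from the post for one NEW tcp/25 packet; return the verdict."""
    smtp, block = lists
    # rule 1: -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
    if block.rcheck(ip, now, BLOCK_SECONDS):
        block.set(ip, now)  # SMTP-BLOCK chain: --set refreshes the 360 s timer, then DROP
        return "DROP"
    # rule 2: -m recent --name SMTP --set
    smtp.set(ip, now)
    # rule 3: -m recent --name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK
    if smtp.rcheck(ip, now, WINDOW, HITCOUNT):
        block.set(ip, now)
        return "DROP"
    # rule 4: -j ACCEPT
    return "ACCEPT"


def replay(attempts):
    """attempts: list of (timestamp_seconds, client_ip); returns one verdict per attempt."""
    lists = (RecentList(), RecentList())
    return [new_smtp_connection(lists, ip, t) for t, ip in attempts]
```

Replaying 15 connections in 15 seconds shows the 15th being dropped and every later attempt inside 360 s extending the block, so the client only gets through again after 360 s of silence.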
