Martijn de Munnik wrote, at 08/22/2009 02:06 PM:
> I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
> errors or sends too much spam it is banned in the firewall.
>
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
> ban time 1h
>
> failregex = Passed SPAM, \[<HOST>\]
> ban time 10m
>
> When a host is banned multiple short times it gets banned for 1 day. It
> should be easy to get this working with iptables.
While fail2ban is an excellent tool (as is the recent module in iptables), don't go overboard. For example, keep in mind that SMTP is a very different animal than SSH or HTTP when determining sane amounts of time to block a host. It's relatively safe to block repeat offenders from SSH/HTTP because they usually represent connections from individual clients (although you might catch a proxy or network behind a NAT). But legitimate SMTP connections tend to come from a shared resource, such as an MTA representing thousands of clients. Don't set yourself up for a DoS by allowing someone to easily block Gmail, AOL, etc. at your site simply by sending a few spam messages.
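As an added illustration (not code from either poster or from fail2ban itself), the two failregex lines quoted above are run in Python over constructed postfix/amavis-style log lines, with the one-day escalation for repeat offenders and an allowlist for the shared MTAs the reply warns about; the pattern substituted for <HOST> is a simplified assumption.

```python
import re
from collections import defaultdict
# fail2ban substitutes <HOST> with its own host-matching pattern; an IPv4-only
# form is used here (assumption, simplified from what fail2ban really uses).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two failregex lines quoted in the thread, with their ban times in seconds.
JAILS = {
    "postfix-5xx": (r"reject: RCPT from (.*)\[<HOST>\]: 5\d\d", 3600),
    "amavis-spam": (r"Passed SPAM, \[<HOST>\]", 600),
}
RECIDIVE_THRESHOLD = 3    # this many short bans escalates to the long one
RECIDIVE_BANTIME = 86400  # the "banned for 1 day" step in the thread

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def count_hits(log_lines):
    """Return {jail: {host: number of lines matching that jail's failregex}}."""
    hits = {jail: defaultdict(int) for jail in JAILS}
    for jail, (failregex, _) in JAILS.items():
        pattern = compile_failregex(failregex)
        for line in log_lines:
            m = pattern.search(line)
            if m:
                hits[jail][m.group("host")] += 1
    return hits

def decide_bans(hits, prior_bans, maxretry=2, allowlist=frozenset()):
    """Return {host: bantime_seconds}; prior_bans is {host: earlier short bans}.
    Allowlisted hosts (shared MTAs you cannot afford to block) are never banned."""
    bans = {}
    for jail, (_, jail_bantime) in JAILS.items():
        for host, n in hits[jail].items():
            if n < maxretry or host in allowlist:
                continue
            bantime = jail_bantime
            if prior_bans.get(host, 0) + 1 >= RECIDIVE_THRESHOLD:
                bantime = RECIDIVE_BANTIME
            bans[host] = max(bans.get(host, 0), bantime)
    return bans

# Constructed sample lines in postfix/amavis style (not from the thread).
SAMPLE_LOG = [
    "Aug 22 14:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Relay access denied",
    "Aug 22 14:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 User unknown",
    "Aug 22 14:02:10 mx amavis[555]: (00555-01) Passed SPAM, [198.51.100.7] -> <user@example.org>",
    "Aug 22 14:02:40 mx amavis[555]: (00555-02) Passed SPAM, [198.51.100.7] -> <user@example.org>",
    "Aug 22 14:03:00 mx amavis[555]: (00555-03) Passed SPAM, [192.0.2.25] -> <user@example.org>",
    "Aug 22 14:03:30 mx amavis[555]: (00555-04) Passed SPAM, [192.0.2.25] -> <user@example.org>",
]
```

With `prior_bans={"198.51.100.7": 2}` and `allowlist={"192.0.2.25"}`, `decide_bans` gives 203.0.113.9 one hour, escalates 198.51.100.7 to a day, and leaves the allowlisted relay alone despite its two spam hits.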
