Roderick A. Anderson said the following on 23/08/2009 1.04:

I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
errors or sends too much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m

While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.

Good point.  I didn't think of it in this context.

In my personal experience it is not like that. DoS and spam floods never come from Gmail, AOL, Yahoo! and sites like that.

The point is to write a good filter, not to filter connections.

I recently have been under SPAM and SMTP DoS attack on one of my servers. Fail2Ban and some Postfix settings were successful in deflecting such attacks.

Here are the rules I implemented to block attacks and spammers:

failregex = reject: RCPT from (.*)\[<HOST>\]: 450

This rule (checked for 10 or more occurrences) blocks programs hammering a server that has greylisting protection (policyd in my case).


failregex = NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 5\d\d

This rule (checked for 3 occurrences) blocks IPs rejected by RBL lookups that keep connecting even if they receive a "permanent failure" kind of error.
In my (quite long) experience, there is no silver bullet, nor a rule that can be applied to every SMTP server. I have customers that exchange legitimate mail with Russia and other spam-intensive areas; in that case I have to relax the rules on their server.
My two cents.
Ciao,
luigi

--
/
+--[Luigi Rosa]--
\

Interface: The opposite of 'Get out of my face.'

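To make the two failregex rules from Luigi's message concrete, here is an added Python example (not code from the thread or from fail2ban itself) that applies them to constructed Postfix smtpd log lines and counts per-IP hits against the thresholds he mentions (10 for the 450 greylisting rule, 3 for the 5xx RBL rule). The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's real one, the `ignoreip` parameter mimics fail2ban's option of the same name for the shared-MTA concern raised earlier in the thread, and the log lines are constructed, not real.

```python
import re
from collections import Counter

# Assumption: fail2ban expands <HOST> to a pattern matching an IP or hostname;
# this stand-in matches IPv4 literals only, which is what the thread's lines show.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex rules from the message, with the occurrence thresholds given for them.
RULES = {
    "greylist-hammer": (r"reject: RCPT from (.*)\[<HOST>\]: 450", 10),
    "rbl-persist": (r"NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 5\d\d", 3),
}

def compile_rule(failregex):
    """Turn a fail2ban failregex into a Python regex by substituting <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST))

def scan(lines, rules=RULES):
    """Return {rule_name: Counter(ip -> matches)} over the given log lines."""
    compiled = {name: compile_rule(rx) for name, (rx, _) in rules.items()}
    hits = {name: Counter() for name in rules}
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits[name][m.group("host")] += 1
    return hits

def candidates(hits, rules=RULES, ignoreip=frozenset()):
    """IPs that reached a rule's threshold, i.e. what fail2ban would ban,
    minus any in ignoreip (e.g. a large shared MTA you never want to block)."""
    return {name: sorted(ip for ip, n in hits[name].items()
                         if n >= rules[name][1] and ip not in ignoreip)
            for name in rules}

def log_line(ip, code, client="unknown"):
    """Constructed Postfix smtpd rejection line in the shape the rules expect."""
    return (f"Aug 23 01:04:10 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            f"{client}[{ip}]: {code} Recipient address rejected; to=<user@example.invalid>")

# Constructed sample log: one greylist hammerer, one polite retrier, one RBL-listed
# client that keeps coming back after a permanent failure, one single-shot 550.
SAMPLE_LOG = ([log_line("203.0.113.7", 450)] * 10
              + [log_line("203.0.113.8", 450)] * 4
              + [log_line("198.51.100.9", 554, "spam.invalid")] * 3
              + [log_line("198.51.100.10", 550)])

if __name__ == "__main__":
    print(candidates(scan(SAMPLE_LOG)))
```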