I use a script which greps for repeated HANGUPs (and non-SMTP commands, etc.) and adds them to a postscreen access file (a separate blacklist file that can be re-compiled as and when). The black-list entry is retracted after a day or so.
A second script looks for repeated black-list refusals and adds the offender to the firewall drop-list. This entry is removed after a day, AND when the iptables counters have stopped incrementing. It is overkill in my case, but it keeps my hand in at writing scripts :-)

Allen C

On 09/04/16 15:44, jaso...@mail-central.com wrote:
> With postscreen in place, bad bots are getting fended off.
>
> Many give up and go away after a couple of tries.
>
> Some, these days mostly 'ylmf-pc' bots, are more persistent.
>
> E.g., this one
>
> Apr 8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
> Apr 8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
> Apr 8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
> Apr 8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
> Apr 8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
> Apr 8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
> ...
>
> continues on for a total of (in this case) 237 attempts in one continuous string over a few minutes.
>
> These do not appear as multiple CONCURRENT connections, which I think I can limit with 'postscreen_client_connection_count_limit'.
>
> Instead, they look like SEQUENTIAL connections.
>
> IIUC, this is a pretty efficient disconnection by postscreen, so not a huge load on the server.
>
> But, it's still making connections.
>
> I can rate limit these in fail2ban+firewall (e.g., http://shorewall.net/ConnectionRate.html), but would prefer to keep this reaction in Postfix.
>
> Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping the connection sooner?
>
> Jason
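The first script Allen describes (count repeated HANGUPs per client, write the offenders into a postscreen access file, retract the entry after a day) in Python, as an added example that is not Allen's script and not part of the thread. The HANGUP line format is taken from Jason's log excerpt; the threshold (3 HANGUPs within 10 minutes), the one-day retention, the constructed sample log, the second address 198.51.100.7 (documentation range) and the function names are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the postscreen HANGUP line format quoted in the thread.
HANGUP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/postscreen\[\d+\]: HANGUP after [\d.]+ "
    r"from \[(?P<ip>[^\]]+)\]:\d+"
)

# Constructed sample log: three HANGUPs from the address in the thread and a
# single HANGUP from a documentation-range address that stays below threshold.
SAMPLE_LOG = """\
Apr  8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
Apr  8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
Apr  8 04:17:26 mail01 postfix/postscreen[20412]: HANGUP after 0.80 from [37.49.226.17]:58871 in tests after SMTP handshake
Apr  8 04:30:02 mail01 postfix/postscreen[20412]: HANGUP after 1.02 from [198.51.100.7]:41000 in tests after SMTP handshake
"""


def syslog_time(stamp, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_hangups(text, year=2016):
    """Return {ip: sorted HANGUP timestamps}; every other postscreen line is ignored."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HANGUP_RE.match(line)
        if m is not None:
            events[m["ip"]].append(syslog_time(m["ts"], year))
    return {ip: sorted(stamps) for ip, stamps in events.items()}


def repeat_offenders(events, threshold=3, window=timedelta(minutes=10)):
    """IPs with at least `threshold` HANGUPs inside one `window`.

    The value is the time the threshold was crossed, which drives expiry later.
    """
    crossed = {}
    for ip, stamps in events.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                crossed[ip] = stamps[i + threshold - 1]
                break
    return crossed


def access_map(offenders, now, retention=timedelta(days=1)):
    """cidr-table lines for postscreen_access_list; entries older than `retention` are dropped."""
    return [f"{ip} reject" for ip, listed_at in sorted(offenders.items())
            if now - listed_at < retention]


def build_access_list(text, now_stamp, year=2016):
    """End to end: log text in, access-map lines out, evaluated at syslog time `now_stamp`."""
    return access_map(repeat_offenders(parse_hangups(text, year)),
                      syslog_time(now_stamp, year))


if __name__ == "__main__":
    print("\n".join(build_access_list(SAMPLE_LOG, "Apr  8 05:00:00")))
```

The output is meant to be written to a cidr table referenced from `postscreen_access_list` (for example `permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr`); a cidr table is read as text, so nothing needs to be compiled with postmap, and postscreen picks up the rewritten file on `postfix reload`. What postscreen does with a `reject` entry is governed by `postscreen_blacklist_action`, so the same file can merely log or actually drop the client. Re-running the script from cron regenerates the file, which is what implements the retraction after a day.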