On 2016-04-09 18:51:00 -0400, Wietse Venema wrote:
> jaso...@mail-central.com:
> > continues on for a total of (in this case) 237 attempts in one
> > continuous string over a few minutes.
> 
> All connections are blocked after 0.1 second, as the client fails
> both the DNSBL and the pregreet tests. At one connection per second,
> this uses very few resources, so I would not worry about this. It's
> certainly not worth complicating postscreen.

Well, I'm not sure what you meant by "very few resources", but I've
noticed that since yesterday, the disk usage of my root partition
increased by 100 MB (instead of something of the order of 1 MB for
the same period), and this came from the /var/log/mail.log file.
For a small personal server, this is a lot of resources. Thanks to
Curtis Villamizar's command (posted in this thread), I could see:

[...]
    130 [75.147.78.177]
    366 [213.193.32.35]
    492 [193.189.117.148]
 100543 [108.245.138.130]

So, this was due to a single IP address, which did more than 100,000
connections within 15 hours!

I'm wondering what to do in case of future attacks like this.
I think that a fail2ban filter would be the best solution, but
there doesn't exist any filter for postscreen. I could probably
write one if no-one else has done this, but I'm not sure what
to test exactly. HANGUPs for less than 1 second like in Curtis's
command? Any better idea?

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
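
Added example, not part of the original message and not Curtis's command: a Python sketch of the check discussed above, counting postscreen HANGUPs that occur in under one second per client address and listing the addresses that exceed a threshold. The function names, the threshold and the sample log lines are assumptions made for illustration; the lines follow postscreen's "HANGUP after <seconds> from [<ip>]:<port>" log format.

```python
import re
from collections import Counter

# postscreen logs: "HANGUP after <seconds> from [<ip>]:<port> in tests ..."
HANGUP_RE = re.compile(
    r"postscreen\[\d+\]: HANGUP after (?P<secs>\d+(?:\.\d+)?) "
    r"from \[(?P<ip>[0-9A-Fa-f:.]+)\]:\d+"
)

def quick_hangups(lines, max_secs=1.0):
    """Count HANGUPs that happened in under max_secs, per client address."""
    counts = Counter()
    for line in lines:
        m = HANGUP_RE.search(line)
        if m and float(m.group("secs")) < max_secs:
            counts[m.group("ip")] += 1
    return counts

def offenders(lines, max_secs=1.0, threshold=3):
    """Return (ip, count) pairs with at least `threshold` quick hangups,
    busiest first. The threshold is a hypothetical value to tune."""
    ranked = quick_hangups(lines, max_secs).most_common()
    return [(ip, n) for ip, n in ranked if n >= threshold]

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE_LOG = """\
Apr 10 03:00:01 mx postfix/postscreen[2101]: CONNECT from [203.0.113.7]:40112 to [192.0.2.1]:25
Apr 10 03:00:01 mx postfix/postscreen[2101]: HANGUP after 0.1 from [203.0.113.7]:40112 in tests before SMTP handshake
Apr 10 03:00:02 mx postfix/postscreen[2101]: HANGUP after 0.09 from [203.0.113.7]:40113 in tests before SMTP handshake
Apr 10 03:00:03 mx postfix/postscreen[2101]: HANGUP after 0.1 from [203.0.113.7]:40114 in tests before SMTP handshake
Apr 10 03:00:04 mx postfix/postscreen[2101]: HANGUP after 0.11 from [203.0.113.7]:40115 in tests before SMTP handshake
Apr 10 03:02:10 mx postfix/postscreen[2101]: HANGUP after 6.3 from [198.51.100.23]:51200 in tests before SMTP handshake
Apr 10 03:05:44 mx postfix/postscreen[2101]: HANGUP after 0.4 from [198.51.100.23]:51377 in tests before SMTP handshake
Apr 10 03:09:12 mx postfix/postscreen[2101]: HANGUP after 0.2 from [2001:db8::5]:33010 in tests before SMTP handshake
""".splitlines()

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{n:7d} [{ip}]")
```

A fail2ban failregex could use the same pattern with fail2ban's `<HOST>` tag in place of the address group; the slow hangup (6.3 seconds) in the sample is deliberately not counted.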
