[OT] HELP!!! mail attack
John Summerfield
debian at herakles.homelinux.org
Wed Mar 26 23:02:03 UTC 2008
Nataraj wrote:
> On Wed, 2008-03-26 at 11:14 -0400, Rodolfo Alcazar Portillo wrote:
>> Am Mittwoch, den 26.03.2008, 23:59 +0900 schrieb John Summerfield:
>>> I use postfix; I can do this:
>>> [root at mail.js.id.au sysconfig]# tail /etc/postfix/header_checks
>>> /^Received.*UNITED.CO.UK/ REJECT No thanks
>>> /^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
>>> /^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
>>> /^Received:.*dizinc.com/ REJECT No thanks
>>> /CentOS-announce Digest/ REJECT I don't want these
>>> /yourshopineu/ REJECT Bloody spammer
>> Ok, the problem is that the content is really random... I tried to find
>> common words:
>
> Postfix has extensive features for dealing with these types of mail
> attacks including all kinds of rate limiting for number of connections
> from servers, blocking connections from servers with improper dns
> entries, calling various hooks to other spam control mechanisms. If a
> server connects and tries to send mail to non-existent users or other
> failure, this counts as an error. You can rate limit the number of
> errors allowed from a particular server attempting delivery, then
iptables does rate-limiting too, and (possibly) one can be more selective.
First, rules to accept known good guys.
Second, rules to accept some number/hour from the rest.
Third, rules to log and drop the rest.
Keep a careful eye on the results; you might want to extend the good
guys list.
This drops around 90% of ssh connexions that get to the box:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
There are prior rules to allow more likely locations, where I might be
found.
>
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
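As an added illustration (not part of the thread), here is a small Python model of the `-m limit --limit 5/hour` rule (iptables' default `--limit-burst 5`) replaying constructed connection attempts through the three-stage policy described above; the sample addresses and the `LimitMatch`/`filter_new_connections` names are my own. Note that `limit` keeps one shared counter for every packet that reaches the rule rather than one per source, which is why the first-stage rules for known-good sources matter.

```python
from dataclasses import dataclass, field

@dataclass
class LimitMatch:
    """Model of netfilter's `-m limit`: one token bucket shared by every
    packet that reaches the rule, refilled at the configured average rate."""
    rate_per_hour: float = 5.0   # --limit 5/hour, as in the posted rules
    burst: int = 5               # iptables default for --limit-burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def matches(self, now):
        # Refill for the time since the previous packet, never above the burst.
        refill = (now - self.last) * self.rate_per_hour / 3600.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def filter_new_connections(attempts, good_sources=frozenset(), rate_per_hour=5.0, burst=5):
    """Replay (seconds, source_ip) attempts through the three-stage policy from
    the post: trusted sources pass, the rest share one rate-limited bucket,
    and whatever exceeds it is dropped. Returns a list of (source_ip, verdict)."""
    limiter = LimitMatch(rate_per_hour, burst)
    verdicts = []
    for when, src in attempts:
        if src in good_sources:
            verdicts.append((src, "ACCEPT"))      # stage 1: known good guys
        elif limiter.matches(when):
            verdicts.append((src, "ACCEPT"))      # stage 2: within 5/hour
        else:
            verdicts.append((src, "DROP"))        # stage 3: log and drop
    return verdicts

# Constructed sample (hypothetical addresses): a scanner hammers the port,
# a stranger tries once later, and one trusted host is whitelisted.
GOOD_SOURCES = frozenset({"192.0.2.10"})
SAMPLE_ATTEMPTS = [(float(t), "198.51.100.9") for t in range(8)] + [
    (730.0, "203.0.113.7"),   # ~12 min later: one token has trickled back
    (731.0, "198.51.100.9"),  # the scanner finds the shared bucket empty again
    (732.0, "192.0.2.10"),    # trusted source bypasses the limiter entirely
]

if __name__ == "__main__":
    for src, verdict in filter_new_connections(SAMPLE_ATTEMPTS, GOOD_SOURCES):
        print(f"{src:>14}  {verdict}")
```

The first five scanner attempts drain the burst, the next three are dropped, and the stranger twelve minutes later gets the single token that has trickled back while the trusted host never touches the bucket.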