SMTP Attacks

Harold Hallikainen harold at hallikainen.com
Tue Oct 24 19:53:31 UTC 2006


> On Tue, Oct 24, 2006 at 11:46:52AM -0700, Harold Hallikainen wrote:
>> I might mess around with another copy of the sshblack script and have it
>> watch the mail logs and block IP addresses that appear to be attacking the
>> server. I already have a copy watching the ssh log and another watching
>> the httpd log.
>>
>> THANKS!
>>
>> Harold
>
> Hi Harold,
>
> How many addresses are you blocking?  I have heard that iptables will
> begin to slow the system down a lot once you exceed 500 blocked
> addresses.
>
> Are you running into any problems with this?
>
> Jeff Kinz
>


There are about 175 blocked IP addresses right now. I block them after
three or four bad login attempts on ssh or trying to access some MS file
that does not exist on this FC4 machine. I leave them blocked for about a
month, then give them another chance.

I have not seen excessive load from this, as far as I can tell. I do now
and then seem to get runaway loads with a bunch of http accesses
simultaneously getting large files. I've minimized this with robots.txt,
telling search engines to not index certain directories and to hold off a
minute between accesses. Even then, the load can get high at times. The 1
minute load average right now is 11.83 and the 15 minute is 10.51. Here's some
top output:

 6798 apache    25   0 60776  32m 3160 R 10.0  3.3   9:37.14 httpd
 6812 apache    25   0 60676  35m 5444 R 10.0  3.5   7:27.65 httpd
 6834 apache    25   0 60456  33m 3912 R 10.0  3.3   6:35.63 httpd
 6836 apache    25   0 50340  25m 5620 R 10.0  2.5   1:06.80 httpd
 6837 apache    25   0 60472  34m 5436 R 10.0  3.5   5:44.70 httpd
 6577 apache    25   0 60648  32m 3128 R  9.6  3.3  13:27.84 httpd
 6800 apache    25   0 60692  34m 4672 R  7.0  3.4   8:20.07 httpd
 6576 apache    25   0 60736  32m 3124 R  6.6  3.3  16:31.16 httpd
 6580 apache    25   0 60704  32m 3004 R  6.6  3.3  22:27.48 httpd
 6581 apache    25   0 58928  33m 5672 R  6.6  3.4   0:18.49 httpd
 6647 apache    25   0 60832  34m 4804 R  6.6  3.5  11:08.25 httpd
 6831 apache    25   0 50332  25m 5568 R  6.6  2.5   1:44.65 httpd


To keep the machine from crashing (or not accepting mail, which it does
when the load average is above 12), I have a script that runs every hour
that restarts httpd if the 15 minute average is above 10. This has solved
that problem...

Harold

-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
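The blocking scheme Harold describes (count bad ssh logins per source address, drop the address once it passes a small threshold) is shown below as an added example; it is not the sshblack script and was not posted by anyone in the thread. The log lines are constructed for the example using RFC 5737 test addresses, the threshold of 3 is an assumption, and the script only prints the iptables rules it would apply. Jeff's question about cost applies to exactly this rule shape: each `-s <ip> -j DROP` entry is one more rule the INPUT chain walks for every packet, so the chain length grows with the blocklist.

```shell
#!/bin/sh
# Added example, not the sshblack script from the post: count failed sshd
# logins per source address in syslog-format lines and print, for every address
# past a threshold, the iptables rule that would drop it. Nothing is executed.

THRESHOLD=${THRESHOLD:-3}   # block after more than this many failures (assumed)

# Constructed sample of /var/log/secure lines, using RFC 5737 test addresses.
SAMPLE_LOG='Oct 24 19:50:01 fc4 sshd[6101]: Failed password for root from 192.0.2.10 port 40211 ssh2
Oct 24 19:50:03 fc4 sshd[6102]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Oct 24 19:50:05 fc4 sshd[6103]: Failed password for invalid user test from 192.0.2.10 port 40213 ssh2
Oct 24 19:50:07 fc4 sshd[6104]: Failed password for root from 192.0.2.10 port 40214 ssh2
Oct 24 19:51:00 fc4 sshd[6110]: Failed password for harold from 198.51.100.7 port 5022 ssh2
Oct 24 19:52:30 fc4 sshd[6120]: Accepted publickey for harold from 198.51.100.7 port 5023 ssh2'

# Read log lines on stdin; print "<count> <ip>" for each address with
# failed-password events, sorted by address.
count_failures() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
        | sed 's/.* from \([0-9.]*\) port .*/\1/' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print the addresses whose failure count exceeds $1.
offenders() {
    count_failures | awk -v t="$1" '$1 > t { print $2 }'
}

# Read log lines on stdin; print one iptables DROP rule per offender.
# This is the one-rule-per-address blocklist shape the post describes; each
# rule is one more entry the INPUT chain walks for every incoming packet.
block_rules() {
    offenders "$1" | while read ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demonstration on the constructed sample (prints the rule for 192.0.2.10).
printf '%s\n' "$SAMPLE_LOG" | block_rules "$THRESHOLD"
```

Run against a real log with `block_rules 3 < /var/log/secure` and review the output before feeding it to a shell; a watcher that applies the rules itself also needs the expiry step Harold mentions (unblocking after about a month), otherwise the chain only ever grows.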
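The hourly "restart httpd when the 15-minute average is above 10" script is shown below as an added example; it is not Harold's script. The threshold of 10 is the post's value; the `/sbin/service httpd restart` command, the log file path and the `--run` flag are assumptions. The load figures come from `/proc/loadavg`, whose third field is the 15-minute average.

```shell
#!/bin/sh
# Added example, not the script from the post: meant to run hourly from cron,
# it restarts httpd when the 15-minute load average from /proc/loadavg is above
# a threshold. The restart command and log path are assumptions.

THRESHOLD=${THRESHOLD:-10}                                  # post's trigger value
RESTART_CMD=${RESTART_CMD:-"/sbin/service httpd restart"}  # assumed FC4 init script
LOG=${LOG:-/var/log/loadwatch.log}                          # hypothetical log file

# Print the 15-minute average (third field) of a line in /proc/loadavg format,
# e.g. "11.83 11.20 10.51 14/212 6841".
load15() {
    set -- $1
    echo "$3"
}

# True (exit 0) when $1 > $2; awk does the decimal comparison that test(1) cannot.
gt() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 > b + 0) }'
}

# Print "restart" when the 15-minute average in loadavg line $1 exceeds $2, else "ok".
decide() {
    if gt "$(load15 "$1")" "$2"; then
        echo restart
    else
        echo ok
    fi
}

# Act only when invoked with --run, so loading the file for tests has no side effects.
if [ "${1:-}" = "--run" ]; then
    line=$(cat /proc/loadavg)
    if [ "$(decide "$line" "$THRESHOLD")" = restart ]; then
        echo "$(date) load15=$(load15 "$line") > $THRESHOLD, restarting httpd" >> "$LOG"
        $RESTART_CMD
    fi
fi
```

A crontab entry such as `0 * * * * /usr/local/sbin/loadwatch.sh --run` (hypothetical path) gives the hourly schedule from the post. Because the 15-minute average lags, the script can fire after the burst has already passed, and a restart drops every in-flight download; logging each restart, as above, is what lets you see whether that trade is worth it.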




More information about the Redhat-install-list mailing list