SMTP Attacks
Harold Hallikainen
harold at hallikainen.com
Tue Oct 24 19:53:31 UTC 2006
> On Tue, Oct 24, 2006 at 11:46:52AM -0700, Harold Hallikainen wrote:
>> I might mess around with another copy of the sshblack script and have it
>> watch the mail logs and block IP addresses that appear to be attacking the
>> server. I already have a copy watching the ssh log and another watching
>> the httpd log.
>>
>> THANKS!
>>
>> Harold
>
> Hi Harold,
>
> How many addresses are you blocking? I have heard that iptables will
> begin to slow the system down a lot once you exceed 500 blocked
> addresses.
>
> Are you running into any problems with this?
>
> Jeff Kinz
>
There are about 175 blocked IP addresses right now. I block them after
three or four bad login attempts on ssh or trying to access some MS file
that does not exist on this FC4 machine. I leave them blocked for about a
month, then give them another chance.
I have not seen excessive load from this, as far as I can tell. I do now
and then seem to get runaway loads with a bunch of http accesses
simultaneously getting large files. I've minimized this by using robots.txt
to tell search engines not to index certain directories and to hold off a
minute between accesses. Even then, the load can get high at times. The 1
minute load average right now is 11.83 and 15 minute is 10.51. Here's some
top output:
6798 apache 25 0 60776 32m 3160 R 10.0 3.3 9:37.14 httpd
6812 apache 25 0 60676 35m 5444 R 10.0 3.5 7:27.65 httpd
6834 apache 25 0 60456 33m 3912 R 10.0 3.3 6:35.63 httpd
6836 apache 25 0 50340 25m 5620 R 10.0 2.5 1:06.80 httpd
6837 apache 25 0 60472 34m 5436 R 10.0 3.5 5:44.70 httpd
6577 apache 25 0 60648 32m 3128 R 9.6 3.3 13:27.84 httpd
6800 apache 25 0 60692 34m 4672 R 7.0 3.4 8:20.07 httpd
6576 apache 25 0 60736 32m 3124 R 6.6 3.3 16:31.16 httpd
6580 apache 25 0 60704 32m 3004 R 6.6 3.3 22:27.48 httpd
6581 apache 25 0 58928 33m 5672 R 6.6 3.4 0:18.49 httpd
6647 apache 25 0 60832 34m 4804 R 6.6 3.5 11:08.25 httpd
6831 apache 25 0 50332 25m 5568 R 6.6 2.5 1:44.65 httpd
To keep the machine from crashing (or not accepting mail, which it does
when the load average is above 12), I have a script that runs every hour
that restarts httpd if the 15 minute average is above 10. This has solved
that problem...
Harold
--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
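The two mechanisms discussed in this thread, a log watcher that blocks a source address after a few failed logins and an hourly check that restarts httpd when the 15-minute load average passes a threshold, are shown below as an added example. It is not the sshblack script and not code from the thread; the sshd log lines are constructed in the standard OpenSSH "Failed password" format, the threshold of 4 failures and the load limit of 10 are assumptions taken from Harold's description, and the iptables rules are printed rather than executed so the script can be run safely anywhere.

```shell
#!/bin/sh
# Added example: a minimal log watcher and load check in the spirit of the
# thread. Not the sshblack script; log lines and thresholds are constructed.

THRESHOLD=${THRESHOLD:-4}   # assumed: block after this many failed logins
LOAD_LIMIT=${LOAD_LIMIT:-10} # assumed: restart httpd above this 15-min load

# Constructed sample sshd log lines (not a real capture). Two addresses:
# 192.0.2.10 fails four times, 198.51.100.7 twice; one successful login is
# included to check that it is ignored.
SAMPLE_LOG='Oct 24 11:40:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4444 ssh2
Oct 24 11:40:03 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4445 ssh2
Oct 24 11:40:05 host sshd[1236]: Failed password for root from 192.0.2.10 port 4446 ssh2
Oct 24 11:40:06 host sshd[1237]: Failed password for root from 198.51.100.7 port 5000 ssh2
Oct 24 11:40:08 host sshd[1238]: Failed password for root from 192.0.2.10 port 4447 ssh2
Oct 24 11:40:09 host sshd[1239]: Failed password for root from 198.51.100.7 port 5001 ssh2
Oct 24 11:41:00 host sshd[1240]: Accepted password for harold from 203.0.113.5 port 6000 ssh2'

# offenders LOG: print, one per line and sorted, every source address with
# at least THRESHOLD "Failed password" lines in LOG.
offenders() {
    printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $2 }' | sort
}

# block_rule IP: the iptables rule a watcher would add for one address.
# Printed here instead of executed; a real watcher would also record the
# time so the entry can be removed again after the grace period.
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# load15_high LOADAVG_LINE LIMIT: succeed (exit 0) when the third field of a
# /proc/loadavg line ("1min 5min 15min running/total lastpid") exceeds LIMIT.
load15_high() {
    printf '%s\n' "$1" | awk -v max="$2" '{ exit !($3 > max) }'
}

# Stand-alone run: show the rules for the sample log, then the load decision
# for the machine's own /proc/loadavg when it exists.
offenders "$SAMPLE_LOG" | while read -r ip; do
    block_rule "$ip"
done
if [ -r /proc/loadavg ] && load15_high "$(cat /proc/loadavg)" "$LOAD_LIMIT"; then
    echo "15-minute load above $LOAD_LIMIT: would restart httpd"
fi
```

Run as `sh watcher.sh`; with the constructed input it prints a single DROP rule for 192.0.2.10, because 198.51.100.7 stays under the threshold and the accepted login is not counted. On the question raised in the thread about iptables slowing down with many individual rules: each blocked address added this way is one more rule evaluated in sequence, so a long list does cost linear time per packet; keeping the addresses in a single hash-based set (ipset, which FC4 predates but current kernels ship) gives constant-time lookup and makes the expiry-after-a-month bookkeeping a timeout on the set entry rather than a rule deletion.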