Nataraj wrote:
On Wed, 2008-03-26 at 11:14 -0400, Rodolfo Alcazar Portillo wrote:
On Wednesday, 26.03.2008 at 23:59 +0900, John Summerfield wrote:
I use postfix; I can do this:
[root@xxxxxxxxxxxxx sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer
Ok, the problem is that the content is really random... I tried to find
common words:
Postfix has extensive features for dealing with these types of mail
attacks including all kinds of rate limiting for number of connections
from servers, blocking connections from servers with improper DNS
entries, calling various hooks to other spam control mechanisms. If a
server connects and tries to send mail to non-existent users or other
failure, this counts as an error. You can rate limit the number of
errors allowed from a particular server attempting delivery, then
iptables does rate-limiting too, and (possibly) one can be more selective.
First, rules to accept known good guys.
Second, rules to accept some number/hour from the rest.
Third, rules to log and drop the rest.
Keep a careful eye on the results, you might want to extend the good
guys list.
This drops around 90% of ssh connexions that get to the box:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
There are prior rules to allow more likely locations, where I might be
found.
--
Cheers
John
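The three tiers John describes (accept known good guys, accept 5/hour from the rest, log and drop the remainder), modelled in Python as an added example that is not code from the thread. The addresses and timings are constructed, and the `limit` match is simplified to an integer token bucket using iptables' default `--limit-burst` of 5.

```python
from collections import Counter

class LimitMatch:
    """Integer token-bucket model of `-m limit --limit N/hour`.

    Assumption: a simplified model; burst defaults to 5 like --limit-burst.
    """
    def __init__(self, per_hour=5, burst=5):
        self.cost = 3600 // per_hour      # seconds of credit one match costs
        self.cap = burst * self.cost      # a full bucket allows `burst` matches
        self.credit = self.cap            # the bucket starts full
        self.last = 0

    def matches(self, now):
        # Credit refills one unit per second, capped at the burst size.
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

def run_chain(events, trusted):
    """Apply the three tiers to (seconds, source) NEW connections on port 22."""
    limiter = LimitMatch()                # one bucket shared by every source
    verdicts = Counter()
    for now, src in sorted(events):
        if src in trusted:                # tier 1: known good guys
            verdicts[src, "ACCEPT"] += 1
        elif limiter.matches(now):        # tier 2: 5/hour for the rest
            verdicts[src, "ACCEPT"] += 1
        else:                             # tier 3: log and drop
            verdicts[src, "DROP"] += 1
    return verdicts

# Constructed sample traffic (documentation addresses, not from the thread).
SCANNER, TRUSTED, ROAMING = "198.51.100.7", "192.0.2.10", "203.0.113.5"
EVENTS = [(t, SCANNER) for t in range(0, 7200, 60)]   # one attempt a minute, 2 h
EVENTS += [(1800, TRUSTED), (3630, ROAMING)]

if __name__ == "__main__":
    for (src, verdict), n in sorted(run_chain(EVENTS, {TRUSTED}).items()):
        print(f"{src:15} {verdict:6} {n}")
```

In this constructed run the unlisted `ROAMING` address is dropped because the bucket is shared by all sources and the noisy source has already emptied it, which is why the prior accept rules for likely locations matter.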