Re: [OT] HELP!!! mail attack

Nataraj wrote:
On Wed, 2008-03-26 at 11:14 -0400, Rodolfo Alcazar Portillo wrote:
Am Mittwoch, den 26.03.2008, 23:59 +0900 schrieb John Summerfield:
I use postfix; I can do this:
[root@xxxxxxxxxxxxx sysconfig]# tail /etc/postfix/header_checks
/^Received.*UNITED.CO.UK/ REJECT No thanks
/^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
/^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
/^Received:.*dizinc.com/ REJECT No thanks
/CentOS-announce Digest/ REJECT I don't want these
/yourshopineu/ REJECT Bloody spammer
Ok, the problem is that the content is really random... I tried to find
common words:

Postfix has extensive features for dealing with these types of mail
attacks including all kinds of rate limiting for number of connections
from servers, blocking connections from servers with improper DNS
entries, calling various hooks to other spam control mechanisms.  If a
server connects and tries to send mail to non-existent users or other
failure, this counts as an error.  You can rate limit the number of
errors allowed from a particular server attempting delivery, then

iptables does rate-limiting too, and (possibly) one can be more selective.

First, rules to accept known good guys.
Second, rules to accept some number/hour from the rest.
Third, rules to log and drop the rest.

Keep a careful eye on the results, you might want to extend the good guys list.
This drops around 90% of ssh connexions that get to the box:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP

There are prior rules to allow more likely locations, where I might be found.

--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
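Added example, not from the thread: a small Python parser for the kernel log lines that the two LOG rules above write, counting per source how many new SSH connections were logged under the limit and how many were dropped, so the results can be checked as John suggests and sources that belong on the good-guys list can be spotted. The log prefixes and SRC/DPT fields are those of the iptables LOG target; the log lines themselves are constructed sample data using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Matches kernel log lines from the two LOG rules: the prefix is whatever
# --log-prefix set, SRC and DPT are standard iptables LOG target fields.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>SSH connexion(?: attack dropped)?) .*?"
    r"\bSRC=(?P<src>[0-9.]+) .*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 26 12:00:01 mail kernel: SSH connexion IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=22 SYN
Mar 26 12:00:04 mail kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50011 DPT=22 SYN
Mar 26 12:00:05 mail kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50012 DPT=22 SYN
Mar 26 12:00:09 mail kernel: SSH connexion IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=22 SYN
Mar 26 12:00:10 mail kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43212 DPT=22 SYN
Mar 26 12:00:11 mail sshd[1234]: Accepted publickey for john from 192.0.2.10 port 43211
"""


def parse_log(text, port="22"):
    """Yield (prefix, src) for each line written by the LOG rules on `port`."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == port:
            yield m.group("prefix"), m.group("src")


def per_source_counts(text, port="22"):
    """Return {src: (logged_under_limit, dropped)} for every source seen."""
    counts = defaultdict(lambda: [0, 0])
    for prefix, src in parse_log(text, port):
        counts[src][1 if prefix.endswith("dropped") else 0] += 1
    return {src: tuple(v) for src, v in counts.items()}


def top_dropped(text, n=10, port="22"):
    """Sources ordered by drops; a known host near the top is a candidate
    for the good-guys rules, an unknown one is the attack being rate-limited."""
    rows = [(src, ok, dropped) for src, (ok, dropped) in per_source_counts(text, port).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))[:n]


if __name__ == "__main__":
    for src, ok, dropped in top_dropped(SAMPLE_LOG):
        print(f"{src:16} logged={ok:3} dropped={dropped:3}")
```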

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list