Ok here we go, as you may know ISPconfig 3 has postfix (mail server) connected to mysql to store virtual mail users. Which is fine... But as you may have some domain that is constantly getting spammed/sent mail from lotsa ip's, you may hit max. connection limit in mysql rather quickly, since for each email postfix makes connection to mysql... This makes your server useless, becouse all services depend on mysql (that's where all the data is stored...) So i found a little script, to prevent such mysql bottle necks from stupid spammers and it goes like this:


#!/bin/bash
IPT=/sbin/iptables
LIMIT=8 # change this to the maximum number of rejected attempt your server will authorize

cd /usr/local/sbin/smtp_flood/ # change this to the path where youinstall the script

# first get one minute of log
grep -i "`date +"%b %d %H:%M:" --date="3 minutes ago"`" /var/log/mail.log >> minutelog
# now extract the rejected attempts, sort and count uniq ip
cat minutelog | grep "reject:" | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f 1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result
while read line
do
MYCOUNT=`echo $line | cut -d" " -f1`
MYIP=`echo $line | cut -d" " -f2`

if [ $MYCOUNT -lt $LIMIT ] ;
then
echo $MYIP is ok: $MYCOUNT attempts
else
echo blocking the spammer at $MYIP with $MYCOUNT attempts
$IPT -I INPUT -i eth0 --proto tcp -s $MYIP --destination-port 25 -j DROP
echo $MYIP >> blocked.smtp # log blocked ip to file
fi
done < tmp1
# remove temp files
rm -f minutelog
rm -f tmp1


What this script actually does is block every spammer that connects 8 times in last 3 minutes to your server permanently thru iptables firewall. It keeps log file of banned ip's. You may modify the script for timestamp logging for example, etc... i found this script useful, maybe you'll need it sooner or later too.

Oh ye, i almost forgot... run it in crontab on 3 minute period, or whatever period you have in script...

Ok.... i copyed the content to the specified path from the file to smtp_flood.sh
Ran it... and nothing....did i do something wrong?.... no log is being generated...

Where can i find the log file?

Useful. Thanks.

A question - can you automate the removal of entries from iptables? While it may be useful to block an IP temporarily, you could also inadvertantly block a client that is having a busy day (or has a lot of bad data/email names).

Or...another option...can Fail2Ban do this (does any one know?)

#!/bin/bash
IPT=/sbin/iptables
LIMIT=5 # change this to the maximum number of rejected attempt your server will authorize

cd /usr/local/sbin/smtp_flood/ # change this to the path where youinstall the script

# first get hour of log
tail -n 400 /var/log/maillog | grep -i "`date +"%b %e %H:"`" > minutelog
# now extract the rejected attempts, sort and count uniq ip
cat minutelog | grep "reject:" | cut -d" " -f11 | cut -d"[" -f2 | cut -d"]" -f 1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result
while read line
do
MYCOUNT=`echo $line | cut -d" " -f1`
MYIP=`echo $line | cut -d" " -f2`

if [ $MYCOUNT -lt $LIMIT ] ;
then
echo $MYIP je ok: $MYCOUNT poskusov
else

ALREADY=`cat blocked.smtp | grep $MYIP | wc -l`

if [ $ALREADY -eq "0" ] ;
then
echo blokiramo spemerja $MYIP z $MYCOUNT poskusi
$IPT -I INPUT -i eth0 --proto tcp -s $MYIP --destination-port 25 -j DROP
echo $MYIP >> blocked.smtp
else
echo $MYIP ze blokiran
fi
fi
done < tmp1
# remove temp files
rm -f minutelog
rm -f tmp1


here is fixed version that even checks if ip was already blocked (so you dont get double blocks in firewall), also fixed problems with different syntax of date in maillog file of postfix. I run this one per few minute crontab. It works properly. Try it out and post bugs if you find any.

Best regards,
Alen Krmelj

as you may know... these ip's that are ip firewall blocked are ONLY REAL TIME BLOCKLIST rejected ip's... which means even if you remove them from firewall they still wont be able to send email, becouse RBL from spamhouse or spamcop or wtw RBL you use will still block it. That's the idea. It wont block just any ip... only RBL already rejected spammers that connect many times to mailserver and spamming mysql connections. This means this script is safe to use and cant block normal traffic.

The real advantage of this script is that it blocks mailbomb attacks from many many ip's that are drones in spamnet. No other script i seen on the net can do this that efficiently. I believe fail2ban can be configured that way, but i'm not sure, since i dont use it on my servers. i just needed solution for mailserver not to hog all the damn connections to mysql while under attack.

sounds good, any advice on this from the authors of ispcfg3?

do you see any problems with this?

where do I have put script in?
be possible smtpfloot do not find



thanks

he said: Oh ye, i almost forgot... run it in crontab on 3 minute period, or whatever period you have in script...

that means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.

he said:

that means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.



where is cron job in ispconfig3


how i have to call it in cron please help

where is cron job in ispconfig3


how i have to call it in cron please help

no cronjobs in ispcfg3 but do crontab -e on your console and enter the cronjob after consulting the cron docu

You can set something similar up with fail2ban using the supplied postfix filter assuming you are running fail2ban,

In /etc/fail2ban/jail.conf add something like the following...

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
sendmail[name=Postfix, dest=you@yourdomain.net]
logpath = /var/log/maillog
maxretry = 3
bantime = 900
findtime = 900


then restart fail2ban


service fail2ban restart


This will block access to all services on your server for 15 minutes to anyone who tries to send mail to 3 unknown recipients within a 15 minute period.
Obviously you can tweak the settings to suit your own preferences.

Don't forget to change the email address for notifications and maybe add known safe IPs to the
ignoreip = 127.0.0.1

value near the top of the file.

I've got a somewhat related problem:

a customer is sending a huge newsletter and even though he is sending it in batches it still clogs down my server. using mytop I can see when he is sending his newsletter that I have between 30-1500 qps :-( and it is always the dbispconfig DB that is accessed...

how do other people handle the sending of huge newsletters?

I am not sure what the problem is, should I increase the max connections? the server is not running our of RAM its just that when the sending is in progress, different random Db queries fail, so I guessed its the max conection settign that I coudl up? the caches are effective, but well, the problem still persists...

I've got a somewhat related problem:

a customer is sending a huge newsletter and even though he is sending it in batches it still clogs down my server. using mytop I can see when he is sending his newsletter that I have between 30-1500 qps :-( and it is always the dbispconfig DB that is accessed...

how do other people handle the sending of huge newsletters?

I am not sure what the problem is, should I increase the max connections? the server is not running our of RAM its just that when the sending is in progress, different random Db queries fail, so I guessed its the max conection settign that I coudl up? the caches are effective, but well, the problem still persists...

Any one still using this on debian ?? Mine somehow stoped working running it by hand i get:

[root@xxxxx postfix-scripts]$ ./postfixblocks_hand.sh
blocking the spammer at from with 244 attempts
iptables v1.4.2: host/network `from' not found
Try `iptables -h' or 'iptables --help' for more information.

It seems the script is getting back a wrong value from the sed scriptlines in the posted scripts. Since im not a expert i cant get it to work and spent more then 5 hours searching for a solutions.

Any suggestions would be more then welcome.

did you try the "fixed" version ? Even if it's in slovene, i can translate it if it works for you.

did you try the "fixed" version ? Even if it's in slovene, i can translate it if it works for you.

Yes i did gives the same output error. Seems like postfix loglines or something have changed which causes the errors but i cant figure out why. Do you have it working still ?