HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Tips/Tricks/Mods > ISPconfig 3 - Postfix spammer killer (http://www.howtoforge.com/forums/showthread.php?t=31681)

bl4ckb1rd 24th February 2009 02:11

ISPconfig 3 - Postfix spammer killer
 
Ok here we go, as you may know ISPconfig 3 has postfix (mail server) connected to mysql to store virtual mail users. Which is fine... But as you may have some domain that is constantly getting spammed/sent mail from lots of IPs, you may hit the max. connection limit in mysql rather quickly, since for each email postfix makes a connection to mysql... This makes your server useless, because all services depend on mysql (that's where all the data is stored...). So I found a little script to prevent such mysql bottlenecks from stupid spammers, and it goes like this:

Code:

#!/bin/bash
IPT=/sbin/iptables
LIMIT=8 # change this to the maximum number of rejected attempts your server will authorize

# change this to the path where you install the script; stop if it does not exist
cd /usr/local/sbin/smtp_flood/ || exit 1

# first get one minute of log (the minute that was three minutes ago;
# note %d is zero-padded, while syslog writes a space-padded day)
grep -i "`date +"%b %d %H:%M:" --date="3 minutes ago"`" /var/log/mail.log > minutelog
# now extract the rejected attempts, sort and count uniq ip
# (field 10 is the "name[ip]" token in a standard mail.log line; adjust it if your format differs)
grep "reject:" minutelog | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result: "<count> <ip>"
while read -r MYCOUNT MYIP
do
  if [ "$MYCOUNT" -lt "$LIMIT" ]
  then
    echo "$MYIP is ok: $MYCOUNT attempts"
  else
    echo "blocking the spammer at $MYIP with $MYCOUNT attempts"
    $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
    echo "$MYIP" >> blocked.smtp # log blocked ip to file
  fi
done < tmp1
# remove temp files
rm -f minutelog tmp1
What this script actually does is block every spammer that connects 8 times in the last 3 minutes to your server permanently through the iptables firewall. It keeps a log file of banned IPs. You may modify the script for timestamp logging, for example, etc... I found this script useful, maybe you'll need it sooner or later too.

Oh yeah, I almost forgot... run it in crontab on a 3 minute period, or whatever period you have in the script...

robilaur 25th March 2009 08:37

Ok.... I copied the content to the specified path from the file to smtp_flood.sh
Ran it... and nothing.... Did I do something wrong?.... No log is being generated...

Where can i find the log file?

Mosquito 14th April 2009 15:33

Useful. Thanks.

A question - can you automate the removal of entries from iptables? While it may be useful to block an IP temporarily, you could also inadvertently block a client that is having a busy day (or has a lot of bad data/email names).

Or...another option...can Fail2Ban do this (does anyone know?)

bl4ckb1rd 14th April 2009 15:57

Fixed version
 
Code:

#!/bin/bash
IPT=/sbin/iptables
LIMIT=5 # change this to the maximum number of rejected attempts your server will authorize

# change this to the path where you install the script; stop if it does not exist
cd /usr/local/sbin/smtp_flood/ || exit 1

# first get the current hour of log from the last 400 lines
# (%e gives the space-padded day that syslog writes, e.g. "Apr  4")
tail -n 400 /var/log/maillog | grep -i "`date +"%b %e %H:"`" > minutelog
# now extract the rejected attempts, sort and count uniq ip
# (field 11 is the "name[ip]" token in this maillog format; adjust it if yours differs)
grep "reject:" minutelog | cut -d" " -f11 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
touch blocked.smtp # make sure the blocklist exists before the first lookup
# for each line in result: "<count> <ip>"
while read -r MYCOUNT MYIP
do
  if [ "$MYCOUNT" -lt "$LIMIT" ]
  then
    echo "$MYIP je ok: $MYCOUNT poskusov"               # "<ip> is ok: <n> attempts"
  else
    # exact whole-line match, so 10.0.0.1 is not taken as already blocked because 10.0.0.10 is
    ALREADY=`grep -c -x -F "$MYIP" blocked.smtp`

    if [ "$ALREADY" -eq 0 ]
    then
      echo "blokiramo spemerja $MYIP z $MYCOUNT poskusi"  # "blocking spammer <ip> with <n> attempts"
      $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
      echo "$MYIP" >> blocked.smtp
    else
      echo "$MYIP ze blokiran"                            # "<ip> already blocked"
    fi
  fi
done < tmp1
# remove temp files
rm -f minutelog tmp1

Here is the fixed version that even checks if the IP was already blocked (so you don't get double blocks in the firewall); also fixed problems with the different syntax of the date in postfix's maillog file. I run this one from a crontab every few minutes. It works properly. Try it out and post bugs if you find any.

Best regards,
Alen Krmelj

bl4ckb1rd 14th April 2009 16:01

As you may know... these IPs that are firewall-blocked are ONLY REAL TIME BLOCKLIST rejected IPs... which means even if you remove them from the firewall they still won't be able to send email, because the RBL from Spamhaus or SpamCop or whatever RBL you use will still block it. That's the idea. It won't block just any IP... only RBL-already-rejected spammers that connect many times to the mail server and spam mysql connections. This means this script is safe to use and can't block normal traffic.

The real advantage of this script is that it blocks mailbomb attacks from many, many IPs that are drones in a spamnet. No other script I've seen on the net can do this that efficiently. I believe fail2ban can be configured that way, but I'm not sure, since I don't use it on my servers. I just needed a solution for the mail server not to hog all the damn connections to mysql while under attack.
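An added example, not the thread's script and not part of ISPConfig: it keeps the approach of the posts above (count Postfix "reject:" lines per client, DROP repeat offenders, never add a rule twice) but reads the IP from the "from name[a.b.c.d]" token instead of a fixed cut field, and adds the timed unblocking Mosquito asked about. The paths, the blocklist format "<epoch> <ip>", the sample log lines and the IPT dry-run switch are assumptions.

```shell
#!/bin/bash
# Added example, not the thread's script. Same idea (count Postfix "reject:" lines
# per client, DROP repeat offenders, never add a rule twice) plus timed unblocking.
# Paths and the sample log are assumptions; set IPT="echo iptables" for a dry run.
IPT="${IPT:-/sbin/iptables}"
BLOCKLIST="${BLOCKLIST:-/usr/local/sbin/smtp_flood/blocked.smtp}"   # lines: "<epoch> <ip>"

# Print "count ip" for each client with at least LIMIT reject lines in LOG.
# The IP is read from "from name[a.b.c.d]", so the cut field number no longer matters.
find_offenders() {
    grep 'reject:' "$1" | grep -oE 'from [^ ]+\[[0-9.]+\]' \
      | sed -E 's/.*\[([^]]+)\]/\1/' | sort | uniq -c \
      | awk -v lim="$2" '$1 >= lim { print $1, $2 }'
}

# Add a DROP rule for IP unless the blocklist already has an exact entry for it.
# Returns 1 (and does nothing) when the IP was already blocked.
block_ip() {
    touch "$BLOCKLIST"
    awk -v ip="$1" '$2 == ip { f=1 } END { exit !f }' "$BLOCKLIST" && return 1
    $IPT -I INPUT -p tcp -s "$1" --dport 25 -j DROP || return 2
    printf '%s %s\n' "$(date +%s)" "$1" >> "$BLOCKLIST"
}

# Delete rules older than MAX_AGE seconds and drop them from the blocklist,
# so a busy legitimate client is not locked out for good.
expire_blocks() {
    local cutoff=$(( $(date +%s) - $1 ))
    [ -f "$BLOCKLIST" ] || return 0
    while read -r stamp ip; do
        if [ "$stamp" -lt "$cutoff" ]; then
            $IPT -D INPUT -p tcp -s "$ip" --dport 25 -j DROP >&2   # keep stdout for the list
        else
            printf '%s %s\n' "$stamp" "$ip"
        fi
    done < "$BLOCKLIST" > "$BLOCKLIST.new" && mv "$BLOCKLIST.new" "$BLOCKLIST"
}

# Constructed sample log (three rejects from 192.0.2.10, one from 198.51.100.7).
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 14 15:33:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; blocked using zen.spamhaus.org; from=<a@example.org> to=<b@example.com>
Apr 14 15:33:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; blocked using zen.spamhaus.org; from=<a@example.org> to=<c@example.com>
Apr 14 15:33:04 mx postfix/smtpd[2235]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 450 4.1.8 Sender address rejected; from=<x@nx.example> to=<b@example.com>
Apr 14 15:33:05 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; blocked using zen.spamhaus.org; from=<a@example.org> to=<d@example.com>
Apr 14 15:33:06 mx postfix/smtpd[2236]: 3A1B2C: from=<ok@example.com>, size=812, nrcpt=1 (queue active)
EOF
}
```

From cron, run `find_offenders /var/log/mail.log 5 | while read -r n ip; do block_ip "$ip"; done` every few minutes and `expire_blocks 86400` once an hour; the dry-run setting shows the rules without touching the firewall.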

Ovidiu 5th May 2009 14:31

Sounds good, any advice on this from the authors of ispcfg3?

Do you see any problems with this?

nokia80 11th May 2009 13:16

Where do I have to put the script in?
Is it possible that smtp_flood is not found?

Thanks

Ovidiu 11th May 2009 16:43

he said:
Quote:

Oh yeah, I almost forgot... run it in crontab on a 3 minute period, or whatever period you have in the script...
that means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.

nokia80 11th May 2009 16:48

Quote:

Originally Posted by Tenaka (Post 187739)
he said:

that means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.

Where is the cron job in ISPConfig 3?

How do I have to call it in cron? Please help.

Ovidiu 12th May 2009 08:34

Quote:

Originally Posted by nokia80 (Post 187743)
Where is the cron job in ISPConfig 3?

How do I have to call it in cron? Please help.

No cronjobs in ispcfg3, but do crontab -e on your console and enter the cronjob after consulting the cron docs.

