HowtoForge Forums > ISPConfig 3 > Tips/Tricks/Mods
  #1  
Old 24th February 2009, 02:11
bl4ckb1rd
Member, joined Feb 2009, 36 posts

ISPconfig 3 - Postfix spammer killer

Ok here we go, as you may know ISPconfig 3 has postfix (mail server) connected to mysql to store virtual mail users. Which is fine... But as you may have some domain that is constantly getting spammed/sent mail from lotsa ip's, you may hit the max. connection limit in mysql rather quickly, since for each email postfix makes a connection to mysql... This makes your server useless, because all services depend on mysql (that's where all the data is stored...) So I found a little script to prevent such mysql bottlenecks from stupid spammers and it goes like this:

Quote:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=8 # change this to the maximum number of rejected attempts your server will authorize

cd /usr/local/sbin/smtp_flood/ || exit 1 # change this to the path where you install the script

# first get one minute of log
# note: syslog pads the day with a space ("Feb  5"), so %d ("05") misses days 1-9; %e matches it
grep -i "$(date +"%b %d %H:%M:" --date="3 minutes ago")" /var/log/mail.log > minutelog
# now extract the rejected attempts, sort and count uniq ip
grep "reject:" minutelog | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result
while read -r line
do
  MYCOUNT=$(echo "$line" | cut -d" " -f1)
  MYIP=$(echo "$line" | cut -d" " -f2)

  if [ "$MYCOUNT" -lt "$LIMIT" ]
  then
    echo "$MYIP is ok: $MYCOUNT attempts"
  else
    echo "blocking the spammer at $MYIP with $MYCOUNT attempts"
    $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
    echo "$MYIP" >> blocked.smtp # log blocked ip to file
  fi
done < tmp1
# remove temp files
rm -f minutelog
rm -f tmp1
What this script actually does is block every spammer that connects 8 times in the last 3 minutes to your server permanently through the iptables firewall. It keeps a log file of banned ip's. You may modify the script for timestamp logging for example, etc... I found this script useful, maybe you'll need it sooner or later too.

Oh yeah, I almost forgot... run it in crontab on a 3 minute period, or whatever period you have in the script...
  #2  
Old 25th March 2009, 08:37
robilaur
Member, Romania, joined Sep 2007, 86 posts

Ok.... I copied the content to the specified path from the file to smtp_flood.sh
Ran it... and nothing.... did I do something wrong?.... no log is being generated...

Where can i find the log file?

Last edited by robilaur; 25th March 2009 at 12:15.
  #3  
Old 14th April 2009, 15:33
Mosquito
Member, joined Nov 2006, 85 posts

Useful. Thanks.

A question - can you automate the removal of entries from iptables? While it may be useful to block an IP temporarily, you could also inadvertently block a client that is having a busy day (or has a lot of bad data/email names).

Or... another option... can Fail2Ban do this (does anyone know?)
  #4  
Old 14th April 2009, 15:57
bl4ckb1rd
Member, joined Feb 2009, 36 posts

Fixed version

Code:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=5 # change this to the maximum number of rejected attempts your server will authorize

cd /usr/local/sbin/smtp_flood/ || exit 1 # change this to the path where you install the script
touch blocked.smtp # make sure the block list exists on the first run

# first get the current hour of log (%e is space-padded like syslog, so days 1-9 match too)
tail -n 400 /var/log/maillog | grep -i "$(date +"%b %e %H:")" > minutelog
# now extract the rejected attempts, sort and count uniq ip
grep "reject:" minutelog | cut -d" " -f11 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result
while read -r line
do
  MYCOUNT=$(echo "$line" | cut -d" " -f1)
  MYIP=$(echo "$line" | cut -d" " -f2)

  if [ "$MYCOUNT" -lt "$LIMIT" ]
  then
    echo "$MYIP je ok: $MYCOUNT poskusov" # "$MYIP is ok: $MYCOUNT attempts"
  else
    # whole-line match, so 10.0.0.1 is not reported as blocked just because 10.0.0.10 is in the file
    ALREADY=$(grep -c -x -F "$MYIP" blocked.smtp)

    if [ "$ALREADY" -eq 0 ]
    then
      echo "blokiramo spemerja $MYIP z $MYCOUNT poskusi" # "blocking the spammer at $MYIP with $MYCOUNT attempts"
      $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
      echo "$MYIP" >> blocked.smtp # log blocked ip to file
    else
      echo "$MYIP ze blokiran" # "$MYIP already blocked"
    fi
  fi
done < tmp1
# remove temp files
rm -f minutelog
rm -f tmp1
Here is the fixed version that even checks if the ip was already blocked (so you don't get double blocks in the firewall), and also fixes problems with the different syntax of the date in the maillog file of postfix. I run this one on a crontab every few minutes. It works properly. Try it out and post bugs if you find any.

Best regards,
Alen Krmelj

Last edited by bl4ckb1rd; 15th April 2009 at 19:18. Reason: minor fixes
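The detection both scripts above implement, as an added example in Python that is not code from the thread: it pulls the client IP out of Postfix reject lines with a regex instead of a fixed cut field (the two versions disagree on -f10 vs -f11 because the field offset depends on the log prefix), counts rejects per IP inside a time window, optionally keeps only RBL rejects, and compares against the block list by exact entry. The sample log lines are constructed; the Postfix "blocked using" reject wording and the zen.spamhaus.org name are assumptions, not taken from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One regex instead of cut -f10 / -f11: the host[ip] field offset shifts with
# the syslog prefix, but the "reject: RCPT from host[ip]:" shape does not.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: (?P<reason>.*)$")

def count_rejects(log_text, now, window_min=3, limit=5, rbl_only=True):
    """{ip: rejects} for client IPs with >= limit rejects in the last window_min
    minutes. rbl_only keeps only RBL rejects (assumed Postfix text 'blocked using'),
    so a legitimate sender hitting 'Relay access denied' is never firewalled."""
    counts = Counter()
    earliest = now - timedelta(minutes=window_min)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; borrow it from `now`
        ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if not earliest <= ts <= now:
            continue
        if rbl_only and "blocked using" not in m["reason"]:
            continue
        counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= limit}

def new_blocks(offenders, blocked_file_text):
    """Offenders not yet in blocked.smtp, compared as whole entries rather than
    with the substring match of `grep $MYIP` (10.0.0.10 must not hide 10.0.0.1)."""
    already = set(blocked_file_text.split())
    return sorted(ip for ip in offenders if ip not in already)

# Constructed sample lines in Postfix smtpd reject format (not taken from the thread).
def _rej(ts, ip, reason):
    return (f"{ts} mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"{reason.format(ip=ip)}; from=<a@example.net> to=<b@example.org>")
RBL = "554 5.7.1 Service unavailable; Client host [{ip}] blocked using zen.spamhaus.org"
RELAY = "554 5.7.1 <b@example.org>: Relay access denied"
SAMPLE_LOG = "\n".join(
    [_rej(f"Apr 14 15:54:0{i}", "203.0.113.7", RBL) for i in range(5)]   # 5 RBL hits, recent
    + [_rej("Apr 14 15:53:30", "198.51.100.9", RBL)] * 2                 # only 2 hits
    + [_rej(f"Apr 14 15:1{i}:00", "192.0.2.44", RBL) for i in range(5)]  # 5 hits, 40 min old
    + [_rej("Apr 14 15:54:30", "203.0.113.200", RELAY)] * 6)             # relay, not RBL
NOW = datetime(2009, 4, 14, 15, 55)
if __name__ == "__main__":
    offenders = count_rejects(SAMPLE_LOG, NOW)            # -> {'203.0.113.7': 5}
    for ip in new_blocks(offenders, "203.0.113.70\n"):   # .70 in the file is not .7
        # the thread's script then runs: iptables -I INPUT -p tcp -s $ip --dport 25 -j DROP
        print("would block", ip, "after", offenders[ip], "RBL rejects")
```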
  #5  
Old 14th April 2009, 16:01
bl4ckb1rd
Member, joined Feb 2009, 36 posts

As you may know... these ip's that are ip firewall blocked are ONLY REAL TIME BLOCKLIST rejected ip's... which means even if you remove them from the firewall they still won't be able to send email, because the RBL from Spamhaus or SpamCop or whatever RBL you use will still block it. That's the idea. It won't block just any ip... only RBL already rejected spammers that connect many times to the mailserver and spam mysql connections. This means this script is safe to use and can't block normal traffic.

The real advantage of this script is that it blocks mailbomb attacks from many many ip's that are drones in a spamnet. No other script I've seen on the net can do this that efficiently. I believe fail2ban can be configured that way, but I'm not sure, since I don't use it on my servers. I just needed a solution for the mailserver not to hog all the damn connections to mysql while under attack.

Last edited by bl4ckb1rd; 14th April 2009 at 16:07.
  #6  
Old 5th May 2009, 14:31
Ovidiu
Senior Member, joined Sep 2005, 1,262 posts

Sounds good, any advice on this from the authors of ispcfg3?

Do you see any problems with this?
  #7  
Old 11th May 2009, 13:16
nokia80
HowtoForge Supporter, joined Apr 2009, 190 posts

Where do I have to put the script in?
Could it be that smtp_flood is not found?

Thanks
  #8  
Old 11th May 2009, 16:43
Ovidiu
Senior Member, joined Sep 2005, 1,262 posts

He said:
Quote:
Oh yeah, I almost forgot... run it in crontab on a 3 minute period, or whatever period you have in the script...
That means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.
  #9  
Old 11th May 2009, 16:48
nokia80
HowtoForge Supporter, joined Apr 2009, 190 posts

Quote:
Originally Posted by Tenaka
He said:

That means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.

Where is the cron job in ISPConfig 3?

How do I have to call it in cron? Please help.
  #10  
Old 12th May 2009, 08:34
Ovidiu
Senior Member, joined Sep 2005, 1,262 posts

Quote:
Originally Posted by nokia80
Where is the cron job in ISPConfig 3?

How do I have to call it in cron? Please help.
No cronjobs in ispcfg3, but do crontab -e on your console and enter the cronjob after consulting the cron docu.