ISPconfig 3 - Postfix spammer killer

Discussion in 'Tips/Tricks/Mods' started by bl4ckb1rd, Feb 24, 2009.

  1. bl4ckb1rd

    bl4ckb1rd New Member

    Ok, here we go. As you may know, ISPConfig 3 has Postfix (the mail server) connected to MySQL to store virtual mail users, which is fine... But if you have some domain that is constantly getting spammed/sent mail from lots of IPs, you may hit the max connection limit in MySQL rather quickly, since for each email Postfix makes a connection to MySQL... This makes your server useless, because all services depend on MySQL (that's where all the data is stored...). So I found a little script to prevent such MySQL bottlenecks from stupid spammers, and it goes like this:

    What this script actually does is block every spammer that connects 8 times in the last 3 minutes to your server, permanently, through the iptables firewall. It keeps a log file of banned IPs. You may modify the script for timestamp logging, for example, etc. I found this script useful; maybe you'll need it sooner or later too.

    Oh yeah, I almost forgot... run it from crontab on a 3-minute period, or whatever period you have in the script...
     
  2. robilaur

    robilaur New Member

    Ok.... I copied the content to the specified path from the file to smtp_flood.sh.
    Ran it... and nothing.... Did I do something wrong?.... No log is being generated...

    Where can i find the log file?
     
    Last edited: Mar 25, 2009
  3. Mosquito

    Mosquito New Member

    Useful. Thanks.

    A question - can you automate the removal of entries from iptables? While it may be useful to block an IP temporarily, you could also inadvertently block a client that is having a busy day (or has a lot of bad data/email names).

    Or... another option... can Fail2Ban do this (does anyone know?)
     
  4. bl4ckb1rd

    bl4ckb1rd New Member

    Fixed version

    Code:
    #!/bin/bash
    IPT=/sbin/iptables
    LIMIT=5 # change this to the maximum number of rejected attempts your server will tolerate
    IFACE=eth0 # interface on which public SMTP traffic arrives
    
    cd /usr/local/sbin/smtp_flood/ || exit 1 # change this to the path where you install the script
    touch blocked.smtp # list of already blocked IPs, one per line
    
    # first get the current hour of the log (syslog format: "Mar 25 10:")
    tail -n 400 /var/log/maillog | grep -i "`date +"%b %e %H:"`" > minutelog
    # now extract the client IP of every rejected attempt. Postfix logs the client as
    # "from <hostname>[<ip>]", so match the bracketed IP instead of a fixed field number
    # (a hostname like "unknown" vs. "mail.example.com" shifts the fields), then sort and count unique IPs
    grep "reject:" minutelog | sed -n 's/.*from [^[]*\[\([0-9.]*\)].*/\1/p' | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
    # for each line in the result ("count ip")
    while read -r MYCOUNT MYIP
    do
      if [ "$MYCOUNT" -lt "$LIMIT" ] ;
      then
        echo $MYIP is ok: $MYCOUNT attempts
      else
            # exact whole-line match, so 1.2.3.4 is not reported as blocked because 1.2.3.45 is
            ALREADY=`grep -Fxc "$MYIP" blocked.smtp`
    
            if [ "$ALREADY" -eq 0 ] ;
            then
                    echo blocking spammer $MYIP with $MYCOUNT attempts
                    $IPT -I INPUT -i $IFACE --proto tcp -s $MYIP --destination-port 25 -j DROP
                    echo $MYIP >> blocked.smtp
            else
                    echo $MYIP already blocked
            fi
      fi
    done < tmp1
    # remove temp files
    rm -f minutelog
    rm -f tmp1
    
    Here is the fixed version that even checks if the IP was already blocked (so you don't get double blocks in the firewall); it also fixes problems with the different syntax of the date in Postfix's maillog file. I run this one from a crontab every few minutes. It works properly. Try it out and post bugs if you find any.

    Best regards,
    Alen Krmelj
     
    Last edited: Apr 15, 2009
  5. bl4ckb1rd

    bl4ckb1rd New Member

    As you may know... these IPs that are firewall-blocked are ONLY REAL-TIME BLOCKLIST rejected IPs... which means even if you remove them from the firewall they still won't be able to send email, because the RBL from Spamhaus or SpamCop or whatever RBL you use will still block them. That's the idea. It won't block just any IP... only RBL-rejected spammers that connect many times to the mail server and spam MySQL connections. This means this script is safe to use and can't block normal traffic.

    The real advantage of this script is that it blocks mailbomb attacks from many, many IPs that are drones in a spam botnet. No other script I've seen on the net can do this that efficiently. I believe fail2ban can be configured that way, but I'm not sure, since I don't use it on my servers. I just needed a solution for the mail server not to hog all the damn connections to MySQL while under attack.
     
    Last edited: Apr 14, 2009
  6. Ovidiu

    Ovidiu Active Member

    Sounds good. Any advice on this from the authors of ispcfg3?

    Do you see any problems with this?
     
  7. nokia80

    nokia80 Member HowtoForge Supporter

    Where do I have to put the script?
    Is it possible that smtp_flood is not found?

    thanks
     
  8. Ovidiu

    Ovidiu Active Member

    He said:
    That means it doesn't matter where you put it; just call it by cron every X minutes, depending on your preferences.
     
  9. nokia80

    nokia80 Member HowtoForge Supporter

    Where is the cron job in ispconfig3?

    How do I have to call it in cron? Please help.
     
  10. Ovidiu

    Ovidiu Active Member

    No cronjobs in ispcfg3, but do crontab -e on your console and enter the cronjob after consulting the cron docs.
     
  11. davew

    davew New Member

    You can set something similar up with fail2ban using the supplied postfix filter, assuming you are running fail2ban.

    In /etc/fail2ban/jail.conf add something like the following...
    Code:
    [postfix-tcpwrapper]
    
    enabled  = true
    filter   = postfix
    action   = hostsdeny
               sendmail[name=Postfix, dest=you@yourdomain.net]
    logpath  = /var/log/maillog
    maxretry = 3
    bantime  = 900
    findtime  = 900
    
    then restart fail2ban

    Code:
    service fail2ban restart
    
    This will block access to all services on your server for 15 minutes to anyone who tries to send mail to 3 unknown recipients within a 15 minute period.
    Obviously you can tweak the settings to suit your own preferences.

    Don't forget to change the email address for notifications and maybe add known safe IPs to the
    Code:
    ignoreip = 127.0.0.1 
    value near the top of the file.
     
  12. Ovidiu

    Ovidiu Active Member

    I've got a somewhat related problem:

    A customer is sending a huge newsletter and even though he is sending it in batches it still clogs down my server. Using mytop I can see when he is sending his newsletter that I have between 30-1500 qps :-( and it is always the dbispconfig DB that is accessed...

    How do other people handle the sending of huge newsletters?

    I am not sure what the problem is. Should I increase the max connections? The server is not running out of RAM; it's just that when the sending is in progress, different random DB queries fail, so I guessed it's the max connection setting that I could up? The caches are effective, but well, the problem still persists...
     
  14. cyrus1977

    cyrus1977 New Member

    Anyone still using this on Debian?? Mine somehow stopped working. Running it by hand I get:

    [root@xxxxx postfix-scripts]$ ./postfixblocks_hand.sh
    blocking the spammer at from with 244 attempts
    iptables v1.4.2: host/network `from' not found
    Try `iptables -h' or 'iptables --help' for more information.

    It seems the script is getting back a wrong value from the sed script lines in the posted scripts. Since I'm not an expert I can't get it to work and have spent more than 5 hours searching for a solution.

    Any suggestions would be more than welcome.
     
  15. bl4ckb1rd

    bl4ckb1rd New Member

    Did you try the "fixed" version? Even if it's in Slovene, I can translate it if it works for you.
     
  16. cyrus1977

    cyrus1977 New Member

    Yes I did; it gives the same output error. It seems like the Postfix log lines or something have changed, which causes the errors, but I can't figure out why. Do you have it working still?
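The error cyrus1977 reports (iptables being handed the word "from" instead of an address) is what happens when the client IP is taken from a fixed whitespace-separated field: Postfix logs the client as "from <hostname>[<ip>]", and the field number shifts with the hostname and log layout. The script below is an added example written for this thread, not the script bl4ckb1rd posted and not part of ISPConfig or Postfix. It extracts the IP by matching the bracketed address after "from <host>[" instead of a column number, and it keeps the ban list with timestamps so that bans expire after a configurable time, which is what Mosquito asked about in post 3. Everything it assumes is labelled: the interface name, the ban file location, the one-hour default ban time, and the sample log lines (constructed, using documentation IP ranges). Setting IPT=echo dry-runs it without touching the firewall.

```shell
#!/bin/bash
# Added example for this thread, not the script posted above.
#  - reject_ips/offenders: count Postfix "reject:" lines per client IP by
#    matching "from <host>[<ip>]", so the field position does not matter.
#  - ban/expire_bans: record when each IP was banned and remove the DROP
#    rule again after BANTIME seconds instead of banning permanently.
# Assumptions: syslog-style maillog lines, iptables on interface $IFACE,
# ban entries stored in $BANFILE as "ip epoch-seconds". Set IPT=echo to
# dry-run without touching the firewall.
set -u

LIMIT=${LIMIT:-5}            # rejects seen in one run that trigger a ban
BANTIME=${BANTIME:-3600}     # seconds a ban lasts (assumed default: one hour)
IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
BANFILE=${BANFILE:-/var/lib/smtp_flood/blocked.smtp}   # assumed location

# stdin: maillog lines; stdout: one client IP per "reject:" line.
# The hostname may be "unknown" or a real name, so anchor on the bracketed
# IP that follows it rather than on a fixed cut field.
reject_ips() {
  sed -n 's/.*: reject: [A-Z-]* from [^[]*\[\([0-9.]*\)].*/\1/p'
}

# stdin: maillog lines; stdout: "count ip" for every IP with >= LIMIT rejects.
offenders() {
  reject_ips | sort | uniq -c | sort -rn |
    awk -v lim="$LIMIT" '$1 >= lim { print $1, $2 }'
}

# true if the IP is already in the ban list (exact match on the first field,
# so 1.2.3.4 is not mistaken for 1.2.3.45)
is_banned() {
  [ -f "$BANFILE" ] && awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$BANFILE"
}

# fw_rule -I|-D <ip>: insert or delete the port-25 DROP rule for one source
fw_rule() {
  $IPT "$1" INPUT -i "$IFACE" -p tcp -s "$2" --dport 25 -j DROP
}

# ban <ip>: add the rule once and record when it was added
ban() {
  is_banned "$1" && return 0
  fw_rule -I "$1" && printf '%s %s\n' "$1" "$(date +%s)" >> "$BANFILE"
}

# remove every rule whose ban is older than BANTIME and rewrite the list
expire_bans() {
  [ -f "$BANFILE" ] || return 0
  local now keep ip ts
  now=$(date +%s)
  keep=$(mktemp)
  while read -r ip ts; do
    if [ $((now - ts)) -ge "$BANTIME" ]; then
      fw_rule -D "$ip"
    else
      printf '%s %s\n' "$ip" "$ts" >> "$keep"
    fi
  done < "$BANFILE"
  mv "$keep" "$BANFILE"
}

# run_once <maillog>: scan the last 400 lines, ban offenders, expire old bans
run_once() {
  tail -n 400 "$1" | offenders | while read -r count ip; do
    echo "banning $ip after $count rejects"
    ban "$ip"
  done
  expire_bans
}

# Constructed sample lines (documentation IP ranges, not real traffic): five
# RBL rejects from 203.0.113.7, one unknown-recipient reject from a client
# with a real hostname, and a plain connect line that must be ignored.
SAMPLE_LOG='Mar 25 10:00:01 mx postfix/smtpd[1111]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<x>
Mar 25 10:00:02 mx postfix/smtpd[1111]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<v@example.org> proto=ESMTP helo=<x>
Mar 25 10:00:03 mx postfix/smtpd[1112]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.9]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<c@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.com>
Mar 25 10:00:04 mx postfix/smtpd[1114]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<d@example.net> to=<w@example.org> proto=ESMTP helo=<x>
Mar 25 10:00:05 mx postfix/smtpd[1114]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<e@example.net> to=<y@example.org> proto=ESMTP helo=<x>
Mar 25 10:00:06 mx postfix/smtpd[1115]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<f@example.net> to=<z@example.org> proto=ESMTP helo=<x>
Mar 25 10:00:09 mx postfix/smtpd[1116]: connect from unknown[192.0.2.5]'

case "${1:-}" in
  --demo) IPT=echo; BANFILE=$(mktemp); LIMIT=5   # dry run over the sample above
          printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r count ip; do ban "$ip"; done
          cat "$BANFILE" ;;
  "")     ;;                 # no argument: only define the functions (sourced or under test)
  *)      run_once "$1" ;;   # e.g. ./smtp_flood.sh /var/log/maillog from cron
esac
```

Run it as `IPT=echo ./smtp_flood.sh --demo` to see which of the constructed lines would lead to a ban (only 203.0.113.7; the single user-unknown reject from 198.51.100.9 stays under the limit), and from cron as `./smtp_flood.sh /var/log/maillog` once the paths match your system. Because each cron run also calls expire_bans, a client that merely had a bad day is unblocked after BANTIME seconds rather than staying in the firewall until someone notices.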
     