Tired of the spam flooding this month I applied several rules to the mail server as follows:
- Chirpy's Exim dictionary attack ACL
- RBL
- Limiting the recipient numbers per e-mail
- Modsecurity to prevent Bcc injection in php forms.
These things help me a lot in stopping spam and decreasing server load, anyway I would like to go further in this a little bit. After reading forums and netfilter rules I tested this one:
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Assuming that a human being will not send email more often than every 60s and a virus will try to connect far more often than every 60s, the above code does this: the first rule sets iptables to track new connections to port 25 and the second rule drops any new connections over 4 within 60 seconds.
You can even increase the seconds to a higher value.
To tell you the truth, I applied this ruleset to port 22 because I was a victim of dictionary attacks on that port, and this helped me a lot.
Well, I would like to hear comments about what you think of it and even if you can make some kind of tuning to improve the ruleset.
Thank you
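To see what the two rules above actually do to a burst of connections, here is an added simulation of the `-m recent` sliding window (my own example, not from the post and not the kernel's code). It assumes the final chain order that `-I` produces, i.e. the `--update ... -j DROP` rule sits above the `--set` rule, and it uses constructed sample traffic.

```python
# Model of the xt_recent sliding window behind the posted rules.
# Assumption: chain order after two "-I" inserts is
#   1) --update --seconds 60 --hitcount 4 -j DROP
#   2) --set
SECONDS, HITCOUNT = 60, 4      # values from the posted rules
MAX_STAMPS = 20                # xt_recent default ip_pkt_list_tot

def filter_smtp(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """attempts: iterable of (time_in_seconds, source_ip) for NEW SYNs.
    Returns a list of (time, ip, verdict) in arrival order."""
    stamps = {}                # per-source-IP list of recent hit times
    verdicts = []
    for t, ip in attempts:
        hist = stamps.get(ip, [])
        # Rule 1: matches only when the address is already tracked and at
        # least HITCOUNT hits fall inside the window. --update then records
        # this packet as well, so a host that keeps hammering keeps its
        # block alive; it is only released after a full quiet window.
        recent = [s for s in hist if t - s <= seconds]
        if len(recent) >= hitcount:
            stamps[ip] = (hist + [t])[-MAX_STAMPS:]
            verdicts.append((t, ip, "DROP"))
            continue
        # Rule 2 (--set): no match above, so the address is added or
        # refreshed and the connection proceeds up the chain.
        stamps[ip] = (hist + [t])[-MAX_STAMPS:]
        verdicts.append((t, ip, "ACCEPT"))
    return verdicts

def verdicts_for(verdicts, ip):
    """Just the verdict column for one source address."""
    return [v for _, a, v in verdicts if a == ip]

# Constructed sample: a legitimate relay sends one message a minute, while a
# second host opens a new SMTP connection every 5 seconds for two minutes.
LEGIT = [(t, "192.0.2.10") for t in (0, 70, 140)]
BURST = [(t, "198.51.100.7") for t in range(0, 125, 5)]   # 25 attempts
SAMPLE = sorted(LEGIT + BURST)

if __name__ == "__main__":
    for t, ip, v in filter_smtp(SAMPLE):
        print(f"t={t:4d}s  {ip:15s}  {v}")
```

Running it shows the slow sender is never touched, the burst host gets four connections and is then dropped for as long as it keeps retrying, and the same host is let back in only once it has been quiet for the whole 60 s window.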