The Community Forums

Interact with an entire community of cPanel & WHM users!

I'm testing this IPTABLES ruleset to avoid spamming with success! Let's discuss it!

Discussion in 'General Discussion' started by bsasninja, Aug 8, 2006.

  1. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    Tired of the spam flooding this month, I applied several rules to the mail server, such as:

    - Chirpy's Exim dictionary attack ACL
    - RBL
    - Limiting the recipient numbers per e-mail
    - Modsecurity to prevent Bcc injection in php forms.

    These things help me a lot in stopping spam and decreasing server load; anyway, I would like to go a little further with this. After reading forums and netfilter rules, I tested this one:

    iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP


    Assuming that a human being will not send email more often than every 60s and a virus will try to connect far more often than every 60s, the above code does this: the first rule sets iptables to track new connections to port 25, and the second rule drops any new connections over 4 for 60 seconds.
    You can even increase the seconds to a higher value.

    To tell you the truth, I applied this ruleset to port 22 because I was the victim of dictionary attacks on that port, and this helped me a lot.

    Well, I would like to hear comments about what you think of it, and even whether you can make some kind of tuning to improve the ruleset.

    Thank you
     
    #1 bsasninja, Aug 8, 2006
    Last edited: Aug 8, 2006
  2. rikgarner

    rikgarner Well-Known Member

    Joined:
    Mar 31, 2006
    Messages:
    75
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    /dev/null
    I can see a possible problem with this...

    If this is per-host, and your server is receiving a reasonable volume of emails (say you have a dozen or so semi-busy domains), then you could find that these rules start blocking the MTAs of popular mail services (messagelabs would be in our blocked list if we implemented this).

    You may find that you need to create quite a few exclusions to this rule, if implemented. Naturally this is scenario-dependent though :)

    Rich
     
  3. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    Actually this rule blocks the IP if it makes more than 4 connections: it drops the connection.
    For example, if the source IP of messagelabs sends more than 4 e-mails at the same time, I will drop the connection for a minute.

    You can avoid this by whitelisting the source IP in iptables, or you can increase the hitcount even more than 4.

    I'm waiting for Chirpy's comment about this.

    Thank you.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    A couple of issues:

    1. Just DROPping the connection isn't a very nice thing to do from a protocol POV. If it's a legitimate connection, for example if anyone is sending to more than 4 people on the server and uses 4 separate connections, it's easily going to trip this and the email will be lost for good.

    2. It's probably better to do this within exim using the smtp command settings and simply limit the number of incoming smtp connections allowed:
    http://www.exim.org/exim-html-4.50/doc/html/spec_14.html#SECT14.17
     
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    What happens when someone from a small office location, all on the same public Internet IP, all decide to check their mail? All of a sudden you have 10 office users checking their mail from the same IP and sending out at the same time, so the office IP gets dropped. Do you have any customers like this?

    EDIT: I can see this rule being more useful for SSH since I don't give out access to anyone.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's a good point. There are also dial-up clients that send all their email in one go. It is a nice idea, I just think in practical terms it may not be of benefit to everyone.
     
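Pulling the thread together, here is an added example (not bsasninja's script, and not anything from cPanel or Exim) of the same `-m recent` technique from the first post with the three changes the replies ask for: a whitelist so a bulk sender's relays or a NAT'd office IP are never rate limited (rikgarner, bsasninja, ramprage), a dedicated chain so the check and the `--set` stay in the right order, and `REJECT --reject-with tcp-reset` instead of `DROP` so a legitimate sender that trips the limit fails fast and retries rather than hanging (chirpy's first point). The interface, window, hit count and whitelist addresses are assumptions; the whitelist uses documentation-range addresses as constructed placeholders. By default the script only prints the commands, so you can review the ordering before applying anything.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) an SMTP connection
# rate-limit ruleset built on iptables' recent module.

IFACE="${IFACE:-eth0}"              # assumption: public interface
WINDOW="${WINDOW:-60}"              # seconds, as in the original rules
HITS="${HITS:-4}"                   # new connections allowed per window
# Constructed placeholder whitelist (RFC 5737 documentation ranges) standing
# in for the relay IPs of a mail service or a customer's office NAT address.
WHITELIST="${WHITELIST:-192.0.2.10 198.51.100.0/24}"

# Print the ruleset; returns it on stdout so it can be reviewed or piped to sh.
smtp_ratelimit_rules() {
    # A dedicated chain keeps the per-source logic out of the INPUT ordering.
    echo "iptables -N SMTP_RATELIMIT"
    # Whitelisted sources leave the chain before any counting happens.
    for src in $WHITELIST; do
        echo "iptables -A SMTP_RATELIMIT -s $src -j RETURN"
    done
    # The hitcount check must come before --set. The kernel counts the
    # earlier hits recorded in the window, so with HITS=4 the fifth new
    # connection inside the window is the first one rejected, and --update
    # keeps extending the block while the source keeps hammering.
    echo "iptables -A SMTP_RATELIMIT -m recent --name SMTP --update --seconds $WINDOW --hitcount $HITS -j REJECT --reject-with tcp-reset"
    echo "iptables -A SMTP_RATELIMIT -m recent --name SMTP --set"
    # Only brand-new TCP connections to port 25 are sent through the chain.
    echo "iptables -I INPUT -p tcp --dport 25 -i $IFACE -m state --state NEW -j SMTP_RATELIMIT"
}

# Dry run by default; pass --apply (as root) to actually load the rules.
if [ "${1:-}" = "--apply" ]; then
    smtp_ratelimit_rules | sh
else
    smtp_ratelimit_rules
fi
```

Run it with no arguments to see the six commands in order; `WHITELIST="203.0.113.5" sh ratelimit.sh` overrides the placeholder list. If you would rather follow chirpy's second point and do this in the MTA, Exim's `smtp_accept_max_per_host` main configuration option limits concurrent connections per source host and, being an expanded string, can exempt known relays without touching the firewall.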