Ok here we go, as you may know ISPConfig 3 has Postfix (mail server) connected to MySQL to store virtual mail users. Which is fine... But as you may have some domain that is constantly getting spammed/sent mail from lots of IPs, you may hit the max. connection limit in MySQL rather quickly, since for each email Postfix makes a connection to MySQL... This makes your server useless, because all services depend on MySQL (that's where all the data is stored...) So I found a little script to prevent such MySQL bottlenecks from stupid spammers and it goes like this: What this script actually does is block every spammer that connects 8 times in the last 3 minutes to your server permanently through the iptables firewall. It keeps a log file of banned IPs. You may modify the script for timestamp logging for example, etc... I found this script useful, maybe you'll need it sooner or later too. Oh yeah, I almost forgot... run it in crontab on a 3 minute period, or whatever period you have in the script...
Ok.... I copied the content to the specified path from the file to smtp_flood.sh, ran it... and nothing.... Did I do something wrong?.... No log is being generated... Where can I find the log file?
Useful. Thanks. A question: can you automate the removal of entries from iptables? While it may be useful to block an IP temporarily, you could also inadvertently block a client that is having a busy day (or has a lot of bad data/email names). Or... another option... can Fail2Ban do this (does anyone know?)
Fixed version

Code:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=5 # change this to the maximum number of rejected attempts your server will authorize
cd /usr/local/sbin/smtp_flood/ || exit 1 # change this to the path where you install the script
touch blocked.smtp # list of already blocked IPs, created on first run
# first get the current hour of the log
tail -n 400 /var/log/maillog | grep -i "`date +"%b %e %H:"`" > minutelog
# now extract the rejected attempts, sort and count unique IPs
cat minutelog | grep "reject:" | cut -d" " -f11 | cut -d"[" -f2 | cut -d"]" -f 1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in the result
while read line
do
    MYCOUNT=`echo $line | cut -d" " -f1`
    MYIP=`echo $line | cut -d" " -f2`
    if [ $MYCOUNT -lt $LIMIT ] ; then
        echo $MYIP je ok: $MYCOUNT poskusov   # "is ok: N attempts"
    else
        # exact-line match (-x -F) so that e.g. 1.2.3.4 is not treated as already blocked because 1.2.3.40 is in the list
        ALREADY=`grep -xF "$MYIP" blocked.smtp | wc -l`
        if [ $ALREADY -eq "0" ] ; then
            echo blokiramo spemerja $MYIP z $MYCOUNT poskusi   # "blocking spammer IP with N attempts"
            $IPT -I INPUT -i eth0 --proto tcp -s $MYIP --destination-port 25 -j DROP
            echo $MYIP >> blocked.smtp
        else
            echo $MYIP ze blokiran   # "already blocked"
        fi
    fi
done < tmp1
# remove temp files
rm -f minutelog
rm -f tmp1

Here is the fixed version that even checks if an IP was already blocked (so you don't get double blocks in the firewall); also fixed problems with the different syntax of the date in the maillog file of Postfix. I run this one per few minutes in crontab. It works properly. Try it out and post bugs if you find any. Best regards, Alen Krmelj
As you may know... these IPs that are firewall blocked are ONLY REAL TIME BLOCKLIST rejected IPs... which means even if you remove them from the firewall they still won't be able to send email, because the RBL from Spamhaus or SpamCop or whatever RBL you use will still block them. That's the idea. It won't block just any IP... only RBL already rejected spammers that connect many times to the mail server and spam MySQL connections. This means this script is safe to use and can't block normal traffic. The real advantage of this script is that it blocks mailbomb attacks from many many IPs that are drones in a spamnet. No other script I've seen on the net can do this that efficiently. I believe fail2ban can be configured that way, but I'm not sure, since I don't use it on my servers. I just needed a solution for the mail server not to hog all the damn connections to MySQL while under attack.
He said: that means it doesn't matter where you put it, just call it by cron every X minutes, depending on your preferences.
No cronjobs in ISPConfig 3, but do crontab -e on your console and enter the cronjob after consulting the cron documentation.
You can set something similar up with fail2ban using the supplied postfix filter, assuming you are running fail2ban. In /etc/fail2ban/jail.conf add something like the following...

Code:
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny
         sendmail[name=Postfix, [email protected]]
logpath = /var/log/maillog
maxretry = 3
bantime = 900
findtime = 900

then restart fail2ban

Code:
service fail2ban restart

This will block access to all services on your server for 15 minutes to anyone who tries to send mail to 3 unknown recipients within a 15 minute period. Obviously you can tweak the settings to suit your own preferences. Don't forget to change the email address for notifications and maybe add known safe IPs to the

Code:
ignoreip = 127.0.0.1

value near the top of the file.
I've got a somewhat related problem: a customer is sending a huge newsletter and even though he is sending it in batches it still clogs down my server. Using mytop I can see when he is sending his newsletter that I have between 30-1500 qps :-( and it is always the dbispconfig DB that is accessed... How do other people handle the sending of huge newsletters? I am not sure what the problem is, should I increase the max connections? The server is not running out of RAM, it's just that when the sending is in progress, different random DB queries fail, so I guessed it's the max connection setting that I could up? The caches are effective, but well, the problem still persists...
Anyone still using this on Debian?? Mine somehow stopped working; running it by hand I get:

Code:
[root@xxxxx postfix-scripts]$ ./postfixblocks_hand.sh
blocking the spammer at from with 244 attempts
iptables v1.4.2: host/network `from' not found
Try `iptables -h' or 'iptables --help' for more information.

It seems the script is getting back a wrong value from the sed script lines in the posted scripts. Since I'm not an expert I can't get it to work and spent more than 5 hours searching for a solution. Any suggestions would be more than welcome.
Yes I did, it gives the same output error. Seems like the Postfix log lines or something have changed which causes the errors, but I can't figure out why. Do you have it working still?
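The script posted above pulls the client address out of each "reject:" line with a fixed cut field position (-f11), and the last two posts show what happens when the line layout does not match that position: the word "from" lands in the variable and is handed to iptables. The following is an added example, not Alen's script or anything from ISPConfig, that counts Postfix reject lines per client by matching the "from host[ip]" pattern itself, so the field index no longer matters, and that only prints the iptables rules it would add so you can review them first. The sample log lines are constructed for the example; the function names reject_counts, over_limit and plan_blocks and the block list path are assumptions chosen here.

```bash
#!/bin/bash
# Added example, not the script posted in this thread. Counts Postfix "reject:"
# lines per client IP by matching "from <host>[<ip>]" instead of a fixed cut field
# index, so different date padding ("Mar  5" vs "Mar 15") or extra tokens in the
# line cannot shift the field and hand something like "from" to iptables.

# Constructed sample maillog lines (not real traffic). Both date layouts on purpose;
# 203.0.113.5 is rejected three times, the other two clients once each.
SAMPLE_LOG='Mar  5 10:15:01 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<x>
Mar  5 10:15:02 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<x>
Mar 15 10:15:03 mail postfix/smtpd[12346]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<d@example.com> to=<b@example.org> proto=ESMTP helo=<x>
Mar 15 10:15:04 mail postfix/smtpd[12347]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 450 4.1.8 <e@nowhere.invalid>: Sender address rejected: Domain not found; from=<e@nowhere.invalid> to=<b@example.org> proto=ESMTP helo=<mx.example.net>
Mar 15 10:15:05 mail postfix/smtpd[12348]: connect from mx.example.net[198.51.100.7]
Mar 15 10:15:06 mail postfix/smtpd[12349]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 554 5.7.1 Service unavailable; Client host [203.0.113.50] blocked using zen.spamhaus.org; from=<f@example.com> to=<b@example.org> proto=ESMTP helo=<y>'

# reject_counts: read log lines on stdin, print "count ip" per rejected client,
# highest count first. Only "reject:" lines count; plain "connect from" does not.
reject_counts() {
  grep ' reject: ' \
    | grep -oE 'from [^[ ]*\[[0-9]+(\.[0-9]+){3}\]' \
    | sed -E 's/.*\[([0-9.]+)\]/\1/' \
    | sort | uniq -c \
    | sed -E 's/^[[:space:]]+//' \
    | sort -rn
}

# over_limit LIMIT: print only the IPs with at least LIMIT rejects (stdin = log).
over_limit() {
  reject_counts | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# plan_blocks LIMIT BLOCKLIST: for each offender not yet in BLOCKLIST, print the
# iptables rule and record the IP. Exact-line match (-x -F) so that 203.0.113.5
# in the list does not make 203.0.113.50 look already blocked. Nothing is executed;
# review the output and pipe it into sh yourself if it looks right.
plan_blocks() {
  local limit=$1 blocklist=$2 ip
  touch "$blocklist"
  over_limit "$limit" | while read -r ip; do
    if grep -qxF -- "$ip" "$blocklist"; then
      echo "# $ip already blocked" >&2
    else
      echo "/sbin/iptables -I INPUT -p tcp -s $ip --dport 25 -j DROP"
      echo "$ip" >> "$blocklist"
    fi
  done
}

# Stand-alone demo on the constructed sample with a temporary block list.
# Against a real log, feed the recent window the way the thread does, e.g.
#   tail -n 400 /var/log/maillog | plan_blocks 5 /var/lib/smtp_flood/blocked.smtp
printf '%s\n' "$SAMPLE_LOG" | plan_blocks 3 "$(mktemp)"
```

Run on the sample, the demo prints one rule, for 203.0.113.5; the two single-reject clients stay untouched, and a second run against the same block list prints nothing because the address is already recorded. Replacing the `--dport 25 -j DROP` rule with a time-limited mechanism (fail2ban's bantime, as suggested earlier in the thread) is the natural next step if you want the entries to expire on their own.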