Re: [exim] DOS attack. What to do? (David Saez Padros)

Author: Richard Pitt
Date:  
To: exim-users
Subject: Re: [exim] DOS attack. What to do? (David Saez Padros)
I run a number of machines and have found a little PERL script to be excellent for this sort of thing.

from the log-guardian.pl script:
"This script lets you monitor one or more log files in an endless loop,
I<a la> C<tail -f>. As lines are added to the files, they are compared
to one or more patterns specified as Perl regular expressions. And as
matches are found, the script reacts by running a block of Perl code.
Thus, for example, you could use B<log-guardian> to monitor web logs for
problematic behaviour and add troublesome hosts to a blocklist
dynamically. You could even use it as a port knocking server"

http://www.tifaware.com/perl/log-guardian/

I have it set to monitor rejectlog for both RBL failures and MX-points-to-localhost, which is a sure sign that the recipient is not one of yours.

3 strikes and they're out - blocked by iptables

I release the iptables list every 4-12 hours depending on how busy the machine is or how fast its cpu is. I've seen 10,000 plus addresses in the block list which on one of my slower machines pretty much brings it to a stop - that was after about 5 hours of non-stop hammering by the droids.

I accumulate a list of the blocked IP addresses and have modified the script to ignore ones in my allow-list just in case.

If people are interested I'll make a couple of versions available - there are subtle differences for older (RH-9 and FC-1) and newer (FC-4/5) operating systems.

I also use it to monitor proftpd for failed logins. Been getting lots of them lately too.

richard

-- 
-
Richard C. Pitt                 Pacific Data Capture
rcpitt@???               604-644-9265
http://richard.pacdat.net       www.pacdat.net
PGP Fingerprint: FCEF 167D 151B 64C4 3333  57F0 4F18 AF98 9F59 DD73
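The workflow Richard describes (follow rejectlog tail -f style, match rejection lines with regexes, three strikes per source IP, block with iptables, skip an allow-list, release the blocks hours later) as a small Python example added here for illustration; it is not log-guardian.pl and not Richard's modified script. The rejectlog wording the regexes match, the sample log lines, the allow-list network and the timings are all constructed assumptions, so adjust the patterns to what your own Exim actually writes before using the tail loop in `main`.

```python
import re
import time
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Regexes modelled on exim rejectlog lines; the exact message wording is an
# assumption and must be checked against your own rejectlog.
IP_RE = r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
PATTERNS = {
    "rbl": re.compile(IP_RE + r".*rejected RCPT.*is in a black list at"),
    "mx-localhost": re.compile(IP_RE + r".*rejected RCPT.*MX points to localhost"),  # hypothetical wording
}


class StrikeTracker:
    """Count matching rejections per source IP; block after `strikes`,
    release again after `release_after` seconds (Richard's 4-12 hours)."""

    def __init__(self, strikes=3, release_after=4 * 3600, allow_list=()):
        self.strikes = strikes
        self.release_after = release_after
        self.allow_list = [ip_network(n) for n in allow_list]
        self.counts = defaultdict(int)
        self.blocked = {}  # ip -> time it was blocked

    def is_allowed(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow_list)

    def feed(self, line, now=None):
        """Process one log line; return the IP newly blocked by it, or None."""
        now = time.time() if now is None else now
        for rule in PATTERNS.values():
            m = rule.search(line)
            if m:
                break
        else:
            return None  # no rejection pattern matched this line
        ip = m.group("ip")
        if self.is_allowed(ip) or ip in self.blocked:
            return None  # allow-listed, or already in the block list
        self.counts[ip] += 1
        if self.counts[ip] >= self.strikes:
            self.blocked[ip] = now
            return ip
        return None

    def release_expired(self, now=None):
        """Drop blocks older than release_after; return the released IPs."""
        now = time.time() if now is None else now
        expired = [ip for ip, t in self.blocked.items() if now - t >= self.release_after]
        for ip in expired:
            del self.blocked[ip]
            self.counts.pop(ip, None)
        return expired


def iptables_cmd(ip, add=True):
    """Build the iptables argv that inserts (add=True) or deletes a DROP rule for ip."""
    return ["iptables", "-I" if add else "-D", "INPUT", "-s", ip, "-j", "DROP"]


def follow(path, poll=1.0):
    """Yield lines appended to path, tail -f style, starting at the current end."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


# Constructed sample rejectlog lines (not real traffic, not real Exim output).
SAMPLE_LINES = [
    "2006-05-10 12:00:01 H=(x) [198.51.100.7] F=<a@b.test> rejected RCPT <u@example.test>: is in a black list at rbl.example",
    "2006-05-10 12:00:02 H=(x) [198.51.100.7] F=<a@b.test> rejected RCPT <v@example.test>: is in a black list at rbl.example",
    "2006-05-10 12:00:03 H=(y) [10.1.2.3] F=<c@d.test> rejected RCPT <w@example.test>: MX points to localhost",
    "2006-05-10 12:00:04 H=(x) [198.51.100.7] F=<a@b.test> rejected RCPT <z@example.test>: MX points to localhost",
    "2006-05-10 12:00:05 H=(z) [203.0.113.9] F=<e@f.test> accepted",  # matches no rule
]


def run_sample(release_after=4 * 3600):
    """Replay SAMPLE_LINES offline; return (IPs blocked, IPs released 5 hours later)."""
    tracker = StrikeTracker(strikes=3, release_after=release_after, allow_list=["10.0.0.0/8"])
    t0 = 1000.0
    blocked = []
    for i, line in enumerate(SAMPLE_LINES):
        ip = tracker.feed(line, now=t0 + i)
        if ip:
            blocked.append(ip)
    released = tracker.release_expired(now=t0 + 5 * 3600)
    return blocked, released


if __name__ == "__main__":
    import subprocess
    import sys
    tracker = StrikeTracker(allow_list=["10.0.0.0/8"])
    for line in follow(sys.argv[1] if len(sys.argv) > 1 else "/var/log/exim/rejectlog"):
        ip = tracker.feed(line)
        if ip:
            subprocess.run(iptables_cmd(ip), check=False)
        for old in tracker.release_expired():
            subprocess.run(iptables_cmd(old, add=False), check=False)
```

In the replayed sample, 198.51.100.7 is blocked on its third rejection, 10.1.2.3 is never counted because it sits inside the allow-listed 10.0.0.0/8, and the block expires once the 4-hour release window has passed. Checking `ip in self.blocked` before counting keeps an already-blocked host from being re-inserted into iptables on every further rejection, which matters when the block list runs to thousands of entries as Richard describes.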