On 6/14/12 11:33 PM, Gustavo Lacoste wrote:
Dear CentOS Community
It is totally clear there's no support for the sendmail platform today, but I need to stop an SMTP brute-force attack on sendmail. My server is being attacked today; my maillog looks like:
4624@myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958, class=0, nrcpts=1, msgid=201206142307.q5EN710u024623@myserver.com, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
Jun 14 19:07:23 at6412 sendmail[24868]: q5EN7M6D024868: from=< qmarket@qmarket.cl>, size=2193, class=0, nrcpts=2, msgid=< 20120614231448.1E99A13EE5F@smtp02qmarket.qmarket.cl>, proto=ESMTP, daemon=MTA, relay=[200.1.174.121]
Jun 14 19:07:24 at6412 sendmail[24961]: q5EN7OT4024961: from=< nobody@2012.123icq.cl>, size=4716, class=0, nrcpts=1, msgid=< E1SfJ8H-0005kv-JE@2012.123icq.cl>, proto=ESMTP, daemon=MTA, relay= pc1.globalmac.cl [200.29.231.61] (may be forged)
Jun 14 19:07:33 at6412 sendmail[25013]: q5EN7SqK025013: from=< a.pfsvtij@yahoo.com>, size=760, class=0, nrcpts=1, msgid=< 1531549-634033-36@owfzdl.net>, proto=SMTP, daemon=MTA, relay= h095159149119.ys.dsl.sakhalin.ru [95.159.149.119]
Jun 14 19:07:37 at6412 sendmail[25065]: q5EN7bCj025065: from=< en.viaimport@gmail.com>, size=4531, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=186-105-73-29.baf.movistar.cl [186.105.73.29]
I need help to STOP these spammers right now.
Thanks in advance to anyone who can guide me
With Kind Regards,
Gustavo A. Lacoste Z.
Curacautín - Chile
Skype: knxroot
Msn & Gtalk: knx.root [at] gmail.com
Home page: http://www.lacosox.org
Hi,
There are a few solutions available to do this.
1.) Install & configure fail2ban
2.) Using IP Tables: I don't know if it is applicable to you
# Fix in Place to Kick a User For 1 Minute After Three Errors in The SMTP Session
# And Limit The Number of Connections Someone Could Make With a Simple IP Tables Rule
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
I trust this helps. There is another solution, but you do not use Postfix.
# How many simultaneous connections any client is allowed to make to this service.
smtpd_client_connection_count_limit = 3
# The maximal number of connection attempts any client is allowed to make to this service per time unit.
smtpd_client_connection_rate_limit = 10
# The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or
# not Postfix actually accepts those messages.
smtpd_client_message_rate_limit = 20
# The maximal number of recipient addresses that any client is allowed to send to this service per time unit, regardless of whether or not
# Postfix actually accepts those recipients.
smtpd_client_recipient_rate_limit = 500
# Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions.
smtpd_client_event_limit_exceptions = $mynetworks
Thanks
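
An added example, not part of either message in this thread: a Python script that reads sendmail maillog entries in the format quoted above and reports relay IPs whose message count inside a time window exceeds a threshold, the same kind of per-client limit the iptables rule and fail2ban apply. The names `parse` and `find_offenders`, the sample log lines and the default year are assumptions; only IPv4 relays are handled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the maillog format quoted above (documentation IPs).
SAMPLE_LOG = """\
Jun 14 19:07:00 mx sendmail[101]: q5EN70aa000101: from=<a@example.org>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=h1.example.org [203.0.113.5]
Jun 14 19:07:01 mx sendmail[102]: q5EN71aa000102: from=<>, size=3958, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Jun 14 19:07:05 mx sendmail[103]: q5EN75aa000103: from=<b@example.net>, size=760, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=dsl.example.net [192.0.2.10]
Jun 14 19:07:10 mx sendmail[104]: q5EN7Aaa000104: from=<c@example.net>, size=761, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=dsl.example.net [192.0.2.10]
Jun 14 19:07:20 mx sendmail[105]: q5EN7Kaa000105: from=<d@example.net>, size=762, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=dsl.example.net [192.0.2.10]
Jun 14 19:07:23 mx sendmail[106]: q5EN7Naa000106: from=<e@example.com>, size=2193, class=0, nrcpts=2, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jun 14 19:07:30 mx sendmail[107]: q5EN7Uaa000107: from=<a@example.org>, size=901, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=h1.example.org [203.0.113.5] (may be forged)
Jun 14 19:07:40 mx sendmail[108]: q5EN7eaa000108: from=<f@example.net>, size=763, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dsl.example.net [192.0.2.10]
Jun 14 19:08:10 mx sendmail[109]: q5EN8Aaa000109: from=<a@example.org>, size=902, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=h1.example.org [203.0.113.5]
"""

# Timestamp and bracketed IPv4 relay address of a sendmail "from=" entry.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                     r"\w+: from=.*relay=[^\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")

def parse(line, year=2012):
    """Return (datetime, relay_ip) or None. Syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_offenders(lines, window=60, hitcount=3, exempt=("127.0.0.1",)):
    """Map relay IP -> peak messages seen inside any `window` seconds,
    keeping only IPs whose peak exceeds `hitcount`. Lines must be in time order."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] in exempt:
            continue
        when, ip = rec
        q = recent[ip]
        q.append(when)
        while when - q[0] > timedelta(seconds=window):  # expire old hits
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > hitcount}

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} messages within 60s")
```

Run against a real log with `find_offenders(open("/var/log/maillog"))`; the `exempt` tuple plays the role that `$mynetworks` plays in the Postfix settings above.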