[Mimedefang] Somewhat OT: Dictionary attacks

David F. Skoll dfs at roaringpenguin.com
Wed Jun 9 10:59:47 EDT 2004


Hi,

Have MIMEDefang list denizens seen a huge increase in dictionary attacks?
I know I have.

Below is a shell script I run from cron every 5 minutes to firewall off
hosts doing harvesting.  It's Linux-specific, but can easily be
adapted for other systems.

Regards,

David.

#!/bin/sh
#
# $Id: watch-dictionary-attacks,v 1.2 2004/06/09 14:55:08 dfs Exp $
#
# Run this from cron every 5-10 minutes.
#
# Usage:  watch-dictionary-attacks /var/log/maillog
#
# Copyright 2004 Roaring Penguin Software Inc.
# This program may be distributed under the terms of the GNU
# General Public License, Version 2.
#
# This script bans hosts which appear to be doing dictionary
# attacks on the server.
#
# Before running this script, make sure you create the harvest_log
# chain, like this:
#
# iptables -N harvest_log
# iptables -A harvest_log -j LOG --log-prefix "FW: Harvest Abuser "
# iptables -A harvest_log -j DROP
#
# and the harvest_abusers chain that this script fills in:
#
# iptables -N harvest_abusers
#
# You also need an INPUT rule like this:
# iptables -A INPUT --proto tcp --dport 25 -j harvest_abusers

# Sample size - How many lines from log file to look at.  We look at
# the $SAMPLE most recent lines.
SAMPLE=30000

# Output firewall file
FWFILE=/root/harvest-abusers

# Backup firewall file
mv -f $FWFILE $FWFILE.ORIG > /dev/null 2>&1

cat <<EOF > $FWFILE
#!/bin/sh

/sbin/iptables -F harvest_abusers > /dev/null 2>&1
EOF

cat /dev/null > $FWFILE.NEW

for logfile in "$@" ; do

    # Block offenders (field 8 of the throttling log line is the client's
    # bracketed address, e.g. "[192.0.2.10]:")
    tail -n $SAMPLE "$logfile" | fgrep 'Possible SMTP RCPT flood, throttling.' | awk '{print $8}' | tr -d ':[]' | sort | uniq | while read host ; do
        # -w: match the whole address, so 10.1.1.1 does not match 10.1.1.10
        fgrep -w "$host" $FWFILE.ORIG > /dev/null 2>&1 || echo "`date`: Host $host marked as abusive (directory harvest) in $logfile"
        echo "/sbin/iptables -A harvest_abusers --source $host -j harvest_log" >> $FWFILE.NEW
        echo "" >> $FWFILE.NEW
    done
done

cat $FWFILE.NEW >> $FWFILE

. $FWFILE
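The same detection in Python, as an added example that is not part of David's post or of MIMEDefang: it anchors on the bracketed client address instead of a fixed awk field, counts throttling events per host so a threshold can be applied, compares against the previous ban list as whole addresses, and emits the same rule file the script builds. The log line format and the sample lines are assumptions.

```python
import re
from collections import Counter

# sendmail logs the client as "hostname [ip]:" right before the throttling
# message (an assumption matching the awk field the script uses), so anchor on
# the bracketed address instead of on a fixed whitespace-separated field.
FLOOD_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: Possible SMTP RCPT flood, throttling\.$"
)

def flood_hosts(lines, threshold=1):
    """Map client IP -> number of throttling events, keeping only hosts at or
    above `threshold` (the shell script effectively uses threshold=1)."""
    counts = Counter()
    for line in lines:
        m = FLOOD_RE.search(line.rstrip("\n"))
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def newly_banned(current, previous):
    """Hosts in `current` not already in `previous`, compared as whole
    addresses (fgrep on the old file would let 10.1.1.1 match 10.1.1.10)."""
    return sorted(set(current) - set(previous))

def iptables_rules(hosts, chain="harvest_abusers", target="harvest_log"):
    """Emit the same rule file the script builds: flush the chain, then one
    rule per host, sorted numerically so successive files diff cleanly."""
    rules = [f"/sbin/iptables -F {chain}"]
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        rules.append(f"/sbin/iptables -A {chain} --source {ip} -j {target}")
    return rules

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = [
    "Jun  9 10:51:02 mail sendmail[4111]: i59Ep2vc004111: mx.example.net [192.0.2.10]: Possible SMTP RCPT flood, throttling.",
    "Jun  9 10:51:03 mail sendmail[4112]: i59Ep3vc004112: from=<a@example.net>, size=1024, relay=mx.example.net [192.0.2.10]",
    "Jun  9 10:52:10 mail sendmail[4120]: i59Eq9vc004120: [198.51.100.7] [198.51.100.7]: Possible SMTP RCPT flood, throttling.",
    "Jun  9 10:53:41 mail sendmail[4133]: i59Erevc004133: mx.example.net [192.0.2.10]: Possible SMTP RCPT flood, throttling.",
    "Jun  9 10:54:05 mail sendmail[4138]: i59Es5vc004138: mx.example.net [192.0.2.10]: Possible SMTP RCPT flood, throttling.",
]

if __name__ == "__main__":
    hosts = flood_hosts(SAMPLE_LOG, threshold=2)
    print("\n".join(iptables_rules(hosts)))
```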
