On 01. 07. 2010 05:05, LuKreme wrote:
> On 30-Jun-2010, at 14:26, Danilo Godec wrote:
>
>   
>> Since we were a victim of a massive SMTP DOS (still in progress,
>> actually), I added these USERDEF_FAILED_ENTRY_REGEX's to stop it:
>>
>>     
>>> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|postfix.*\[\d+\]:) (?P<message>.*)
>>>
>>> # mail flood
>>> USERDEF_FAILED_ENTRY_REGEX=.*warning: Recipient address rate limit exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\] for service smtp
>>> USERDEF_FAILED_ENTRY_REGEX=.*warning: Connection rate limit exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\] for service smtp
>>> USERDEF_FAILED_ENTRY_REGEX=.*NOQUEUE: reject: RCPT from .*\[(?P<host>.*)\]: .*Relay access denied.*to=\<(?P<user>.*)\> .*
>>>       
>> It seems to work nicely - it blocked over 300 SMTP flooding hosts in
>> the last 10 minutes.
>>     
> Where did you add them, just in the .conf?

Yes, /etc/denyhosts.conf.

>  I think this would be shorter and replace the first two defs.
>
> USERDEF_FAILED_ENTRY_REGEX=.*rate limit exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\]
>   

It would, but I want to be able to switch one or the other on or off
separately.


> I've thought about doing something like this, but I am unsure about which 
> banlist rules apply, and my rules for ssh attempts are very harsh (since 
> pretty much no one should be logging in without a key exchange).
>
>   

I think legitimate mail will never arrive at my SMTP with a wrong
destination domain. I also think it's safe to expect that well-behaved
mail servers will never exceed the connection / recipient rate for
incoming mail as we don't have that many users here. So I guess being
harsh shouldn't hurt.

  Danilo
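
An offline check of the patterns quoted above against constructed Postfix log lines, added here as an example and not part of the original message. It assumes DenyHosts first applies SSHD_FORMAT_REGEX to extract `message` and then tries each USERDEF_FAILED_ENTRY_REGEX on it; `classify`, `SAMPLES` and the rule labels are hypothetical names.

```python
import re

# Patterns from the message, with the e-mail line wraps joined back together.
FORMAT_RE = re.compile(r".* (sshd.*:|\[sshd\]|postfix.*\[\d+\]:) (?P<message>.*)")
ENTRY_RES = {  # rule labels are hypothetical, used for reporting only
    "recipient_rate": re.compile(
        r".*warning: Recipient address rate limit exceeded: \d+ "
        r"from (?P<user>.*)\[(?P<host>.*)\] for service smtp"),
    "connection_rate": re.compile(
        r".*warning: Connection rate limit exceeded: \d+ "
        r"from (?P<user>.*)\[(?P<host>.*)\] for service smtp"),
    "relay_denied": re.compile(
        r".*NOQUEUE: reject: RCPT from .*\[(?P<host>.*)\]: "
        r".*Relay access denied.*to=\<(?P<user>.*)\> .*"),
}

def classify(line):
    """Return (rule, host, user) if the line would count as a failed entry."""
    fmt = FORMAT_RE.match(line)
    if not fmt:
        return None  # not an sshd or postfix line, ignored entirely
    for rule, rx in ENTRY_RES.items():
        m = rx.search(fmt.group("message"))
        if m:
            return rule, m.group("host"), m.group("user")
    return None  # postfix line, but not one of the flood signatures

# Constructed sample lines (documentation addresses), not real log data.
SAMPLES = [
    "Jul  1 05:00:01 mail postfix/smtpd[4242]: warning: Recipient address rate "
    "limit exceeded: 51 from unknown[192.0.2.10] for service smtp",
    "Jul  1 05:00:02 mail postfix/smtpd[4243]: warning: Connection rate limit "
    "exceeded: 31 from mx.example.net[198.51.100.7] for service smtp",
    "Jul  1 05:00:03 mail postfix/smtpd[4244]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 554 5.7.1 <bob@example.org>: Relay access denied; "
    "from=<a@example.com> to=<bob@example.org> proto=ESMTP helo=<spam>",
    "Jul  1 05:00:04 mail postfix/smtpd[4245]: connect from "
    "mail.example.com[192.0.2.99]",
    "Jul  1 05:00:05 mail dovecot: imap-login: Login: user=<bob>, rip=192.0.2.50",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line[:60])
```

Running the same check over a slice of the real mail log before enabling the rules shows which hosts would be banned and whether any expected sender is among them.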
