On 8/28/15 2:09 PM, Robert Schetterer wrote:
On 28.08.2015 at 20:03, Forrest wrote:
I've become used to the script kiddies sending out large connection
requests (I do have a threshold set).  They are able to get around it by
other connections.  For example, I had 857 connects of this:

Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[5.232.194.77]
Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 56 from unknown[5.232.194.77] for service smtp
Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4

While it may be time for an external tool like fail2ban, I'm wondering
if there are other measures I can take, that may break things (but I'm
the only one that uses this system), such as changing port numbers of
certain services.

I do block the IP spaces when I see this, which is a no-brainer.  But I
wonder how others are mitigating this activity.   Pointers, advice
welcomed (and thanks in advance).


_F


If you're the only user, postscreen and fail2ban should be fine.


Best Regards
MfG Robert Schetterer


There is potential this server will be used more widely, though.

The default connection rate limiting seems to work; however, the above mentioned log had a client connecting over 800 times, and I think that should never happen. I read through postscreen's README page online and I'm not clear about how postscreen can mitigate this. Do you have some pointers to pages that show examples of this?

Thanks.
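
Added example, not part of the original thread and not Postfix or fail2ban code: a small Python tally over smtpd log lines in the format quoted above, counting per-client connects and "Connection rate limit exceeded" warnings to list clients worth blocking. The sample log (including the 192.0.2.10 documentation address), the `max_hits` threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[5.232.194.77]
Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 56 from unknown[5.232.194.77] for service smtp
Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
Aug 28 11:57:36 mail postfix/smtpd[20544]: connect from unknown[5.232.194.77]
Aug 28 11:57:36 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 57 from unknown[5.232.194.77] for service smtp
Aug 28 11:58:02 mail postfix/smtpd[20551]: connect from mx.example.org[192.0.2.10]
Aug 28 11:58:03 mail postfix/smtpd[20551]: disconnect from mx.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# ": connect from" is anchored on the preceding "]: " so that
# "disconnect from" lines are not counted as connects.
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9A-Fa-f.:]+)\]")
RATE_HIT = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection rate limit exceeded: "
    r"(\d+) from \S*\[([0-9A-Fa-f.:]+)\] for service (\S+)"
)


def summarize(lines):
    """Return per-client connect counts, rate-limit hits and peak reported rate."""
    connects, hits, peak = Counter(), Counter(), {}
    for line in lines:
        m = RATE_HIT.search(line)
        if m:
            rate, ip = int(m.group(1)), m.group(2)
            hits[ip] += 1
            peak[ip] = max(peak.get(ip, 0), rate)
            continue
        m = CONNECT.search(line)
        if m:
            connects[m.group(1)] += 1
    return connects, hits, peak


def block_candidates(lines, max_hits=2):
    """Clients that tripped the rate limit at least max_hits times."""
    connects, hits, peak = summarize(lines)
    return sorted(
        (ip, connects[ip], n, peak[ip]) for ip, n in hits.items() if n >= max_hits
    )


if __name__ == "__main__":
    for ip, conns, n, rate in block_candidates(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {conns} connects, {n} rate-limit hits, peak rate {rate}")
```
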
