On 2/26/20 9:12 AM, Wietse Venema wrote:
> micah anderson:
>> Matus UHLAR - fantomas <uh...@fantomas.sk> writes:
>>> welcome to the internet. Can be misconfigured client, spamware somewhere,
>>> scan, whatever. Firewalling those automatically is the only way to limit
>>> those messages.
>> I'm curious what kind of firewalling rules that people have come
>> up with to limit these. Are you just doing a fail2ban type reaction,
>> or have some particular state you are denying? I'd be happy to see
>> some iptables or even pf examples.
> Why bother? Storage is cheap, and repeated logging compresses
> very well. So it is only a problem if you keep uncompressed logs
> forever.

I firewall things like this to prevent that IP address from mounting other types of attacks, including non-SMTP attacks. It's not the storage, it's protection.

For that reason, any time I automatically firewall an IP for something I read in the logs,
I just block the IP on all TCP and UDP ports. I don't try to be selective.

However, I do NOT firewall in this particular case. There were three messages reported: a connect, a disconnect, and a warning. I don't see sufficient info in these three messages
to warrant labeling the IP address as malicious.

I'm curious to hear about others' experiences. I know I block a lot of attacks (100,000+ daily ssh probes) on my small servers, though mostly from detecting http(s) and
auth anomalies, not SMTP.

John
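As an added illustration (not code from anyone in this thread), here is a fail2ban-style log reaction of the kind micah asked about: it counts Postfix smtpd events per client IP from constructed sample log lines, blocks only on repeated SASL authentication failures rather than on a bare connect/warning/disconnect triple, and emits whole-host iptables DROP rules as strings instead of executing them. The threshold of 3, the log lines and the RFC 5737 addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix smtpd log lines (RFC 5737 test addresses), not from the thread.
SAMPLE_LOG = """\
Feb 26 09:10:01 mx postfix/smtpd[1234]: connect from unknown[203.0.113.10]
Feb 26 09:10:01 mx postfix/smtpd[1234]: warning: 203.0.113.10: hostname mail.example.invalid verification failed: Name or service not known
Feb 26 09:10:02 mx postfix/smtpd[1234]: disconnect from unknown[203.0.113.10] commands=0/0
Feb 26 09:11:00 mx postfix/smtpd[1240]: connect from unknown[198.51.100.7]
Feb 26 09:11:01 mx postfix/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 26 09:11:02 mx postfix/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 26 09:11:03 mx postfix/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 26 09:11:04 mx postfix/smtpd[1240]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 quit=1 commands=2/5
"""

SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (.*)")  # captures the message after the pid
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")      # first IPv4 in the message is the client

def classify(line):
    """Return (client_ip, event_kind) for a postfix/smtpd line, else None."""
    m = SMTPD.search(line)
    ip = IPV4.search(m.group(1)) if m else None
    if not ip:
        return None
    msg = m.group(1)
    kind = ("auth_fail" if "authentication failed" in msg        # the only event acted on
            else "disconnect" if msg.startswith("disconnect from")
            else "connect" if msg.startswith("connect from")
            else "warning" if msg.startswith("warning:") else None)
    return (ip.group(0), kind) if kind else None

def count_events(log_text):
    """Per-client counters of event kinds."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    return counts

def ips_to_block(counts, auth_fail_threshold=3):
    """Block only on repeated auth failures; a lone connect/warning/disconnect is not enough."""
    return sorted(ip for ip, c in counts.items() if c["auth_fail"] >= auth_fail_threshold)

def iptables_rules(ips):
    """Whole-host DROP (all TCP/UDP ports) as in the post above; returned as strings, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_rules(ips_to_block(count_events(SAMPLE_LOG)))))
```

With the sample input only 198.51.100.7 is blocked; 203.0.113.10, which produced exactly the connect/warning/disconnect triple discussed above, is left alone.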
