On Sun, 18 Apr 2021 21:29:26 +1200
Nick Tait <n...@tait.net.nz> wrote:

> On 18/04/21 7:32 pm, li...@lazygranch.com wrote:
> > And so it goes. I suppose if this really bugs me I can block the
> > server in firewalld. I've yet to see it actually deliver mail. Or
> > complain to the data center.
> > https://serveroffer.lt
> 
> Firewalling is definitely the best solution to the problem you're 
> having, because it will keep your mail logs clear of this sort of
> noise. It can feel a bit like whack-a-mole though, and there are
> tools around that help with this (although I don't personally have
> experience with them), such as fail2ban?
> 
> Even if you choose to manage the firewall rules manually, I'd suggest 
> you devise some sort of regime where the rules you add aren't
> permanent. E.g. I set a timestamp in the comment when I create the
> rule, and then after 6 months if there is no current activity from
> that IP address I delete the rule again. There are several reasons
> for doing this:
> 
>  1. It stops the number of firewall rules growing indefinitely. (Each
>     rule has a cost in terms of processing.)
>  2. If the IP address gets reassigned to a legitimate user, you aren't
>     penalising them indefinitely for someone else's misbehaviour.
> 
> Nick.
> 
> P.S. Although it isn't suitable for use on your submission port (465
> / 587), in case you aren't aware of it already, check out postscreen: 
> http://www.postfix.org/POSTSCREEN_README.html
> 

I need to learn postscreen eventually for other spammers.

The thing with fail2ban or the similar sshguard is I have a huge block
list for the webserver. It has been my experience that these dynamic
blockers that just add a few IPs every few minutes have a huge CPU load
because the OS creates what I assume is a very efficient database of IP
space to block. Creating this database sends my CPU load to 100% and
brings the virtual private server (one CPU) to a halt. Firewalld once
it has this database set up is very efficient regarding CPU. It does
use a fair amount of memory which isn't unexpected given the size of my
IP space I block.

I reviewed the "rich rules" (a firewalld thing) and noted I have a few
IPs on permanent block that I can't remember why, so definitely setting
up a reminder scheme is needed.

I find it pretty offensive that Spectrum/Charter has me on 100%
blocking due to the VPS, so I don't take blocking an IP address
lightly. Their customers aren't pleased with the blocking either.
Spectrum/Charter is alone with this brick wall nonsense. The closest
another company comes to this is AT&T where you need to request to be
whitelisted. It takes a week but they do get around to it.
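
The expiry regime suggested in the quoted reply, sketched for firewalld rich rules as an added example that is not part of either message. The sidecar ledger format, the 30-day quiet window, the `drop` rule form and the sample entries are assumptions; the last-seen dates are assumed to be maintained by the administrator from firewall logs.

```python
import ipaddress
from datetime import date, timedelta

# Constructed ledger standing in for the timestamped rule comment:
# address, date added, date last seen, reason.
# Addresses come from the RFC 5737 documentation ranges.
LEDGER = """\
192.0.2.10      2020-09-01  2020-09-03  smtp auth probes
198.51.100.7    2020-08-15  2021-04-10  smtp auth probes
203.0.113.0/24  2021-03-01  2021-03-02  webserver scanner
"""

MAX_AGE = timedelta(days=183)  # "6 months" from the thread, approximated in days
QUIET = timedelta(days=30)     # assumed meaning of "no current activity"

def parse_ledger(text):
    """Return one dict per block; raises ValueError on a malformed line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, added, seen, *reason = line.split(None, 3)
        net = ipaddress.ip_network(addr, strict=False)  # validates the address
        entries.append({"addr": addr, "family": f"ipv{net.version}",
                        "added": date.fromisoformat(added),
                        "last_seen": date.fromisoformat(seen),
                        "reason": reason[0] if reason else ""})
    return entries

def expired(entries, today):
    """Blocks old enough to review whose address has also gone quiet."""
    return [e for e in entries
            if today - e["added"] >= MAX_AGE and today - e["last_seen"] >= QUIET]

def removal_commands(entries):
    """firewall-cmd lines to run by hand; assumes each block was added as a
    permanent rich rule of exactly this form (removal must match the rule text)."""
    cmds = []
    for e in entries:
        rule = f'rule family="{e["family"]}" source address="{e["addr"]}" drop'
        cmds.append(f"firewall-cmd --permanent --remove-rich-rule='{rule}'")
    return cmds

if __name__ == "__main__":
    today = date(2021, 4, 18)  # date of the message above, fixed for stable output
    for cmd in removal_commands(expired(parse_ledger(LEDGER), today)):
        print(cmd)
    print("firewall-cmd --reload")
```

Printing the commands instead of running them leaves a review step before any block is lifted, and the reason column answers the "can't remember why" problem for the entries that stay.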
