Re: Flood blocking
On Sat, 2009-06-06 at 17:32 -0600, Ashley M. Kirchner wrote:
> And even if it's a temporary block, say lasting 5 minutes, that shouldn't
> adversely affect mailing lists, I don't think.

That depends on the list. Some will automatically suspend you for one or two
failures.

-- 
[...@localhost ~]$ uname -r
2.6.27.24-78.2.53.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: Flood blocking
Tim wrote:
> On Sat, 2009-06-06 at 17:32 -0600, Ashley M. Kirchner wrote:
>> And even if it's a temporary block, say lasting 5 minutes, that shouldn't
>> adversely affect mailing lists, I don't think.
>
> That depends on the list. Some will automatically suspend you for one or two
> failures.

I don't see a problem since the type of block being proposed would not result
in an SMTP 5XX permanent error. It would simply result in a requeue of the
email on the sending side in much the same way as the server being down on the
receiving side or a network error between the servers.

-- 
If there is no wind, row. -- Polish proverb
mei-mei.gres...@greshko.com
http://tw.youtube.com/watch?v=cCSz_koUhSg
Re: Flood blocking
Ed Greshko ed.gres...@greshko.com writes:
> I don't see a problem since the type of block being proposed would not result
> in an SMTP 5XX permanent error. It would simply result in a requeue of the
> email on the sending side in much the same way as the server being down on
> the receiving side or a network error between the servers.

I think you have to decide if such a thing is a good idea by asking yourself
what would happen if a larger percentage of the recipients did this. And if
the mailing list were large, the server would be asked to do quite a bit more
work. Normally mail gets delivered and is out of the queue in a matter of
seconds. Some user with a losing SMTP server such as this is asking the
upstream to do extra work. Some might agree, others might not.

-wolfgang
-- 
Wolfgang S. Rupprecht
Android 1.5 (Cupcake) and Fedora-11
Re: Flood blocking
On Sun, Jun 07, 2009 at 07:15:58 -0700, Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200...@gmail.com wrote:
> I think you have to decide if such a thing is a good idea by asking yourself
> what would happen if a larger percentage of the recipients did this. And if
> the mailing list were large, the server would be asked to do quite a bit more
> work. Normally mail gets delivered and is out of the queue in a matter of
> seconds. Some user with a losing SMTP server such as this is asking the
> upstream to do extra work. Some might agree, others might not.

What is supposed to happen when doing grey-list-like things is that you
white list known good sources so that they don't have to do extra work all of
the time. Some grey list systems will automatically white list good
IP/envelope-from pairs so that you don't have to do a lot of manual work to
make this happen.
Re: Flood blocking
Tim:
> That depends on the list. Some will automatically suspend you for one or two
> failures.

Ed Greshko:
> I don't see a problem since the type of block being proposed would not result
> in an SMTP 5XX permanent error. It would simply result in a requeue of the
> email on the sending side in much the same way as the server being down on
> the receiving side or a network error between the servers.

You'd expect that, but it's not how some servers work. One bounce, and you're
instantly suspended. Keep doing it, and you'll get blacklisted. Sometimes
automatically, sometimes by a list admin who's tired of dealing with MASSES of
bounces.

-- 
[...@localhost ~]$ uname -r
2.6.27.24-78.2.53.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
Re: Flood blocking
Ashley M. Kirchner wrote:
> I currently have one system I'm testing the following rules on:
>
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
>
> And just by watching it for the past few days, those rules seem to work
> pretty well. So, it made me wonder, can I apply the same rules for FTP and
> e-mail (with the correct port information of course.)
>
> I get *a lot* of failed FTP attempts. Especially when the sun comes up in
> Asia. And then there's the e-mail spam that also doesn't stop. So, can I
> take those same set of rules above, replace the port number and name, and
> have them work for FTP and e-mail as well? Am I overlooking something really
> obvious?

Hi Ashley,

I had somebody pounding at a pop server so I applied a similar set of rules,
different seconds and hitcount. Eventually the miscreant(s) got bored and went
away. I'd have to say yes.

hth,
:m)
Re: Flood blocking
On Fri, Jun 05, 2009 at 22:29:32 -0600, Ashley M. Kirchner ash...@pcraft.com wrote:
> I currently have one system I'm testing the following rules on:
>
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
>
> And just by watching it for the past few days, those rules seem to work
> pretty well. So, it made me wonder, can I apply the same rules for FTP and
> e-mail (with the correct port information of course.)

I don't think it will work well for email. (I think list servers and other
servers that send you a lot of email will tend to get blocked.) Besides, if
your purpose is to stop password guessing attacks, there isn't much point in
blocking email that way. If you want to try to use it to help mitigate spam,
you'd probably be better off using grey listing to do this kind of thing.

> I get *a lot* of failed FTP attempts. Especially when the sun comes up in
> Asia. And then there's the e-mail spam that also doesn't stop. So, can I
> take those same set of rules above, replace the port number and name, and
> have them work for FTP and e-mail as well?

Do you run an authenticated ftp server? If you just use ssh based file
transfers and/or anonymous ftp, then there probably isn't much point to doing
this.
Re: Flood blocking
On Fri, 2009-06-05 at 22:29 -0600, Ashley M. Kirchner wrote:
> I currently have one system I'm testing the following rules on:
>
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
>
> And just by watching it for the past few days, those rules seem to work
> pretty well. So, it made me wonder, can I apply the same rules for FTP and
> e-mail (with the correct port information of course.)
>
> I get *a lot* of failed FTP attempts. Especially when the sun comes up in
> Asia. And then there's the e-mail spam that also doesn't stop. So, can I
> take those same set of rules above, replace the port number and name, and
> have them work for FTP and e-mail as well? Am I overlooking something really
> obvious?

I downloaded and use fail2ban for email, ftp, ssh and others; it works fairly
well and is customizable, using your /var/log/secure and /var/log/maillog as
well as the ftp log to automatically ban people with iptables. If you do get
it, you can ban them in seconds, but if you use -1 it will permanently ban
them.

Thanks,
Kevin
Re: Flood blocking
Bruno Wolff III wrote:
> That depends on what mailing lists you are on. Some can send a lot of email.
> I don't think you are going to find much antispam success trying to block
> this way.

The few lists we're subscribed to, I don't see this happening. Even with
Fedora's list, I don't see a lot of hits in a short amount of time. I *think*
it'll be fine, but then again I won't know till something gets implemented.
And even if it's a temporary block, say lasting 5 minutes, that shouldn't
adversely affect mailing lists, I don't think.

> Spammers are going to send stuff to your box from lots of IP addresses. If
> you try to block these with iptables it could potentially have negative
> effects on your machine's ability to process packets because of the large
> number of rules.

True, however again, keep in mind that these are temporary blocks, not
permanent. 5 minutes at the most. Usually that's enough to cause the spammer
to go look for another target.

> If you are running an authenticated ftp server, then it's reasonable to do
> this.

Yup, I do. And right now the machines get affected more by the flood of
attacks than the actual iptables blocking. I'd rather remove all the permanent
blocks from iptables, and setup a temporary thing. Hit me 3 times in 10
seconds, you're blocked for 5 minutes type of thing.
Flood blocking
I currently have one system I'm testing the following rules on:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP

And just by watching it for the past few days, those rules seem to work pretty
well. So, it made me wonder, can I apply the same rules for FTP and e-mail
(with the correct port information of course.)

I get *a lot* of failed FTP attempts. Especially when the sun comes up in
Asia. And then there's the e-mail spam that also doesn't stop. So, can I take
those same set of rules above, replace the port number and name, and have them
work for FTP and e-mail as well? Am I overlooking something really obvious?
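An added example, not part of the thread: a small model of the xt_recent `--set` / `--update --seconds --hitcount` logic these SSHSCAN rules rely on, replayed against constructed traffic (the RecentList class, the RFC 5737 addresses and the timings are all assumptions). It shows why, as Tim and Bruno point out above, a list server that delivers two messages within 300 seconds trips the rule and stays blocked while it keeps retrying, and how an ACCEPT for a whitelisted source ahead of the chain avoids that.

```python
# Added example, not from the thread: a model of netfilter's xt_recent
# "--set" / "--update --seconds S --hitcount N" logic, so the SSHSCAN chain
# above can be replayed against different traffic patterns without a kernel.
from collections import defaultdict, deque

class RecentList:
    """One named 'recent' list: per source IP, a ring of hit timestamps (seconds)."""

    def __init__(self, name, max_hits=20):      # ip_pkt_list_tot defaults to 20
        self.name = name
        self.hits = defaultdict(lambda: deque(maxlen=max_hits))

    def set(self, ip, now):
        """--set: record a hit for ip, creating the entry if needed."""
        self.hits[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds --hitcount: match if ip has >= hitcount hits within
        the last `seconds`. A match also records this packet, so every blocked
        retry refreshes the entry; with hitcount 2 a source is let through again
        only after `seconds` of silence."""
        stamps = self.hits.get(ip)
        if stamps and sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            stamps.append(now)
            return True
        return False

def sshscan_verdicts(events, seconds=300, hitcount=2, whitelist=frozenset()):
    """Replay (time, src_ip) NEW-connection events through the chain: whitelisted
    sources ACCEPT early; everyone else is --set, then DROPped if --update matches.
    Returns one verdict per event, in time order."""
    recent = RecentList("SSH")
    verdicts = []
    for t, ip in sorted(events):
        if ip in whitelist:                     # an ACCEPT rule placed before the chain
            verdicts.append("ACCEPT")
            continue
        recent.set(ip, t)
        verdicts.append("DROP" if recent.update(ip, t, seconds, hitcount) else "ACCEPT")
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses).
BRUTE_FORCER = [(t, "203.0.113.9") for t in range(5)]               # one SYN per second
LIST_SERVER = [(0, "198.51.100.20"), (120, "198.51.100.20"),        # two list mails,
               (400, "198.51.100.20"), (800, "198.51.100.20")]      # then slower retries

if __name__ == "__main__":
    print("brute forcer:", sshscan_verdicts(BRUTE_FORCER))          # ACCEPT, then DROP x4
    print("list server :", sshscan_verdicts(LIST_SERVER))           # ACCEPT DROP DROP ACCEPT
```

The third connection at t=400 is still dropped even though it is 280 seconds after the first block: the blocked retry at t=120 refreshed the entry, so only the 400-second gap before t=800 clears it.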