Rate-limiting to halt brute-force attack

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dimitri Yioulos <dyioulos@onpointfc.com>
To: netfilter@vger.kernel.org
Subject: Rate-limiting to halt brute-force attack
Date: Fri, 16 Nov 2012 09:22:35 -0500	[thread overview]
Message-ID: <201211160922.36606.dyioulos@onpointfc.com> (raw)

Hi, folks.

 A few days ago, a major brute-force attack was launched 
against our (sendmail) mail server. It looks like a bot is 
aiming lots of zombies at us. Here's how OSSEC hids reports 
an attempt from one of the zombies:

OSSEC HIDS Notification.
2012 Nov 13 09:08:16

Received From: (plymouth) 192.168.1.2->/var/log/messages
Rule: 40111 fired (level 10) -> "Multiple authentication 
failures."
Portion of the log(s):

Nov 13 09:07:44 plymouth ipop3d[29926]: Login failed 
user=hod auth=hod host=201-93-132-240.dsl.telesp.net.br 
[201.93.132.240]
Nov 13 09:07:44 plymouth ipop3d[29925]: Login failed 
user=lee auth=lee host=201-93-132-240.dsl.telesp.net.br 
[201.93.132.240]
~
~

To remediate, I've put fail2ban in place on the mail server, 
and it's working. However, the attacks are still beating at 
the door, and it's significantly increased the load on the 
mail server . I'm now thinking of adding rules to our 
iptables/Netfilter firewall to rate-limit the brute-force 
connections. The rules I'd add are these:

iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m 
recent --set

iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m 
recent --update --seconds 15 --hitcount 3 -j DROP

As the mail server sits in a DMZ, and packets are forwarded 
to it, is the INPUT chain the best place to put these 
rules, or should they go in the FORWARD chain (with 
appropriate modifications)?

Of course, I don't want to stop legitimate mail. Is this the 
best course of action?

Thanks.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

next             reply	other threads:[~2012-11-16 14:22 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-16 14:22 Dimitri Yioulos [this message]
2012-11-16 18:01 ` Rate-limiting to halt brute-force attack /dev/rob0
2012-11-16 18:13   ` Dimitri Yioulos
2012-11-16 19:18     ` /dev/rob0
2012-11-16 18:50 ` Emilio Lazo Zaia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201211160922.36606.dyioulos@onpointfc.com \
    --to=dyioulos@onpointfc.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.