stopping an address from connecting to us


stopping an address from connecting to us

audit-3
My server's been getting slammed all night with requests from
adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
trying to figure out how to stop it.

I've put the IP address in mx_access with REJECT and ran
/usr/local/etc/rc.d/postfix reload and it's still getting slammed.
Does anyone have any ideas? I've got a botnet that's been going crazy
on the server also, we're not running any open proxies and it's locked
down nice and tight.


Here's the output of my postconf -n

alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases,
hash:/usr/local/mailman/data/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 3s
inet_interfaces = all
local_destination_concurrency_limit = 1
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 22528000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
mydomain = dontowrryaboutit.org
myhostname = flatlined.dontowrryaboutit.org
mynetworks = 127.0.0.0/8, 10.2.1.0/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, check_client_access
hash:/usr/local/etc/postfix/junk, reject_rbl_client zen.spamhaus.org,
reject_rbl_client virbl.dnsbl.bit.nl, reject_multi_recipient_bounce,
reject_unauth_pipelining, reject_unknown_reverse_client_hostname
check_client_access regexp:/usr/local/etc/postfix/spam_ip_regex
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining,
permit
smtpd_sender_restrictions = check_sender_mx_access
cidr:/usr/local/etc/postfix/mx_access
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains



Re: stopping an address from connecting to us

Brian Evans - Postfix List
audit wrote:
> My server's been getting slammed all night with requests from
> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've
> been trying to figure out how to stop it.
>
> I've put the IP address in mx_access with REJECT and ran
> /usr/local/etc/rc.d/postfix reload and it's still getting slammed.
> Does anyone have any ideas? I've got a botnet that's been going crazy
> on the server also, we're not running any open proxies and it's locked
> down nice and tight.

Best way: use iptables or equivalent (with TCP reset) to block the
connection. This will take the least amount of resources and make your
system a lot happier.

The Postfix way follows, but is still load on your server.
check_sender_mx_access probably isn't the best place for that IP.  This
checks the domain in the MAIL FROM vs your database and not the IP of
the connection.  You were probably seeking check_client_access.
> Here's the output of my postconf -n
>
[...]
> smtpd_client_restrictions = permit_mynetworks, check_client_access
> hash:/usr/local/etc/postfix/junk, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client virbl.dnsbl.bit.nl, reject_multi_recipient_bounce,
> reject_unauth_pipelining, reject_unknown_reverse_client_hostname
> check_client_access regexp:/usr/local/etc/postfix/spam_ip_regex
> smtpd_data_restrictions = reject_unauth_pipelining, permit

No permit_mynetworks first?  This is your choice, but the later config
suggests you wanted to.

> smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining,
> permit

Remove this and modify smtpd_data_restrictions above.  No real point in
keeping it here.

> smtpd_sender_restrictions = check_sender_mx_access
> cidr:/usr/local/etc/postfix/mx_access

See comments above

Brian


Re: stopping an address from connecting to us

Wietse Venema
audit:
> My server's been getting slammed all night with requests from
> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
> trying to figure out how to stop it.

That's what smtpd_client_connection_rate_limit is for.

> I've put the IP address in mx_access with REJECT and ran

Postfix has no mx_access parameter. If you mean
check_helo/sender/recipient_mx_access, these look up the MX host,
not the client.

        Wietse

Re: stopping an address from connecting to us

audit-3
Wietse Venema wrote:

> audit:
>> My server's been getting slammed all night with requests from
>> adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137] and I've been
>> trying to figure out how to stop it.
>
> That's what smtpd_client_connection_rate_limit is for.
>
I have put the above in and we've blackholed that IP from connecting at
the router now. Now I'm trying to figure out what I'm missing to stop all
the from=<> emails that keep hitting.

Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from
unknown[200.81.211.94]
Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT
from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find
your reverse hostname, [200.81.211.94]; from=<>
to=<[hidden email]> proto=ESMTP helo=<powerb.Plan>
Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from
unknown[200.81.211.94]

>> I've put the IP address in mx_access with REJECT and ran
>
> Postfix has no mx_access parameter. If you mean
> check_helo/sender/recipient_mx_access, these look up the MX host,
> not the client.
>
I removed the mx_access line.
Thanks

> Wietse



Re: stopping an address from connecting to us

Wietse Venema
audit:

> I have put the above in and we've blackholed that IP from connecting at
> the router now. Now I'm trying to figure out what I'm missing to stop all
> the from=<> emails that keep hitting.
>
> Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from
> unknown[200.81.211.94]
> Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT
> from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find
> your reverse hostname, [200.81.211.94]; from=<>
> to=<[hidden email]> proto=ESMTP helo=<powerb.Plan>
> Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from
> unknown[200.81.211.94]

http://www.postfix.org/BACKSCATTER_README.html may have some usable
suggestions.

        Wietse
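The triage the thread converges on, as an added shell example that is not part of the original posts: read smtpd log lines in the format audit quoted, count connections per client, emit a check_client_access CIDR table for the busy ones (the lookup Brian points to instead of check_sender_mx_access, which keys on the MX hosts of the MAIL FROM domain rather than on the connecting client), print the matching iptables rules with TCP reset, and tally the from=<> rejections from audit's second post. The log lines are constructed to match the thread's format; the table path /usr/local/etc/postfix/client_access, the connection threshold, and the use of iptables rather than the FreeBSD firewall implied by the /usr/local/etc/rc.d paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage Postfix smtpd log lines to find
# which clients are hammering the server, emit a check_client_access CIDR
# table for them, print matching firewall rules, and tally from=<> rejects.
# The log lines below are CONSTRUCTED in the format quoted in the thread.

SAMPLE_LOG='Jul 24 10:27:52 flatlined postfix/smtpd[5121]: connect from unknown[200.81.211.94]
Jul 24 10:27:53 flatlined postfix/smtpd[5121]: NOQUEUE: reject: RCPT from unknown[200.81.211.94]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [200.81.211.94]; from=<> to=<postmaster@example.org> proto=ESMTP helo=<powerb.Plan>
Jul 24 10:27:54 flatlined postfix/smtpd[5121]: disconnect from unknown[200.81.211.94]
Jul 24 10:27:55 flatlined postfix/smtpd[5122]: connect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:27:55 flatlined postfix/smtpd[5122]: disconnect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:27:56 flatlined postfix/smtpd[5123]: connect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:27:56 flatlined postfix/smtpd[5123]: disconnect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:27:57 flatlined postfix/smtpd[5124]: connect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:27:57 flatlined postfix/smtpd[5124]: disconnect from adsl-99-162-37-137.dsl.ipltin.sbcglobal.net[99.162.37.137]
Jul 24 10:28:01 flatlined postfix/smtpd[5125]: connect from mail.example.net[192.0.2.10]
Jul 24 10:28:02 flatlined postfix/smtpd[5125]: disconnect from mail.example.net[192.0.2.10]'

# The client address is the dotted quad in square brackets after the hostname
# (or "unknown"). Requiring dots keeps the smtpd[PID] bracket from matching.
# Read a log on stdin; print "<connections> <ip>" per client, busiest first.
connects_per_client() {
    awk '
        /postfix\/smtpd\[[0-9]+\]: connect from / && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            n[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read a log on stdin; print "<ip>/32 REJECT ..." for every client with more
# than $1 connections. Save as e.g. /usr/local/etc/postfix/client_access (the
# path is an assumption) and list it under smtpd_client_restrictions as
#   check_client_access cidr:/usr/local/etc/postfix/client_access
# CIDR tables need no postmap. check_sender_mx_access is the wrong hook: it
# keys on the MX hosts of the MAIL FROM domain, not on the connecting client.
# For a general per-client ceiling rather than a fixed list, Wietse's
# smtpd_client_connection_rate_limit is enforced by anvil on every client not
# listed in smtpd_client_event_limit_exceptions ($mynetworks by default).
client_access_table() {
    connects_per_client | awk -v t="$1" '$1 + 0 > t + 0 { print $2 "/32 REJECT too many connections" }'
}

# Same input and threshold; print iptables rules that refuse port 25 from the
# offender with a TCP reset, the cheaper block Brian recommends. Printed for
# review rather than executed; on a pf/ipfw host translate accordingly.
iptables_rules() {
    connects_per_client | awk -v t="$1" '$1 + 0 > t + 0 {
        print "iptables -I INPUT -s " $2 " -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
    }'
}

# Read a log on stdin; tally NOQUEUE rejects of null-sender (from=<>) mail as
# "<count> <ip> <smtp code> <kind>". reject_unknown_reverse_client_hostname
# answers with unknown_client_reject_code, 450 by default: a temporary failure
# that a well-behaved client retries, so the same host keeps returning until
# it is blocked outright or the code is raised to a 5xx value.
null_sender_rejects() {
    awk '
        /NOQUEUE: reject: / && /from=<>/ &&
        match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            code = "???"
            if (match($0, /: [45][0-9][0-9] /)) code = substr($0, RSTART + 2, 3)
            k = ip " " code
            n[k]++
            kind[k] = (code ~ /^4/) ? "temporary(client-will-retry)" : "permanent"
        }
        END { for (k in n) print n[k], k, kind[k] }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | connects_per_client
printf '%s\n' "$SAMPLE_LOG" | client_access_table 2
printf '%s\n' "$SAMPLE_LOG" | iptables_rules 2
printf '%s\n' "$SAMPLE_LOG" | null_sender_rejects
```

Each function reads a log on standard input, so `connects_per_client < /var/log/maillog` works on a real log. The thing to compare against the real log is the 450 in the reject line: as long as the rejection is a 4xx, the remote host has been told to try again later, which is exactly what the repeated connect/reject/disconnect triplets show.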