From: Jorey Bump (listjoreybump.com)
Date: Sat Aug 22 2009 - 15:54:50 CDT
Martijn de Munnik wrote, at 08/22/2009 02:06 PM:
> I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx
> errors or sends too much spam it is banned in the firewall.
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
> ban time 1h
> failregex = Passed SPAM, \[<HOST>\]
> ban time 10m
> When a host is banned multiple short times it gets banned for 1 day. It
> should be easy to get this working with iptables.
While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.
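The two jails Martijn describes (a 5xx filter with a 1h ban, a "Passed SPAM" filter with a 10m ban, escalation to a day for repeat offenders) and Jorey's caveat about shared MTAs can be modelled in a few dozen lines. The following is an added example written for this archive page, not fail2ban's own engine and not code from either poster: it replays constructed Postfix and amavis log lines through the two failregexes from the thread, counts hits per host inside a window, escalates repeat offenders, and applies an ignore list so that a relay serving many users is never banned. The `<HOST>` stand-in pattern, the `findtime`/`maxretry` values, the escalation threshold and the `IGNORE_NETS` range (a documentation network, not any real provider) are assumptions; the thread only gives the regexes and the ban times.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# fail2ban expands <HOST> to its own host expression; this is a simplified
# stand-in that matches IPv4/IPv6 literals (assumption, not fail2ban's regex).
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"

# The two jails from the thread. findtime and maxretry are assumed values.
JAILS = {
    "postfix-5xx": {
        "failregex": re.compile(r"reject: RCPT from (.*)\[" + HOST_RE + r"\]: 5\d\d"),
        "bantime": timedelta(hours=1),
        "findtime": timedelta(minutes=10),
        "maxretry": 3,
    },
    "amavis-spam": {
        "failregex": re.compile(r"Passed SPAM, \[" + HOST_RE + r"\]"),
        "bantime": timedelta(minutes=10),
        "findtime": timedelta(minutes=10),
        "maxretry": 3,
    },
}

# "Banned multiple short times -> banned for 1 day": threshold is assumed.
ESCALATE_AFTER = 3
ESCALATED_BANTIME = timedelta(days=1)

# Jorey's caveat: an MTA that relays for thousands of users must not be cut
# off because a few spam messages came through it. Constructed range.
IGNORE_NETS = [ip_network("203.0.113.0/24")]


def is_ignored(host):
    """True if the host falls inside a network we refuse to ban."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in IGNORE_NETS)


def parse_ts(line, year):
    """Syslog timestamps carry no year; 'Aug 22 14:01:02' is the first 15 chars."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def run_jails(lines, year=2009):
    """Replay log lines through every jail.

    Returns the bans issued, in order, as (timestamp, jail, host, duration).
    """
    failures = defaultdict(list)    # (jail, host) -> hit timestamps in window
    banned_until = {}               # host -> datetime the ban expires
    ban_count = defaultdict(int)    # host -> bans issued so far
    bans = []
    for line in lines:
        ts = parse_ts(line, year)
        for name, jail in JAILS.items():
            m = jail["failregex"].search(line)
            if not m:
                continue
            host = m.group("host")
            if is_ignored(host):
                continue
            if host in banned_until and banned_until[host] > ts:
                continue  # still banned; the firewall would have dropped this
            window = failures[(name, host)]
            window.append(ts)
            # keep only hits inside findtime
            window[:] = [t for t in window if ts - t <= jail["findtime"]]
            if len(window) < jail["maxretry"]:
                continue
            ban_count[host] += 1
            if ban_count[host] >= ESCALATE_AFTER:
                duration = ESCALATED_BANTIME
            else:
                duration = jail["bantime"]
            banned_until[host] = ts + duration
            bans.append((ts, name, host, duration))
            window.clear()
    return bans


# Constructed sample log: one host hammering with 5xx rejects three times
# over the afternoon, one spam source, one relay in the ignore list, and a
# 4xx greylisting reject that must not count.
LOG = """\
Aug 22 14:01:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a@example.com>: Recipient address rejected: User unknown; from=<x@example.net> to=<a@example.com>
Aug 22 14:02:10 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <b@example.com>: Recipient address rejected: User unknown; from=<x@example.net> to=<b@example.com>
Aug 22 14:02:40 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.20]: 450 4.7.1 <c@example.com>: Recipient address rejected: Greylisted; from=<y@example.org> to=<c@example.com>
Aug 22 14:03:15 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <c@example.com>: Recipient address rejected: User unknown; from=<x@example.net> to=<c@example.com>
Aug 22 14:05:00 mx amavis[2001]: (02001-01) Passed SPAM, [198.51.100.7] <s@example.net> -> <u@example.com>, Hits: 9.2
Aug 22 14:06:00 mx amavis[2001]: (02001-02) Passed SPAM, [203.0.113.5] <s1@example.com> -> <u@example.com>, Hits: 7.1
Aug 22 14:06:30 mx amavis[2001]: (02001-03) Passed SPAM, [198.51.100.7] <s@example.net> -> <v@example.com>, Hits: 8.0
Aug 22 14:07:00 mx amavis[2001]: (02001-04) Passed SPAM, [203.0.113.5] <s2@example.com> -> <v@example.com>, Hits: 6.5
Aug 22 14:07:30 mx amavis[2001]: (02001-05) Passed SPAM, [203.0.113.5] <s3@example.com> -> <w@example.com>, Hits: 6.9
Aug 22 14:08:00 mx amavis[2001]: (02001-06) Passed SPAM, [198.51.100.7] <s@example.net> -> <w@example.com>, Hits: 10.4
Aug 22 15:10:00 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <d@example.com>: Relay access denied; from=<x@example.net> to=<d@example.com>
Aug 22 15:10:20 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <e@example.com>: Relay access denied; from=<x@example.net> to=<e@example.com>
Aug 22 15:10:40 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <f@example.com>: Relay access denied; from=<x@example.net> to=<f@example.com>
Aug 22 16:20:00 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <g@example.com>: Relay access denied; from=<x@example.net> to=<g@example.com>
Aug 22 16:20:30 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <h@example.com>: Relay access denied; from=<x@example.net> to=<h@example.com>
Aug 22 16:21:00 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <i@example.com>: Relay access denied; from=<x@example.net> to=<i@example.com>
"""

if __name__ == "__main__":
    for ts, jail, host, duration in run_jails(LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {jail:12s} ban {host:15s} for {duration}")
```

Running it shows 192.0.2.10 banned for 1h twice and then for a day on its third offence, 198.51.100.7 banned for 10m after three spam hits, the greylisted 450 from 192.0.2.20 ignored by the `5\d\d` filter, and 203.0.113.5 never banned despite three spam hits because it sits in `IGNORE_NETS`. That last list is the practical answer to Jorey's concern: populate it with the outbound ranges of the large providers whose mail you cannot afford to lose, and keep SMTP ban times short in any case.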