As a system admin who maintains production Linux servers, there are circumstances where you need to selectively block or allow network traffic based on geographic location. For example, you may be experiencing denial-of-service attacks that mostly originate from IP addresses registered to a particular country.
I have a small mail server at home and quite restrictive filtering rules. I use logwatch and can see that 80 to 90% of connections are rejected by my restrictive filtering rules. Most rejections result from rbl_client.
I'm desperately looking for a fail2ban configuration file example showing how to filter IPs spamming my server. I wish the ban would be for a long period (i.e. 1 month).
I also had a SYN flooding attempt on my mail server that I blocked using a firewall rule set by hand. Could fail2ban detect these too?
chmike
migrated from serverfault.com Apr 2 '13 at 8:42
2 Answers
I've just got sick of all the RBL spammers filling my logs, so I've setup my Postfix to ban them.
After doing so, load dropped because there were a lot of them!
Be aware that you have to implement some way of cleaning the banned list.
I'm planning to restart fail2ban on a weekly basis.
Check out these rules: http://www.fail2ban.org/wiki/index.php/Postfix
Add them in /etc/fail2ban/filter.d/postfix.conf (that's on Debian systems!)
Also good to read this (search for fail2ban): http://workaround.org/ispmail/squeeze/sysadmin-niceties (some snippets from there).
In short:
- In jail.conf set:
- Good to do if you're using dovecot (from link above): Create /etc/fail2ban/filter.d/dovecot-pop3imap.conf and add to it:
- Add section in jail.conf or jail.local:
- Restart fail2ban and check iptables -nvL to see if the chains for postfix and courier are added. BEWARE: This is for Debian based systems. Check file paths for RH or others.
Anton Valqk
A better way is to just use Postfix to filter IPs using blocklists.
See http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions to reject using blocklist(s).
If you really wanted to, you could use a Fail2Ban filter like f2b-postfix-rbl (postfix-rbl.conf) to filter the mail log for blocklist/blacklisted IP entries. It would then insert a new entry into iptables and it would be blocked for the given ban time.
As mentioned, this probably will not do much as the script/bot/mailer will just move on after 1st failure and try you again on a different day from a different IP. Also, it's redundant since you can filter using MTA as mentioned above.
Here is a sample of some block lists you could add under postfix to block blacklisted IPs.
/etc/main.cf:
If you insist on fail2ban processing blocklists, make sure you enable it under /etc/fail2ban/jail.local:
To use rbl 'mode' under newer versions, substitute the filter line with:
On earlier versions I had to change mine to detect '554 5.7.1' to pick up postfix log rejects via the 'postfix-rbl' filter. The newer version of the filter seems to scan for this change under newer rbl 'mode' versions.
As far as SYN flood - see this.
bshea
I have a web app that has no users in the Philippines, but is constantly bombarded by spammers, carders testing cards, and other undesirable activity from there. I can see in the logs that they have IPs in the Philippines and are initially finding my site via google.ph or other .ph sites. I have pretty good filters and security checks in place, so they don't really cause much damage, but nonetheless, I'm really getting tired of it. They use up bandwidth, fill up my database, abuse logs, and security logs with crap, waste my time terming accounts, etc.
While the vast majority of Philippine citizens aren't spammers, and I can't just block every country that annoys me, at this point, I think the solution is simply to block all traffic from the Philippines to my webapp. (I know blocking entire countries' IP blocks is not a great practice, and has many problems, but for this country, I want to make an exception.)
(I know they could spoof their IP address, but at least I can make them work for it a bit.)
I know there are a few geoip services out there. Anyone know of any free or inexpensive services? Or any other way to filter out traffic from a specific country?
I'm running PHP on Apache 2, if it matters.
9 Answers
You could do this based on IP address using a free IP Location API like IPInfoDB http://ipinfodb.com/index.php.
Unlike most of the other posters here, I'm not going to tell you this is a bad idea, that you shouldn't do it, that it won't solve your problem, or that you should do something else. Here's what happened to us:
Individuals from China and Korea (or using proxies in China and Korea, anyway) kept annoying us. Portscanning, crawling our websites looking for vulnerabilities, making login attempts, etc. I tried to ignore them (fail2ban takes care of them usually) but at some points they were hitting us so hard that it effectively turned into a DoS attack. When you have hundreds of connections at once from people trying to use your webserver as a proxy, trying to SSH into your machine, trying random usernames and passwords, it tends to weigh on the site. I eventually got fed up.
We don't get any legitimate traffic from China or Korea; our company doesn't sell there (we're e-commerce) so there was no risk of losing legitimate traffic, so I figured it was easier to block them ahead of time instead of waiting for them to be dicks.
- Visited http://ip.ludost.net/ and downloaded their IP<->country database.
- Extracted all Chinese and Korean IP address ranges.
- Installed the ipset module for netfilter
- Built ipset dumps for China and Korea (see below)
- Added rules to iptables to silently drop any traffic from those sets.
And that's it. Our problem users went away, load on the network and the server was decreased, and we weathered the Christmas season without difficulty.
Note 1: you can do this with regular iptables (i.e. without ipset) but it's more computationally expensive than using ipset.
Note 2: This is how the dumps look (ipset will generate these for you if you want):
Note 3: We use a nethash because all of our ranges are stored as CIDR blocks. If you don't want to convert them to CIDR, you can use an iptreemap instead, but I imagine that might be less efficient if you're getting a lot of traffic.
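The procedure in the answer above (download a country database, extract the ranges, build an ipset, drop matches from iptables) as an added worked example in Python, not the answer's own scripts. The "start,end,countrycode" layout of the sample database is constructed and assumed (the real ip.ludost.net file may differ, so adapt parse_ranges), the set name geo_drop is an assumption, and the emitted set type is the current `hash:net` name rather than the older `nethash` the answer used. Because the answer's ranges are CIDR blocks but geo databases often give first-last ranges, the example also does the range-to-CIDR conversion Note 3 talks around.

```python
import ipaddress

# Constructed sample in a "start,end,countrycode" layout (assumption: the real
# ip.ludost.net download may use a different layout; adjust parse_ranges to it).
SAMPLE_DB = """\
192.0.2.0,192.0.2.255,CN
198.51.100.0,198.51.100.127,KR
198.51.100.128,198.51.100.255,US
203.0.113.0,203.0.113.63,CN
203.0.113.64,203.0.113.79,CN
"""


def parse_ranges(text, countries):
    """Return the CIDR blocks (collapsed, sorted) registered to the given country codes."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, cc = (field.strip() for field in line.split(","))
        if cc.upper() not in countries:
            continue
        # A first-last range is rarely one CIDR block; summarize_address_range
        # splits it into the minimal set of blocks, which is what hash:net wants.
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return sorted(ipaddress.collapse_addresses(nets))


def ipset_restore(name, nets):
    """Text for `ipset restore`: one hash:net set plus one add line per block."""
    lines = [f"create {name} hash:net family inet hashsize 1024 maxelem 65536"]
    lines += [f"add {name} {net}" for net in nets]
    return "\n".join(lines) + "\n"


def iptables_rules(name, ssh_from=None):
    """DROP everything from the set at the top of INPUT. If ssh_from (an address or
    block you administer from) is given, an explicit ssh ACCEPT goes ahead of the
    DROP so a bad range in the list cannot lock you out of a remote box."""
    rules = []
    if ssh_from:
        rules.append(f"iptables -I INPUT 1 -p tcp --dport 22 -s {ssh_from} -j ACCEPT")
    position = 2 if ssh_from else 1
    rules.append(f"iptables -I INPUT {position} -m set --match-set {name} src -j DROP")
    return rules


def is_blocked(ip, nets):
    """The same membership test the kernel performs against the hash:net set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build(countries=("CN", "KR"), name="geo_drop"):
    """Everything needed to install the block: the blocks, the restore file, the rules."""
    nets = parse_ranges(SAMPLE_DB, set(countries))
    return nets, ipset_restore(name, nets), iptables_rules(name)


if __name__ == "__main__":
    nets, restore, rules = build()
    print(restore, end="")   # save to a file and load with: ipset -exist restore < file
    print("\n".join(rules))
```

Loading the file with `ipset -exist restore < file` and then adding the rule is idempotent, so the same script can rebuild the set whenever the database is refreshed; swapping in a fresh set with `ipset swap` keeps the DROP rule in place with no gap. The membership check is there to sanity-test the list before installing it: if `is_blocked` says yes for the address you administer from, fix the list first.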
How do you fix a bug in code?
Like so?
Bug: Add(2,2) returns 0, should return 4.
Fixed code:
Obviously not. You don't just create a teetering monstrosity of special cases, that's enormously fragile and a recipe for disaster. You also don't just patch TODAY'S symptom of the underlying problem.
Instead, figure out the root cause, and fix that. This is far more robust than any hacky special-case patch you could implement.
Why is your web app vulnerable to spam? What characteristics make it vulnerable? What characteristics make it a valuable target? Are there ways you can change those characteristics to make your app more robust against spam and less of a tempting target? Almost certainly the answer to these questions is yes. Add validation chains to your forms, use a captcha intelligently, randomize urls and/or parameter names to make them unfriendly to bots. There are millions of ways to approach this problem, I'm sorry to say you have chosen one of the least valuable, least useful, and most fragile solutions out there.
First, I would strongly suggest not doing this.
As others have far more eloquently put, blocking a specific country doesn't fix the problem , it just defers it slightly. Also, when users from that country see you've blocked them specifically, it will only motivate them to cause you more problems.
That said, if you really want to do this, IPinfoDB provides a free IP geolocation database.
First, you would locate an IP simply by country.
You would search this way:
Or
Second, you might want to get the IPs of a specific country to generate a blocklist with iptables, an htaccess file or whatever you use. It would be done like this:
which would give you:
You should use products like fail2ban to key off errors you throw in your web application indicating a spamming attempt is underway. This will block the IP for a period of time, making your site resistant, but not blanket blocking entire IP blocks.
A couple of solutions:
- exclude some IPs in Apache configuration with mod_access
- use GeoIp directly from Apache: http://www.maxmind.com/app/mod_geoip
- Exclude some IPs from Linux iptables directly. This is more risky if you have remote access only; you could lock yourself out of the machine
These solutions are pretty easy and quick to put in place, and free.
A longer term solution would be to detect the spam from your web application, log the IP and feed your iptables to block them automatically.
Did you consider finding out who operates the networks you are being attacked from? Find the 'abuse' contact using whois and report to them. Of course it may come from several networks, but it may also be worth it if you see some recurring addresses / network blocks.
You have every right to block IP addresses for whatever reason you can justify to yourself. It is you that provides a service and it is you who decides who can have it or not. It is perhaps questionable whether this is moral, but that is something you can only decide for yourself.
However, blocking an IP segment because it has some geographic aspect to it sounds to me more or less like a panic approach.
What I have done in the past is have a crawler go through my most recent logs and, based on that, ban individual IPs that are annoying for a period of 24 hours. If that specific IP is misbehaving again it is banned for 2 days, then 3 days, etc. etc., you get the drift.
IPs that are banned for more than a week will be mailed to me and I send an abuse mail to that service provider (who knows, it might even help).
I would opt for a Snort + OSSEC solution that could maintain something like this dynamically.
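The escalating scheme in the answer above (24 hours for the first offence, 2 days for the second, 3 for the third, and an abuse mail once a ban passes a week) as an added example in Python; this is not the answer's own crawler. The timeline in simulate() is constructed, the 7-day reporting threshold is read from the answer, and the whois lookup for the abuse contact is assumed to happen out of band, so abuse_report() only drafts the message body. One detail the answer leaves implicit is handled explicitly: a hit that arrives while the address is still banned is not a new episode and must not push the counter up, otherwise a single burst would escalate an address straight to the reporting threshold.

```python
from datetime import datetime, timedelta

# Policy from the answer: the n-th separate episode earns an n-day ban, and once a ban
# exceeds REPORT_AFTER the address is queued for an abuse e-mail to its operator.
REPORT_AFTER = timedelta(days=7)


class EscalatingBans:
    def __init__(self):
        self.strikes = {}       # ip -> number of separate misbehaviour episodes
        self.banned_until = {}  # ip -> expiry of the current ban
        self.to_report = []     # ips whose ban length crossed REPORT_AFTER

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record(self, ip, now):
        """Feed one misbehaving log entry; returns the ban expiry for this ip."""
        if self.is_banned(ip, now):
            # Still banned: this is a firewall hit or a stray log line, not a new
            # episode, so the strike count does not move.
            return self.banned_until[ip]
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        length = timedelta(days=self.strikes[ip])
        self.banned_until[ip] = now + length
        if length > REPORT_AFTER and ip not in self.to_report:
            self.to_report.append(ip)
        return self.banned_until[ip]

    def abuse_report(self, ip):
        """Draft for the abuse contact (assumption: the contact is found separately
        with `whois <ip>`; only the message body is produced here)."""
        return (f"Repeated abusive traffic from {ip}: {self.strikes[ip]} separate episodes, "
                f"currently blocked until {self.banned_until[ip]:%Y-%m-%d %H:%M} UTC.")


def simulate():
    """Constructed timeline: one address returns every time its ban lapses (plus one
    hit while still banned, on day 2), and another address is seen only once."""
    t0 = datetime(2015, 2, 10)
    ledger = EscalatingBans()
    for day in (0, 1, 2, 3, 6, 10, 15, 21, 28):
        ledger.record("192.0.2.10", t0 + timedelta(days=day))
    ledger.record("198.51.100.7", t0 + timedelta(days=4))
    return ledger


if __name__ == "__main__":
    ledger = simulate()
    for ip in ledger.to_report:
        print(ledger.abuse_report(ip))
```

Run through the timeline, the repeat offender reaches its eighth episode on day 28, which is the first ban longer than a week and therefore the first one that produces a report; the day-2 hit during the first 2-day ban is absorbed without escalating. In production the ledger would be persisted (a small table keyed by address) and a cron job would push `banned_until` into iptables or an ipset and remove entries as they expire.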
protected by Sven♦ Feb 10 '15 at 11:28