I've been running a small (mostly just me!) mail/web/game server for years. I get a lot of login attempts on SMTP 25 (I'm running sendmail). On my server, the only legitimate use for logging in on port 25 is Webmail sending a message - and it logs in from/to localhost.
Is there a reasonably easy way to tarpit login attempts on port 25 that aren't coming from 127.0.0.1 / on the loopback interface, while leaving non-login (incoming) mail delivery alone?
You can't "log in" to a sendmail box on port 25. All you can do is connect to the sendmail daemon and issue commands that it understands.
Code:
[user@sendmail ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sendmail.domain.com ESMTP Sendmail 8.14.4/8.14.8; Tue, 3 Mar 2015 10:53:47 -0600
ehlo x
250-sendmail.domain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
Connection closed by foreign host.
Tarpitting is something you do to slow down spammers once they know sendmail is there. I think you mean you'd like to block some foreign IP space from even making a connection.
Here's one way of doing that:
Code:
#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (CN) and RUSSIA (RU). Use ISO code ###
ISO="af cn ru"
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
cleanOldRules(){
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}
# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
# clean old rules (note: this flushes EVERY existing rule and resets all policies to ACCEPT)
cleanOldRules
# create a new iptables chain
$IPT -N $SPAMLIST
for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone
    # get fresh zone file; skip this country if the download fails (an empty file would silently block nothing)
    $WGET -O "$tDB" "$DLROOT/$c.zone" || { echo "download failed for $c" >&2; continue; }
    # country specific log message
    SPAMDROPMSG="$c Country Drop"
    # get the CIDR blocks, skipping comment and blank lines
    BADIPS=$($EGREP -v "^#|^$" "$tDB")
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
done
# hook the chain into INPUT; without this jump the chain is built but never consulted
$IPT -I INPUT -j $SPAMLIST
You could put rules in your /etc/sysconfig/iptables, instead:
Code:
-A INPUT -s 182.61.0.0/16 -j LOG
-A INPUT -s 182.61.0.0/16 -j DROP
When I said "log in", I was referring to SMTP AUTH - provide a username and password to get higher-than-nobody privileges, like sending outgoing mail. I get dozens or hundreds of AUTH attempts a day (once got 13,000+), and NONE are legitimate. The spammers/crackers know the server is there. Yes, I'd like to tarpit them, based on the fact that they are performing illegitimate AUTH attempts (any AUTH attempt is illegitimate here!). Since I don't necessarily know all countries where legitimate email is coming from, I don't want to block connections by country.
Summary - "login" meaning AUTH, and tarpit meaning tarpit.
You can use fail2ban to block repeat offenders' IPs for a certain amount of time.
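A fail2ban-style counter over sendmail AUTH-failure log lines, added here to illustrate the suggestion above (it is not fail2ban's code or anything posted in the thread; the maillog lines, hostnames and IPs are constructed). It exempts loopback, which is the one legitimate AUTH client on the OP's box, counts failures per client inside a sliding window, and emits the drop rule in the /etc/sysconfig/iptables form shown earlier in the thread, narrowed to port 25. fail2ban itself ships a sendmail-auth filter for this log shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample maillog lines (not from the thread or a real server), in the
# shape sendmail with Cyrus SASL logs failed AUTH attempts, plus one normal delivery.
SAMPLE_LOG = """\
Mar  3 10:53:47 mail sendmail[2101]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin, relay=[203.0.113.7]
Mar  3 10:53:49 mail sendmail[2103]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test, relay=[203.0.113.7]
Mar  3 10:53:52 mail sendmail[2107]: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=info, relay=[203.0.113.7]
Mar  3 10:54:01 mail sendmail[2110]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob, relay=[198.51.100.9]
Mar  3 10:54:03 mail sendmail[2112]: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob, relay=localhost [127.0.0.1]
Mar  3 10:54:05 mail sendmail[2115]: t23Gs5aB002115: from=<alice@example.org>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
"""

AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: AUTH failure "
    r"\([^)]+\).*?relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\]"
)

def offenders(log_text, maxretry=3, window=timedelta(minutes=10), year=2015):
    """Map ip -> total AUTH failures for each non-loopback client that failed at
    least `maxretry` times within any `window` (sliding, like fail2ban's
    maxretry/findtime). `year` is supplied because syslog timestamps carry none."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue                      # ordinary delivery traffic: ignore
        ip = m.group("ip")
        if ip.startswith("127."):
            continue                      # Webmail on localhost is the legitimate case
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events[ip].append(ts)
    banned = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1            # slide the window forward past stale hits
            if end - start + 1 >= maxretry:
                banned[ip] = len(times)
                break
    return banned

def drop_rule(ip):
    """Rule text in the /etc/sysconfig/iptables form shown earlier in the thread,
    narrowed to port 25 so other services are untouched (returned, not applied)."""
    return f"-A INPUT -s {ip} -p tcp --dport 25 -j DROP"
```

With the sample above, only 203.0.113.7 reaches three failures inside ten minutes; 198.51.100.9 has one and the loopback attempt is ignored.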
If the only "login" is from the local host, you could set the sendmail configuration to only listen on localhost, rather than the default of any network connection.
You can also use iptables to just drop any connection to port 25 on any interface EXCEPT "lo".
The tough part of the configuration is that it needs to accept incoming mail (addressed to accounts on this server) on port 25, while not permitting any AUTH attempt to succeed if it's not coming from localhost. I'm not positive that an AUTH command from localhost needs to be permitted - I'll have to look at SquirrelMail's requirements for outgoing mail.
Ideally I'd like to tarpit the illegitimate AUTH attempts, as an attempt to slow down the crackers. My second choice would be to simply not allow AUTH attempts on non-localhost connections.