An iptables fix for dictionary spam tactics
Use ipt_recent to block dictionary spam attacks.
We use firehol for our firewalls, so this post is somewhat specific to that product, but it can be easily adapted to fit any iptables firewall.
This is a simple idea, sparked by a dictionary attack earlier this morning that caused a client's mail server to reject new connections because it already had too many open. It uses the ipt_recent module and limits remote hosts to four connections every thirty seconds. For low-volume mail servers that should be more than enough.
Simply add the following four lines before any interface or router definitions in firehol.conf.
iptables -N block_spammers
iptables -A block_spammers -p tcp --dport smtp -m recent --set --name MAIL
iptables -A block_spammers -p tcp --dport smtp -m recent --update --seconds 30 --hitcount 4 --name MAIL -j DROP
iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_spammers
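To make the counting concrete, here is an added Python model of the xt_recent behaviour behind the two `-m recent` rules above (it is not part of this post or of firehol); it assumes the module's default of 20 stored timestamps per address (ip_pkt_list_tot) and an inclusive window comparison, and replays constructed connection attempts through the chain. It shows that, with `--set` evaluated before `--update`, the fourth attempt from one address inside a thirty-second window is dropped, that every later attempt (dropped or not) adds fresh timestamps, and that other addresses are unaffected.

```python
from collections import deque

WINDOW_SECONDS = 30   # --seconds 30
HITCOUNT = 4          # --hitcount 4
PKT_LIST_TOT = 20     # assumed xt_recent ip_pkt_list_tot default (stamps per address)


class RecentTable:
    """Minimal model of one xt_recent list (the --name MAIL table)."""
    def __init__(self):
        self.stamps = {}  # source address -> ring buffer of timestamps

    def recent_set(self, addr, now):
        # --set: create the entry if needed and record this packet's time
        self.stamps.setdefault(addr, deque(maxlen=PKT_LIST_TOT)).append(now)

    def recent_update(self, addr, now):
        # --update --seconds N --hitcount H: match when at least H stamps lie
        # inside the window; on a match the kernel records this packet's time too
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        hits = sum(1 for s in ring if now - s <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            ring.append(now)
            return True
        return False


def block_spammers(table, addr, now):
    """Walk the block_spammers chain for one NEW SMTP packet; True means DROP."""
    table.recent_set(addr, now)             # rule: -m recent --set --name MAIL
    return table.recent_update(addr, now)   # rule: -m recent --update ... -j DROP


def simulate(attempts):
    """attempts: (time_in_seconds, source_address) pairs in time order.
    Returns the verdict, 'ACCEPT' or 'DROP', for each attempt."""
    table = RecentTable()
    return ["DROP" if block_spammers(table, src, t) else "ACCEPT"
            for t, src in attempts]


if __name__ == "__main__":
    # Constructed sample: a host retrying every ten seconds is dropped on its
    # fourth attempt and stays dropped for as long as it keeps retrying.
    attempts = [(t, "198.51.100.7") for t in (0, 10, 20, 29, 39, 49)]
    for (t, src), verdict in zip(attempts, simulate(attempts)):
        print(f"t={t:3d}s {src} {verdict}")
```

A dropped SYN is retransmitted by the client's TCP stack and each retransmit is another NEW packet, so a sender that trips the limit can stay blocked for well over thirty seconds.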