ClearFoundation

Forums
Spam bombing
#41971
Spam bombing 11 Months, 4 Weeks ago  
Hi all.

I'm looking for some advice.

Over the past few weeks I've noticed a HUGE increase in rejected mail. (From less than 30 rejected to multiple thousand per day)

While this is great that COS 5.2 is catching the email bombs and greylist/postgrey is doing its job, it is beginning to bother me.

I can identify all the problem IP addresses and have created a list.

Is there something that I can do in a proactive fashion or should I let it go and hope it dies out after a time? My thoughts were perhaps (1) blanket block these IP addresses at the firewall; (2) do something with the IDS to specifically block these IPs for a period of time or.....

What would you recommend?

Thanks in advance.
nuke
Gold Boarder
Posts: 274
 
#42182
Re: Spam bombing 11 Months, 3 Weeks ago  
I have not tested what I'm about to suggest, but it might be worth looking into.

I have noticed that my server was targeted once or twice, but I don't run anything crucial on this setup (VM on a home server for testing), and there wasn't much I could do, but I'm considering using ProxMox Mail Gateway in front of ClearOS. Like I said, I have not even tested this yet, but it's an idea.

www.proxmox.com/products/proxmox-mail-gateway
Rodrigo Lozada
Senior Boarder
Posts: 57
 
#42357
Re:Spam bombing 11 Months, 2 Weeks ago  
Check this post out: here. Using spamcop and other RBLs might help... good luck
Bob Stangarone
Gold Boarder
Posts: 183
[ Linux User | CC Fan since 2.1 | packet captures and log entries are amazing debugging tools ]
[ www.whataboutbob.org | How To Ask Questions The Smart Way ]
 
#42450
Re:Spam bombing 11 Months, 2 Weeks ago  
Thank you Rodrigo and Bob.

For the time being I don't think I'll add ProxMox. I'll try the changes to postfix main.cf first.

I've added a bunch of stuff to the bottom of the postfix main.cf and I hope it will help. Thanks again for pointing out those threads. I didn't put this problem and those solutions together until you highlighted them.

I've collected the problem IP addresses for 6 weeks now so could blanket block these at the firewall but I'm not sure how to do this except via the webconfig window. That would take some time since I have a very very long list. Not sure how to update it properly from the command line.

Now I have to figure out how to update the sinokorea.cidr on a regular basis.

Thanks again for your help.
nuke
Gold Boarder
Posts: 274
 
#42720
Re:Spam bombing 11 Months, 1 Week ago  
Hi.

I've updated postfix and added the rbls. I've also added a bunch of rules to snort & snortsam so that repeated attempts are blocked for a period of time.

But some IPs I'd like to block indefinitely. At the moment, many of the problem spam and repeated SMTP login attempts are coming from Argentina & Mexico. I don't have these two countries in my block country list but I'm thinking of adding them if this continues.

I've collected a list of 722 IPs that are a problem and would like to block these using the firewall. I've manually added a bunch to webconfig window Network/Incoming/Block. Adding 722 will take a week.

I'm wondering how I can add these to one of the firewall rule files manually so that I don't have to add these via the webconfig window Network/Incoming/Block?

I've read that user rules should be put into rc.firewall.local. But I don't see any rules there at all. I suspect I'd have to figure out how to do an iptables command to add rules to rc.firewall.local.

When I look at /etc/firewall I see all the blocked sites that I've added already via webconfig. Can't I add these 722 IPs to the /etc/firewall manually if I follow the format:

Name|Group|Flags|Protocol|Address|Port|Parameter ? Will these be overwritten when COS is updated?

Is this a stupid place to put these block rules? Or should I be trying to figure out how to put it in rc.firewall.local?

Thanks for your help.
nuke
Gold Boarder
Posts: 274
Last Edit: 2012/06/18 20:03 By nuke.
 
#42745
Re:Spam bombing 11 Months, 1 Week ago  
The file to use is rc.firewall.local. Note that any script can go here and be run after iptables loads. It does not just have to be iptables rules. In principle put all your IPs in a file then write a mini bash script. I'm not at home so cannot look at any of my scripts or do any testing, but you'll want something like:
Code:

# Read one IP (or CIDR) per line from the list file and drop all inbound traffic from it
for IP_TO_BLOCK in $(cat your_block_list_file) ; do
    iptables -I INPUT -s "$IP_TO_BLOCK" -j DROP
done

My script writing has a lot of trial and error in it so you may find my for loop is not remotely correct but I hope it gives you the idea.

[edit]
Scriptlet checked and quotes removed from for line.
[/edit]
Nick Howitt
Platinum Boarder
Posts: 4142
Last Edit: 2012/06/19 16:01 By NickH.
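A more defensive version of that rc.firewall.local loop, added here as an example and not Nick's or ClearOS's own script: it validates each entry as an IPv4 address or CIDR before it ever reaches iptables, skips comments, blank lines and duplicates, and collects the DROP rules in a dedicated chain so the whole list can be flushed and reloaded without touching the rest of the firewall. The blocklist path and the chain name are assumptions; the script only prints the iptables commands, so you can inspect them before piping them to sh.

```shell
#!/bin/bash
# Added example, not part of the thread. Assumed inputs: BLOCKLIST holds one
# IPv4 address or CIDR per line ('#' starts a comment); CHAIN is our own chain.
BLOCKLIST="${BLOCKLIST:-/etc/spam_blocklist.txt}"   # assumed path
CHAIN="SPAMBLOCK"                                    # assumed chain name

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    local entry="$1" ip prefix octet
    ip="${entry%%/*}"
    prefix="${entry#*/}"
    [ "$prefix" = "$entry" ] && prefix=32          # no prefix given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.                                    # split the address on dots
    set -- $ip
    [ $# -eq 4 ] || return 1                       # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for every valid, unique entry in file $1.
# Malformed lines are reported on stderr and skipped; nothing is executed here.
build_block_rules() {
    local file="$1" line entry
    # (Re)create the chain and hook it at the top of INPUT (idempotent reload).
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    printf 'iptables -D INPUT -j %s 2>/dev/null; iptables -I INPUT -j %s\n' "$CHAIN" "$CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$entry" ] && continue
        if is_ipv4_cidr "$entry"; then
            printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done < "$file" | awk '!seen[$0]++'            # drop duplicate rules
}

# Usage from rc.firewall.local: build_block_rules "$BLOCKLIST" | sh
```

Because the rules live in their own chain, re-running the script after editing the list replaces the old set instead of stacking a second copy in INPUT.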
 