How to avoid being "cut off" by

October 28, 2013 by Roberto Puzzanghera 0 comments

As you probably know, spamhaus limits your SMTP and DNS traffic, and on big servers this can be a serious problem.

Luckily, Costel Balta sent me a solution to the problem, which I'm going to paste below. In short, he suggests dynamically creating firewall rules via iptables (or better, shorewall) to block connections from suspicious IPs, in order to decrease the number of requests to the RBL lists by about 80%.

ipset and swatch are also needed, to manage the iptables rules and to scan your logs respectively.

A big thanks to Costel Balta for the following tutorial; this is not the first time that he has posted an original idea.

First of all, the ingredients (ipset and swatch). Install them using your distro's package manager (yum, apt-get, yast...).

Create the ipset:

ipset create blacklistip hash:ip timeout 86400

This command creates an ipset named "blacklistip" with the format "hash:ip" and a timeout of 24 hours (which means that every IP you add to this ipset is removed after 24 hours).

Some interesting examples about ipset/iptables here:
and here:

Create a configuration file for swatch:

> vi /etc/swatch.conf
# Swatch configuration file for constant monitoring

#match spamhaus
watchfor   /451 http\:\/\//
        exec ipset -exist add blacklistip $3

#match spamcop
watchfor   /451 Blocked/
        exec ipset -exist add blacklistip $3

The first line of each match does just that: it matches any log line containing that expression.
The second line executes the ipset command, passing the third column of the log line (the IP address) as a parameter.

I have tried to go further by also adding to the blacklist the IP that generates log lines like:

CHKUSER rejected sender: from <> remote  rcpt <> : invalid sender MX domain

CHKUSER rejected intrusion: from <> remote <[]:unknown:> rcpt <> : rcpt ignored, session over intrusion threshold

For this I added another two "watchfor" entries to my swatch.conf:

#Look for CHKUSER bad MX, if found, block them!
watchfor /CHKUSER rejected sender/
        exec "/usr/local/bin/ipblock $_"

#Look for session over intrusion threshold, if found, block them!
watchfor /CHKUSER rejected intrusion/
        exec "/usr/local/bin/ipblock $_"

Those two pass the entire log line to the script below, which extracts the IP and adds it to our ipset.

> less /usr/local/bin/ipblock
#!/bin/sh
# The log line arrives as the arguments ($_ is split into words by the shell): take the first IPv4 address in it
ip=$(printf '%s\n' "$*" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
[ -n "$ip" ] && ipset -exist add blacklistip "$ip"

Start swatch:

/usr/bin/swatch -c /etc/swatch.conf --script-dir=/var/run --daemon \
--pid-file /var/run/ -t /var/log/qmail/smtpd/current

Some (of my) servers need "--awk-field-syntax" added to the "swatch" start command, so in some cases the previous command should be adjusted as follows:

/usr/bin/swatch -c /etc/swatch.conf --awk-field-syntax --script-dir=/var/run --daemon \
--pid-file /var/run/ -t /var/log/qmail/smtpd/current

I don't know if it is a perl version issue or a swatch issue.

I have also added this to /etc/rc.local.

If using shorewall, add "blacklist" to your interface in /etc/shorewall/interfaces, e.g.:

"net     all             dhcp,physical=+,routeback,optional,blacklist"

Edit/create /etc/shorewall/blacklist like this:

+blacklistip    TCP     25

You may leave out the protocol (TCP) and/or the port (25) if you want to completely block the offending IP.

Adjust the logging settings in your shorewall.conf according to your preferences, and don't forget to restart shorewall.

If you are using plain iptables, refer to the examples in the links at the top.
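As an added example (not code from the original post or from Costel Balta), the script below does what the ipblock script and the shorewall blacklist entry above do for a plain-iptables setup: it pulls the first IPv4 address out of a CHKUSER log line, refuses to add anything when the line carries no address, and installs the set plus a DROP rule for port 25 without duplicating it on re-runs. The set name and rule are the page's; the sample log lines are constructed, and DRY_RUN=1 (the default) only echoes the commands.

```shell
#!/bin/sh
# Added example, not part of the original post: the IP extraction done by
# the ipblock script above, plus the plain-iptables equivalent of the
# shorewall "+blacklistip TCP 25" entry. Set and rule names are the page's;
# everything is routed through run_cmd so DRY_RUN=1 (the default here)
# only echoes the commands instead of touching the firewall.
: "${DRY_RUN:=1}"

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# First IPv4 address in the arguments (the whole log line, as swatch
# passes it with $_); returns 1 and prints nothing when there is none,
# so a line without an address never produces "ipset add blacklistip ''".
extract_ip() {
    printf '%s\n' "$*" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1 | grep .
}

# What ipblock does: add the address, refreshing the 24h timeout if it
# is already in the set (-exist).
block_line() {
    ip=$(extract_ip "$@") || return 1
    run_cmd ipset -exist add blacklistip "$ip"
}

# Plain-iptables counterpart of the shorewall blacklist entry: create the
# set if missing and drop SMTP connections from members. iptables -C
# checks for the rule first so re-running does not insert duplicates.
setup_rules() {
    run_cmd ipset create -exist blacklistip hash:ip timeout 86400
    if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -p tcp --dport 25 \
            -m set --match-set blacklistip src -j DROP 2>/dev/null; then
        run_cmd iptables -I INPUT -p tcp --dport 25 \
            -m set --match-set blacklistip src -j DROP
    fi
}

# Constructed sample log lines in the shape of the CHKUSER messages quoted
# above (addresses from the TEST-NET documentation ranges).
SAMPLE_INTRUSION='@400000005266a1b20b3c9a7c CHKUSER rejected intrusion: from <> remote <[198.51.100.23]:unknown:198.51.100.23> rcpt <> : rcpt ignored, session over intrusion threshold'
SAMPLE_NO_IP='@400000005266a1b20b3c9a7c CHKUSER rejected sender: from <bob@mail.example:> remote <mail.example:unknown:> rcpt <> : invalid sender MX domain'

if [ "${1:-}" = "demo" ]; then
    setup_rules
    block_line "$SAMPLE_INTRUSION"
    block_line "$SAMPLE_NO_IP" || echo "no address in line, nothing added"
fi
```

Run it with `DRY_RUN=0 sh script.sh demo` as root to apply the rules for real; the swatch exec line can then call `block_line`'s logic exactly as ipblock does.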
