Limiting simultaneous SMTP connections
For the past three days, I've been seeing my mail server get hammered occasionally with too many simultaneous connections from various outside servers. My mail server has detected the connections as malicious and is rejecting them, but there's so many that no new valid connections can be made until the flood subsides.
I end up playing whack-a-mole with the IP addresses putting block rules in pfSense to free up the mail server.
I can't find any Snort rule which prevents this. I tried to figure out how to create a custom rule to prevent this, but I haven't been able to understand the Snort rule syntax yet.
Can anybody suggest a way to solve this problem?
Gertjan last edited by Gertjan
A little hammering on a mail server isn't necessarily a bad thing. It helps to keep you, and itself, in shape.
I'm not running myself a mail server behind pfSense, I hide it behind an empty iptables firewall (really : true, it's empty when the machine starts). I'm using world's famous fail2ban to scan the mail server log file, and when fail2ban finds suspicious actions like rejected mail connections then it will load the IP into the firewall for some time.
This is the result. Blocking some 5k IP's right now, and counting. It will be holiday soon, so some new scores will be reached in a week or so.
fail2ban scans all log files of all server type applications, from SSH to mail to web server and some others. Blocking suspicious IP's was solved a decade or two ago. Just let the tools work for you ^^
Btw : setting up the tools is one thing. You, as an admin, has to read => yep, read ! - the logs to see for new behavior, and if found one, add new filters for it. It's a never ending story. Live is hard when you don't (know how to) script.