Brute force attacks
Every now and then, I notice a huge peak in my incoming network traffic, which usually comes with a big-ish peak in CPU use and in IO. When I check the logs, they are almost always hits against the firewall, on port 25 (usually) from a few different IP addresses.
I'm pretty confident about my security (iptables in place, non-custom ports being used, but most services closed to the outside), though I'm sure there's space for improvement.
But my concern right now is if there is a way to tell iptables to stop logging after x hits by a single IP, or if there is a way to "ignore" this traffic. Is this a good idea? Or is it better to sacrifice the CPU and IO usage in order to actually have logs in case something goes wrong?
Also, as I'm pretty new to this, is this usual? Is there something I can do to avoid it?
Thanks!
Reven
3 Replies
iptables -A INPUT -m limit --limit 10/minute -j LOG
This rule matches any packet (which is overkill; in practice you'll want to use additional parameters to match just what you're dropping), but only at a rate of ten per minute. Packets exceeding this rate will not be logged. It's a rather naive approach in that it doesn't care whether the packets are identical (that is, it doesn't check that the suppressed log lines are repeats or are different) or that they even come from the same source. But it may be what you're looking for.
I imagine that the attempts to connect to port 25 are just spambots. I'm a bit surprised that it would cause such CPU usage, but that may depend on your firewall configuration.
@Vance:
I imagine that the attempts to connect to port 25 are just spambots. I'm a bit surprised that it would cause such CPU usage, but that may depend on your firewall configuration.
I'm pretty sure the CPU and I/O usage comes from his FW attempting to track and log the brute force attempts. I've seen machines go down when trying to track high traffic, not just because of the high number of attempts but because of the total package: high traffic, the logging of the high traffic to a file, the stateful connection tracking of such traffic, etc.
If it were coming from one (or several) domain(s), maybe he could create a rule to block and not log that one (or several) domain(s).
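Added example (not code from either reply): a small Python simulation of the token bucket behind iptables' `-m limit`, run once as a single shared bucket (the rule in the first reply, which does not distinguish sources) and once with one bucket per source address (what the `-m hashlimit --hashlimit-mode srcip` match provides, the per-host approach the second reply hints at). The packet timeline and the two addresses are constructed; the burst of 5 is iptables' `--limit-burst` default.

```python
# Added example (not code from this thread): the token bucket behind iptables'
# `-m limit`, run as one shared bucket (Vance's rule) and as one bucket per
# source address (what `-m hashlimit --hashlimit-mode srcip` provides).
from collections import defaultdict

class TokenBucket:
    """Up to `burst` tokens (iptables' --limit-burst default is 5), refilled
    at `rate` tokens per second; one token is spent per logged packet."""

    def __init__(self, rate, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time (capped at burst), then spend a token if one is left.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate_log(packets, rate_per_min, burst=5, per_source=False):
    """Return the (timestamp, src_ip) pairs that would reach `-j LOG`.
    per_source=False: one bucket for all traffic, like `-m limit`.
    per_source=True: a bucket per src_ip, like `-m hashlimit --hashlimit-mode srcip`."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_min / 60.0, burst))
    logged = []
    for ts, src in sorted(packets):
        if buckets[src if per_source else "*"].allow(ts):
            logged.append((ts, src))
    return logged

def count_by_source(logged):
    """Log lines per source address."""
    counts = defaultdict(int)
    for _, src in logged:
        counts[src] += 1
    return dict(counts)

# Constructed traffic (RFC 5737 documentation addresses): 100 port-25 probes in
# one second from one host, plus three packets from a second host in the same second.
FLOOD, OTHER = "203.0.113.5", "198.51.100.7"
SAMPLE = [(i / 100.0, FLOOD) for i in range(100)] + [(0.505, OTHER), (0.515, OTHER), (0.525, OTHER)]

if __name__ == "__main__":
    print("shared bucket (-m limit):  ", count_by_source(simulate_log(SAMPLE, 10)))
    print("per-source (-m hashlimit): ", count_by_source(simulate_log(SAMPLE, 10, per_source=True)))
```

With the shared bucket the flood exhausts the burst and the second host's three packets are never logged; with a bucket per source the flood is still capped at five lines while the second host's packets all reach the log.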