Brute force attacks

Hi,

Every now and then, I notice a huge peak in my incoming network traffic, which usually comes with a big-ish peak in CPU use and in IO. When I check the logs, they are almost always hits against the firewall, on port 25 (usually) from a few different IP addresses.

I'm pretty confident about my security (iptables in place, non-custom ports being used, but most services closed to the outside), though I'm sure there's space for improvement.

But my concern right now is if there is a way to tell iptables to stop logging after x hits by a single IP, or if there is a way to "ignore" this traffic. Is this a good idea? Or is it better to sacrifice the CPU and IO usage in order to actually have logs in case something goes wrong?

Also, as I'm pretty new to this, is this usual? Is there something I can do to avoid it?

Thanks!

Reven

3 Replies

Look into something like fail2ban or denyhosts

Fail2ban and denyhosts are valuable. A simpler approach to the specific log question would be to use the limit module in your logging rule. For example:

iptables -A INPUT -m limit --limit 10/minute -j LOG

This rule matches any packet (which is overkill; in practice you'll want to use additional parameters to match just what you're dropping), but only at a rate of ten per minute. Packets exceeding this rate will not be logged. It's a rather naive approach in that it doesn't care whether the packets are identical (that is, it doesn't check that the suppressed log lines are repeats or are different) or that they even come from the same source. But it may be what you're looking for.

I imagine that the attempts to connect to port 25 are just spambots. I'm a bit surprised that it would cause such CPU usage, but that may depend on your firewall configuration.

@Vance:

I imagine that the attempts to connect to port 25 are just spambots. I'm a bit surprised that it would cause such CPU usage, but that may depend on your firewall configuration.

I'm pretty sure the CPU and I/O usage comes from his FW attempting to track and log the brute force attempts. I've seen machines go down when trying to track high traffic…not just because of the high number of attempts but because of the total package…high traffic, the logging of the high traffic to a file, the stateful connection tracking of such traffic, etc.

If it were coming from one (or several) domain(s), maybe he could create a rule to block and not log that one (or several) domain(s).
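To make concrete both the "limit doesn't care about the source" caveat in Vance's reply and the per-source idea in the reply above, here is an added example (not code from the thread) that models the iptables `limit` module as a single shared token bucket and compares it with one bucket per source address, as `hashlimit --hashlimit-mode srcip` keeps. It assumes `-m limit` behaves as a bucket that starts full at `--limit-burst` (default 5) and refills at `--limit`; the packet trace is constructed.

```python
"""Shared vs per-source rate limiting of firewall LOG lines (added example).
Assumption: `-m limit` is a token bucket starting full at --limit-burst
(default 5) and refilling at --limit; the trace below is constructed."""
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """`burst` tokens, refilled at `rate` tokens per second (exact arithmetic)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = Fraction(burst), Fraction(0)

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def logged_per_source(trace, rate_per_min, burst=5, per_source=False):
    """Return {src: hits that would reach the LOG target} for a (time, src) trace.

    per_source=False models `-m limit` (one bucket for every packet);
    per_source=True models one bucket per source, as hashlimit srcip would."""
    rate = Fraction(rate_per_min, 60)
    shared = TokenBucket(rate, burst)
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(int)
    for now, src in sorted(trace):
        if (buckets[src] if per_source else shared).allow(now):
            counts[src] += 1
    return dict(counts)


# Constructed trace (seconds, source): one bot hitting port 25 ten times a
# second for 20 s, plus two hosts that each send five hits one second apart.
TRACE = ([(Fraction(i, 10), "198.51.100.7") for i in range(200)]
         + [(Fraction("5.05") + i, "203.0.113.9") for i in range(5)]
         + [(Fraction("20.05") + i, "192.0.2.33") for i in range(5)])

if __name__ == "__main__":
    for mode in (False, True):
        label = "per-source" if mode else "shared    "
        print(label, logged_per_source(TRACE, 10, per_source=mode))
```

With the shared bucket the bot's burst exhausts the tokens, so the two quieter hosts lose almost all of their log lines; with a bucket per source each host keeps its own five entries while the bot is still capped.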
