[TriLUG] defense against dictionary attacks?

Jon Carnes jonc at nc.rr.com
Fri Jun 25 16:29:24 EDT 2004


On Fri, 2004-06-25 at 16:14, Aaron S. Joyner wrote:

> In general, we see an awful lot of dictionary attacks here at Intrex, 
> and it's not something we process the logs or firewall against to 
> block.  Be very careful with setting up automated systems that monkey 
> with your firewall rules; it can have very unfortunate results if 
> someone decides to exploit the way you have it setup, and even more 
> likely, accidents and floods of mail to users who don't exist do happen 
> naturally.  Twould be bad to block yahoo or aol because some newbie on 
> their service made a few typos or cut-n-pasted his mother's address 
> wrong 50 times into his forwarding list (stranger things have happened).
> 
> Also, note that processing the logs during a dictionary attack can get 
> very processor-intensive, especially if you're not careful in your regex 
> writing (I didn't even look closely at Jon's example, this in no way 
> should be interpreted as a reflection on his code).  Just be careful 
> that you're not doing more work in defense than you're saving from the 
> minimal overhead of "550 user not found in local recipients table".  :)
> 
> Either way, I'm curious to hear how it turns out.  :)
> Best of luck,
> Aaron S. Joyner

You could expand the earlier script and add a nospamdb file (containing IPs
that should be ignored by the script). To do so, simply add a line to
exit the script if the IP is in your nospamdb file:
  if grep -wq "$BADIP" nospamdb; then exit; fi

Also, with a bit of trial and error you can gauge just how many entries
will be in your info file after a minute of being attacked, and instead
of grepping the whole file, you can simply grep the end of the file. To
grep the last 200 entries:
  tail -n 200 "$INFO" | grep "$ENTRIES" | grep " 550 " | ...

This is extremely fast and makes the script take under a second to
execute.

Jon
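A worked version of what this thread describes, added here as an example rather than Jon's actual script: it reads only the tail of the mail log, counts "550" rejections per client IP, skips any IP listed in an allowlist file (the nospamdb idea), and only reports the result, so the decision to touch firewall rules stays with a human, as Aaron cautions. The Postfix-style log layout, file names and thresholds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Jon's script: report (never block) the IPs behind a
# burst of "550 user not found" rejections in the last N lines of a mail
# log, skipping IPs listed in an allowlist file (Jon's "nospamdb" idea).
# Log layout, file names and thresholds are constructed assumptions.

# Write constructed sample data into directory $1: maillog and nospamdb.
make_samples() {
    echo "192.0.2.9" > "$1/nospamdb"          # allowlisted relay
    # 203.0.113.7: four unknown recipients (the dictionary attacker)
    # 192.0.2.9: three unknown recipients, but allowlisted
    # 198.51.100.4: two typos, below the threshold
    for ip in 203.0.113.7 192.0.2.9 203.0.113.7 198.51.100.4 192.0.2.9 \
              203.0.113.7 192.0.2.9 198.51.100.4 203.0.113.7; do
        echo "Jun 25 16:01:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT" \
             "from unknown[$ip]: 550 5.1.1 <nobody@example.com>: User unknown"
    done > "$1/maillog"
    # A non-550 line, which the filter must ignore
    echo "Jun 25 16:01:02 mx postfix/smtpd[123]: ABC123: client=unknown[203.0.113.7] 250 ok" \
        >> "$1/maillog"
}

# Usage: suspect_ips LOG ALLOWLIST TAIL_LINES THRESHOLD
# Prints "ip count" for each non-allowlisted IP with >= THRESHOLD 550s.
suspect_ips() {
    log=$1; allow=$2; n=$3; thresh=$4
    # Only the tail of the log is read, as Jon suggests, so the cost stays
    # bounded however large the log grows during an attack.
    tail -n "$n" "$log" | grep ' 550 ' \
      | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c \
      | while read -r count ip; do
            [ "$count" -ge "$thresh" ] || continue
            # -F -x: fixed-string, whole-line match, so the dots in the IP
            # are not regex wildcards and 10.1.1.1 cannot match 10.1.1.10
            grep -qFx "$ip" "$allow" && continue
            echo "$ip $count"
        done
}

# Demo on the constructed sample: expect "203.0.113.7 4"
dir=$(mktemp -d)
make_samples "$dir"
suspect_ips "$dir/maillog" "$dir/nospamdb" 200 3
rm -rf "$dir"
```

Feeding the output to a notification or a ticket, rather than straight into a firewall rule, keeps a typo-prone but legitimate sender from being cut off automatically.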
