Hi!

I run a heavily loaded email server which receives several connections per second. Testing antispam and antivirus for each message received consumes a lot of CPU, as you may imagine.

I would want to drop connections from offenders (IP addresses that have sent several messages with high punctuation spam during a certain period) for some time (let it be 10 minutes).

I currently parse the logfile of spamassassin and issue "shorewall drop" and "shorewall allow" commands with a perl script, but I feel that the "timeout" should be controlled by a "recent" match (so offenders trying to reconnect get bigger timeouts). Can this be achieved with shorewall?

Regards

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

On Mon, Mar 03, 2008 at 10:24:07PM +0100, Eduardo Diaz Comellas wrote:
> I currently parse the logfile of spamassassin and issue "shorewall drop"
> and "shorewall allow" commands with a perl script, but I feel that the
> "timeout" should be controlled by a "recent" match (so offenders trying
> to reconnect get bigger timeouts). Can this be achieved with shorewall?

It may be possible, but you're trying to make a simple problem very complicated. Just use an ipset and leave it there.

Andrew Suffield wrote:
> On Mon, Mar 03, 2008 at 10:24:07PM +0100, Eduardo Diaz Comellas wrote:
>> I currently parse the logfile of spamassassin and issue "shorewall drop"
>> and "shorewall allow" commands with a perl script, but I feel that the
>> "timeout" should be controlled by a "recent" match (so offenders trying
>> to reconnect get bigger timeouts). Can this be achieved with shorewall?
>
> It may be possible, but you're trying to make a simple problem very
> complicated. Just use an ipset and leave it there.

fail2ban may be a good option to investigate as well.
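
Added example, not part of the thread and not code from any of the posters: the log-driven ban with growing timeouts that the first message asks about, written in Python and producing entries for an ipset with per-entry timeouts. The log format, the thresholds, the doubling rule and the set name `spammers` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified, hypothetical format (not real spamd output).
SAMPLE_LOG = """\
2008-03-03T22:00:05 relay=192.0.2.10 score=12.4
2008-03-03T22:00:40 relay=192.0.2.10 score=15.1
2008-03-03T22:01:10 relay=198.51.100.7 score=1.2
2008-03-03T22:02:00 relay=192.0.2.10 score=9.8
2008-03-03T22:20:00 relay=192.0.2.10 score=11.0
2008-03-03T22:20:30 relay=192.0.2.10 score=13.3
2008-03-03T22:21:00 relay=192.0.2.10 score=10.5
2008-03-03T22:30:00 relay=not-an-ip score=99
"""
LINE = re.compile(r"^(\S+) relay=(\S+) score=(-?\d+(?:\.\d+)?)$")

def plan_bans(log, min_score=8.0, hits=3, window=600, base=600, cap=86400):
    """Return [(time, ip, timeout_s)]; each repeat offence doubles the timeout."""
    recent = defaultdict(deque)    # ip -> timestamps of recent high-score spam
    offences = defaultdict(int)    # ip -> number of bans issued so far
    banned_until = {}              # ip -> epoch second at which the current ban ends
    bans = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        try:                       # never turn malformed input into a firewall entry
            ip = str(ipaddress.IPv4Address(m[2]))
        except (TypeError, ValueError):
            continue
        now = datetime.fromisoformat(m[1]).timestamp()
        if float(m[3]) < min_score or banned_until.get(ip, 0) > now:
            continue
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()            # forget hits older than the counting window
        if len(q) >= hits:
            timeout = min(base * 2 ** offences[ip], cap)
            offences[ip] += 1
            banned_until[ip] = now + timeout
            q.clear()
            bans.append((m[1], ip, timeout))
    return bans

def ipset_command(ip, timeout, setname="spammers"):
    # Assumes a set created with timeout support: ipset create spammers hash:ip timeout 600
    return f"ipset add {setname} {ip} timeout {timeout}"
```

Because the set entries expire on their own, no matching "allow" step is needed; the script only has to remember how many times each address has already been banned.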