- Products
- Learn
- Local User Groups
- Partners
-
More
Join Us for CPX 360
23-24 February 2021
Check Point Harmony
Highest Level of Security for Remote Users
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
Advanced Protection for
Small and Medium Business
Secure Endpoints from
the Sunburst Attack
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Is there a way to set a trip guard on SMTP connections and start blocking a source IP address after N failures on the SMTP protocol? SAM blocking comes to mind here.
The issue is I have a mail server (Barracuda Email Security Gateway) that gets hammered on every now and again by some silly system that tries hundreds of relay attempts with credential guessing. The barracuda blocks them after a few attempts but my log on the box fills up rather fast this way. I was just curious if there is way to block this in R80.10 with one of the blades.
Or do I need to get some extra logic device that will correlate the syslog events of the Barracuda and fire up a SAM blocking action? (Do I have a business case for Splunk here 😉
Check out the fw samp and sim_dos commands. You can establish a quota in SecureXL that will throttle/limit these connections and essentially tarpit them. Once the spammer realizes you are doing this, they will go out of their way to leave you alone since you are slowing down their flow of spam.
My first attempt is ... interresting:
[Expert@fw01:0]# fw samp add -a d -l r quota service tcp/25 new-con-rate 1 track source
Segmentation fault (core dumped)
(I allready had a core dump this morning. So I wasn't looking for another one 😉
Hmm I'd say so. Firewall version? Shouldn't that be new-conn-rate and not new-con-rate? Although a seg fault is not exactly an appropriate response an incorrect parameter...
--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon
After HFA 56 it does not perform any core dumps.
What is the command to execute for 80.20 FW version, Gaia OS. 5200. I also want to rate limit my smtp traffic. But some of these commands have changed in 80.20.
Thanks!
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY