This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
Advisor
‎2017-11-29 01:25 AM

Blocking SMTP connections

Is there a way to set a trip guard on SMTP connections and start blocking a source IP address after N failures on the SMTP protocol? SAM blocking comes to mind here.

The issue is I have a mail server (Barracuda Email Security Gateway) that gets hammered on every now and again by some silly system that tries hundreds of relay attempts with credential guessing. The barracuda blocks them after a few attempts but my log on the box fills up rather fast this way. I was just curious if there is way to block this in R80.10 with one of the blades.

Or do I need to get some extra logic device that will correlate the syslog events of the Barracuda and fire up a SAM blocking action? (Do I have a business case for Splunk here 😉

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
6 Replies
Timothy_Hall
Champion
Champion
‎2017-11-29 05:19 AM

Check out the fw samp and sim_dos commands.  You can establish a quota in SecureXL that will throttle/limit these connections and essentially tarpit them.  Once the spammer realizes you are doing this, they will go out of their way to leave you alone since you are slowing down their flow of spam.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Hugo_vd_Kooij
Advisor
‎2017-12-05 06:55 AM
In response to Timothy_Hall

My first  attempt is ... interresting:

[Expert@fw01:0]# fw samp add -a d -l r quota service tcp/25 new-con-rate 1 track source
Segmentation fault (core dumped)

(I allready had a core dump this morning. So I wasn't looking for another one 😉

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Timothy_Hall
Champion
Champion
‎2017-12-05 07:03 AM
In response to Hugo_vd_Kooij

Hmm I'd say so.  Firewall version?  Shouldn't that be new-conn-rate and not new-con-rate?  Although a seg fault is not exactly an appropriate response an incorrect parameter...

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Hugo_vd_Kooij
Advisor
‎2017-12-12 05:32 AM
In response to Timothy_Hall

After HFA 56 it does not perform any core dumps.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Keith_Mcdonald
Participant
‎2019-03-25 10:45 AM
In response to Hugo_vd_Kooij

What is the command to execute for 80.20 FW version, Gaia OS. 5200.   I also want to rate limit my smtp traffic. But some of these commands have changed in 80.20. 

Thanks!

 

 

0 Kudos
Keith_Mcdonald
Participant
‎2019-04-04 10:35 AM
In response to Hugo_vd_Kooij

Here is the corrected syntax for smtp connections coming in. 

fw samp add -a d -l r quota service 25 source any new-conn-rate 1 track source flush true

 80.20 this works on. Please apply this to your gateways.  The flush true at the end will ensure the rule gets applied immediately.

 

 

Preview file
35 KB
0 Kudos