Hugo_vd_Kooij
Advisor

Blocking SMTP connections

Is there a way to set a trip guard on SMTP connections and start blocking a source IP address after N failures on the SMTP protocol? SAM blocking comes to mind here.

The issue is I have a mail server (Barracuda Email Security Gateway) that gets hammered on every now and again by some silly system that tries hundreds of relay attempts with credential guessing. The barracuda blocks them after a few attempts but my log on the box fills up rather fast this way. I was just curious if there is way to block this in R80.10 with one of the blades.

Or do I need to get some extra logic device that will correlate the syslog events of the Barracuda and fire up a SAM blocking action? (Do I have a business case for Splunk here? 😉)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
6 Replies
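The "extra logic device" asked about above, as an added example that is not from the thread or from Check Point: a small correlator that reads SMTP auth-failure syslog lines, trips after N failures from one source inside a time window, and prints the SAM block command for each tripped source. The log format is constructed (a real Barracuda line will differ) and the `fw sam -t <secs> -I src <ip>` syntax is assumed from Check Point's SAM CLI, not taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines, not real Barracuda output (format assumed).
SAMPLE_LOGS = [
    "Jan 10 10:00:01 cuda smtp[1234]: 203.0.113.5 - authentication failed for user bob",
    "Jan 10 10:00:02 cuda smtp[1234]: 203.0.113.5 - authentication failed for user alice",
    "Jan 10 10:00:04 cuda smtp[1234]: 198.51.100.7 - authentication failed for user eve",
    "Jan 10 10:00:05 cuda smtp[1234]: 203.0.113.5 - authentication failed for user admin",
    "Jan 10 10:00:06 cuda smtp[1234]: 192.0.2.9 - message accepted",
    "Jan 10 10:30:00 cuda smtp[1234]: 198.51.100.7 - authentication failed for user eve",
    "Jan 10 10:31:00 cuda smtp[1234]: 198.51.100.7 - authentication failed for user eve",
]

# Matches only SMTP authentication failures; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtp\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - authentication failed")

def tripped_sources(lines, threshold=3, window_secs=60):
    """Return source IPs with >= threshold auth failures inside any window_secs span."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    tripped = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; they are only compared to each other here
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_secs:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in tripped:
            tripped.append(ip)
    return tripped

def sam_commands(ips, timeout=3600):
    """SAM block command per tripped source (fw sam -I: inhibit and close connections; assumed syntax)."""
    return [f"fw sam -t {timeout} -I src {ip}" for ip in ips]

if __name__ == "__main__":
    for cmd in sam_commands(tripped_sources(SAMPLE_LOGS)):
        print(cmd)
```

With the sample data only 203.0.113.5 trips (three failures in four seconds); 198.51.100.7 never reaches three failures inside one minute.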
Timothy_Hall
Champion

Check out the fw samp and sim_dos commands.  You can establish a quota in SecureXL that will throttle/limit these connections and essentially tarpit them.  Once the spammer realizes you are doing this, they will go out of their way to leave you alone since you are slowing down their flow of spam.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Hugo_vd_Kooij
Advisor

My first attempt is ... interesting:

[Expert@fw01:0]# fw samp add -a d -l r quota service tcp/25 new-con-rate 1 track source
Segmentation fault (core dumped)

(I already had a core dump this morning, so I wasn't looking for another one 😉)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Timothy_Hall
Champion

Hmm, I'd say so.  Firewall version?  Shouldn't that be new-conn-rate and not new-con-rate?  Although a seg fault is not exactly an appropriate response to an incorrect parameter...

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Hugo_vd_Kooij
Advisor

After HFA 56 it does not perform any core dumps.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Keith_Mcdonald
Participant

What is the command to execute for the 80.20 FW version, Gaia OS, 5200. I also want to rate limit my SMTP traffic, but some of these commands have changed in 80.20.

Thanks!

0 Kudos
Keith_Mcdonald
Participant

Here is the corrected syntax for incoming SMTP connections.

fw samp add -a d -l r quota service 25 source any new-conn-rate 1 track source flush true

This works on 80.20. Please apply this to your gateways. The flush true at the end will ensure the rule gets applied immediately.

0 Kudos