I have written a Perl program that protects a Linux MTA running Postfix.
The program sniffs /var/log/mail. If a host is doing something wrong/illegal, it will be blocked for 24 hours.
Three illegal attempts in 20 minutes trigger a drop action in firewalld.
Sorry for the comments in the script being in Danish.
Installation:
- Download the file autofirewall.pl
- Edit the user and password for MySQL access in the file:

    # ### MAIN LOOP ###
    # Connect to the database
    $dbh = DBI->connect("dbi:mysql:$firewalldb", "USER", "PASSWD")
        or die "Kunne ikke forbinde til databasen: $firewalldb\n";

- Edit the WAN IP and the whitelisted IP ranges:

    my $wanaddr = "aaa.bbb.ccc.ddd";                 # /32
    my @whitelist = ("aaa.bbb.ccc", "aaa.bbb.ddd");  # /24

- Get the SQL definitions file autofirewall.sql and apply it to the autofirewall database.
- Do "chmod 555 autofirewall.pl"
- Run autofirewall.sql in MySQL or MariaDB
- Add "*/10 * * * * /path/to/autofirewall.pl >> /path/to/logfile" to root's crontab
- Your MTA is now protected against brute force attacks.
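As an added illustration of the rule described above (three failures within 20 minutes, WAN address and whitelisted /24 ranges never blocked, offenders dropped with firewall-cmd), here is example code written for this page in Python; it is not the autofirewall.pl script and does not use its database. The log lines are constructed, and the `--timeout=24h` runtime rich rule is an assumption: the real script records blocks in its database and restores them after a flush or reboot.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)  # three failures inside this window ...
THRESHOLD = 3                   # ... trigger one drop rule
BLOCK_TIME = "24h"              # firewall-cmd --timeout value (assumption, see lead-in)
WAN_ADDR = "192.0.2.1"          # constructed: own WAN /32, never blocked
WHITELIST_24 = ("198.51.100",)  # constructed: trusted /24 prefixes, never blocked

# Constructed postfix/smtpd lines (not taken from the original post or its script).
SAMPLE_LOG = """\
Jan 14 10:00:02 mx postfix/smtpd[1001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 10:25:10 mx postfix/smtpd[1002]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 10:30:00 mx postfix/smtpd[1003]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 10:31:00 mx postfix/smtpd[1004]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 10:31:05 mx postfix/smtpd[1005]: warning: relay.example[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 14 10:31:06 mx postfix/smtpd[1005]: warning: relay.example[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 14 10:31:07 mx postfix/smtpd[1005]: warning: relay.example[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 14 10:32:00 mx postfix/smtpd[1006]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")

def parse_failures(text, year=2016):
    """Return (timestamp, ip) per SASL auth failure, oldest first; syslog lines carry no year."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = " ".join(m["ts"].split())  # syslog pads days below 10 with a second space
        events.append((datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y"), m["ip"]))
    return sorted(events)

def offenders(events):
    """IPs whose THRESHOLD-th most recent failure lies within WINDOW of the newest one."""
    history, blocked = defaultdict(list), []
    for ts, ip in events:
        trusted = ip == WAN_ADDR or ip.rsplit(".", 1)[0] in WHITELIST_24
        if trusted or ip in blocked:
            continue
        history[ip].append(ts)
        if len(history[ip]) >= THRESHOLD and ts - history[ip][-THRESHOLD] <= WINDOW:
            blocked.append(ip)
    return blocked

def drop_command(ip):
    """argv of the firewalld drop rule for one offender (assumed form; run it with subprocess)."""
    return ["firewall-cmd", "--add-rich-rule",
            f"rule family=ipv4 source address={ip} drop", f"--timeout={BLOCK_TIME}"]
```

Note that the first three failures from 203.0.113.5 span 30 minutes and do not trigger a block; only the fourth one, which brings three failures inside 20 minutes, does.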
Update 2016/01/14:
Minor fixes, and a new function that restores the firewall rules after a firewall flush or a system reboot.
Update 2024/01/05:
Script changed to use firewall-cmd.
Database structure is now on MariaDB.