IOS Firewall (ZBF) Limit SMTP connections from same IP

NISITNETC
Level 1

Hello,

we are running a Postfix MTA behind an IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attempts like

postfix/smtpd[123456]: connect from (...)

(...)

postfix/smtpd[123456]: lost connection after AUTH from (...)

in one second. Maybe brute force or DoS ... nevertheless - we would like to protect the Postfix MTA from this stuff.

Can we inspect the smtp and limit connections in a time period from the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" ...

Thanks for your input : )
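
The rule asked for above ("not more than 10 smtp connections during 60 seconds from the same ip") is easy to measure on the Postfix side even when the firewall cannot learn it by itself. The following Python script is an added example, not code from this thread or from Cisco or Postfix: it parses smtpd syslog lines in the standard layout (assumed, with a year supplied because syslog timestamps carry none), keeps a sliding 60-second window of "connect from" events per source IP, and reports the addresses whose peak count exceeds the threshold, plus how many of their sessions ended in "lost connection after AUTH". The sample log lines are constructed for the demo. The resulting address list is what you would feed into a manually maintained ACL on the router or into a fail2ban-style blocker on the host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd syslog line, assumed standard layout, e.g.
# "Mar  3 12:00:01 mx1 postfix/smtpd[12345]: connect from unknown[203.0.113.7]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"postfix/smtpd\[\d+\]:\s+"
    r"(?P<event>connect from|lost connection after AUTH from)\s+"
    r"\S*\[(?P<ip>[0-9.]+)\]"
)


def parse_line(line, year=2024):
    """Return (timestamp, event, ip) for connect/AUTH-abort lines, else None.
    Syslog timestamps have no year, so one is assumed (not from the thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["event"], m["ip"]


def find_offenders(lines, threshold=10, window_seconds=60):
    """Sliding-window count of 'connect from' events per source IP.

    Lines are assumed to be in chronological order, as syslog writes them.
    Returns (offenders, auth_aborts): offenders maps each IP whose peak
    number of connects inside any window exceeded `threshold` to that peak;
    auth_aborts counts 'lost connection after AUTH' per IP.
    """
    windows = defaultdict(deque)   # ip -> timestamps of connects in the window
    peak = defaultdict(int)        # ip -> highest window occupancy seen
    auth_aborts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event.startswith("lost connection"):
            auth_aborts[ip] += 1
            continue
        q = windows[ip]
        q.append(ts)
        # Drop connects that fell out of the trailing window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    offenders = {ip: n for ip, n in peak.items() if n > threshold}
    return offenders, dict(auth_aborts)


def build_sample_log():
    """Constructed sample log (not the poster's real data): 12 connects in
    12 seconds from 203.0.113.7, each followed by an aborted AUTH, three
    connects from 198.51.100.4, and one more connect from 203.0.113.7 ten
    minutes later, i.e. outside the window."""
    events = []
    for i in range(12):
        events.append((i, "203.0.113.7", "connect from"))
        events.append((i, "203.0.113.7", "lost connection after AUTH from"))
    for i in (5, 20, 40):
        events.append((i, "198.51.100.4", "connect from"))
    events.append((600, "203.0.113.7", "connect from"))
    events.sort(key=lambda e: e[0])  # stable, keeps connect before its abort
    base = datetime(2024, 3, 3, 12, 0, 0)
    lines = []
    for offset, ip, event in events:
        ts = base + timedelta(seconds=offset)
        # syslog pads the day to two characters, hence "Mar  3"
        lines.append(
            f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S} mx1 postfix/smtpd[4242]: "
            f"{event} unknown[{ip}]"
        )
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    offenders, aborts = find_offenders(SAMPLE_LOG)
    for ip, n in offenders.items():
        print(f"{ip}: peak {n} connects/60s, {aborts.get(ip, 0)} aborted AUTHs")
```

Run it against a real `/var/log/mail.log` by passing the file object to `find_offenders` instead of `SAMPLE_LOG`; lower `threshold` or shorten `window_seconds` to tune for your traffic.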

8 Replies

NISITNETC
Level 1

TAC Service Request opened today ... Let's wait for the professional solution.

malshbou
Level 1

Hi,

yes, surely you can.

you can limit the smtp connections in ZBFW for specific IP and a specific period (one minute):

    ! values in <> are placeholders, not part of the original post
    access-list 100 permit ip host <source-ip> host <mail-server-ip>

    class-map type inspect match-all smtp_class
     match protocol smtp
     match access-group 100

    parameter-map type inspect smtp_par_map
     one-minute high <new-connections-per-minute>

    policy-map type inspect smtp_policy
     class type inspect smtp_class
      inspect smtp_par_map

    ! smtp_policy still has to be attached to the relevant zone-pair with
    ! "service-policy type inspect smtp_policy" (not shown in the post)

Hope this helps, please let us know if this works with your requirement,

Mashal

------------------ Mashal Shboul

Hi Mashal,

thanks !

This limits, in general, a fixed source IP to a fixed destination IP.

> I am looking for something more complex - from a single detected IP to a fixed destination.

With your configuration the complete smtp connection is stopped if one spammer breaks the limit. All the others have no access anymore.

Example:

x.x.x.x tries to connect with more than 100 smtp connections to our e-mail server y.y.y.y. Only 100 connections can be established for the IP x.x.x.x.

- all further connections from the IP x.x.x.x are blocked because of the limit and for 120 seconds

- but all other IPs are not blocked

Is it possible to close the access for the detected source IP?

Hello,

You mean detected automatically??? No, for that you will need another device or feature such as an IPS/IOS-IPS.

You could configure a policy manually for that IP making reference to the parameter-map previously defined, but dynamically there is no way.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

> You mean detected automatically???

It's the same process used for "stateful connections" or "inspect". Yes - that's automatically.

> No, for that you will need another device or feature such as an IPS/IOS-IPS.

IPS, yes - that's what I need. Did you or someone else configure IPS relating to my question? Would be nice to get some input - Thanks !

Hello,

1) No, because what you are looking for is for the firewall to identify who is doing more than X connections to one of your boxes so it can apply some protection.

You will need to add manually who the host is, that is my point. There is no way to just tell the firewall to learn it.

It's very different from the usage of the stateful table; we are trying to cover a DoS attack here, it's different.

2) Yes, I have worked with IPSs as well... Do you have one? What model do you have?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

ok -

1) Can this problem (see first post) be solved with any DoS solution on smtp connections?

2) I think IPS is just another area - sorry, maybe it got mixed up a little. We have an IOS-IPS license with our IOS 15.x on the CISCO 1921 - but it did not perform as well as we expected.

1) It can be done as specified by Mashal but it will be applied to all the connections, or only to the ones you configure manually.

2) Okay got it

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC