03-15-2013 10:57 AM - edited 03-11-2019 06:14 PM
IOS Firewall (ZBF) Limit SMTP connections from same IP
Hello,
we are running a Postfix MTA behind an IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attempts like
postfix/smtpd[123456]: connect from (...)
(...)
postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. Maybe bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
Can we inspect the smtp and limit connections in a time period from the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" ...
Thanks for your input : )
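The per-source threshold asked for above ("not more than 10 smtp connections during 60 seconds from the same ip") as a log-side check, added here as an example that is not from the thread or from Cisco: it parses Postfix `connect from` lines (constructed sample in syslog format, TEST-NET addresses, log year assumed) with a sliding window per client IP and emits a deny ACE for each source over the limit. The ACL number and where it is applied are left to the admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix syslog line for a new SMTP client connection; captures timestamp and client IP.
CONNECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S*\[([0-9a-fA-F.:]+)\]"
)
LOG_YEAR = 2013  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample: 12 connects from one TEST-NET host within 22 seconds,
# then one "lost connection after AUTH", and a single connect from another host.
SAMPLE_LOG = "\n".join(
    [f"Mar 15 10:57:{s:02d} mx postfix/smtpd[12345]: connect from unknown[203.0.113.5]"
     for s in range(0, 24, 2)]
    + ["Mar 15 10:57:30 mx postfix/smtpd[12345]: lost connection after AUTH from unknown[203.0.113.5]",
       "Mar 15 10:57:31 mx postfix/smtpd[12346]: connect from mail.example.net[198.51.100.7]"]
)


def find_bursting_sources(log_text, limit=10, window_seconds=60):
    """Return {client_ip: peak_count} for every source that opened more than
    `limit` SMTP connections inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:                 # only "connect from" lines count as new connections
            continue
        ts = datetime.strptime(f"{m.group(1)} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire entries outside the window
            q.popleft()
        if len(q) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def deny_aces(offenders, mail_server_ip="<mail-server-ip>"):
    """Extended-ACL entries blocking SMTP from each flagged source (server IP is a placeholder)."""
    return [f"deny tcp host {ip} host {mail_server_ip} eq smtp" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_bursting_sources(SAMPLE_LOG)
    print(hits)                          # {'203.0.113.5': 12}
    print("\n".join(deny_aces(hits)))
```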
03-23-2013 09:41 AM
TAC Service Request opened today ... Let's wait for the professional solution.
03-23-2013 12:55 PM
Hi,
yes, surely you can.
you can limit the smtp connections in ZBFW for a specific IP and a specific period (one minute):

! source and destination hosts are placeholders, fill in the client and mail server IPs
access-list 100 permit ip host <client-ip> host <mail-server-ip>
!
class-map type inspect match-all smtp_class
 match protocol smtp
 match access-group 100
!
parameter-map type inspect smtp_par_map
 ! placeholder: the per-minute threshold value was missing from the post
 one-minute high <max-new-connections>
!
policy-map type inspect smtp_policy
 class smtp_class
  inspect smtp_par_map
Hope this helps, please let us know if this works with your requirement,
Mashal
03-27-2013 07:05 AM
Hi Mashal,
thanks !
This limits in general a fixed source IP to a fixed destination IP.
> I search for some more complexity - from a single detected IP to a fixed destination.
With your configuration the complete smtp connection is stopped if one spammer breaks the limit. All the others have no access anymore.
Example:
x.x.x.x tries to connect with more than 100 smtp connections to our e-mail server y.y.y.y. Only 100 connections can be established for the IP x.x.x.x.
- all further connections from the IP x.x.x.x are blocked because of the limit and for 120 seconds
- but all other IPs are not blocked
Is it possible to close the access for the detected source IP?
03-27-2013 12:35 PM
Hello,
You mean detected automatically??? No, for that you will need another device or feature such as an IPS/IOS-IPS.
You could configure a policy manually for that IP making reference to the parameter-map previously defined, but dynamically there is no way,
Regards,
Julio
03-28-2013 02:24 AM
> You mean detected automatically???
It's the same process used for "stateful connections" or "inspect". Yes - that's automatically.
> No, for that you will need another device or feature such as an IPS/IOS-IPS.
IPS, yes - that's what I need. Did you/someone configure IPS relating to my question? Would be nice to get some input - Thanks !
03-28-2013 09:19 AM
Hello,
1) No, because what you are looking for is the firewall to identify who is doing more than X amount of connections to one of your boxes so it can apply some protection,
You will need to add manually who is the host, that is my point.. No way to just say to the firewall learn it.
It's way different than the usage of the stateful table, we are trying to cover here a DoS attack, it's different.
2) Yes, I have worked with IPSs as well... Do you have one, what is the model you have?
03-28-2013 11:58 AM
Hello,
ok -
1) This problem (see first post) can be solved with any DoS solution on smtp connections?
2) Think IPS is just another area - sorry, maybe it got mixed up a little. We have an IOS-IPS license with our IOS 15.x on the CISCO 1921 - but it was not as performant as we expected.
03-28-2013 12:04 PM
1) It can be done as specified by Mashal but it will be applied to all the connections or the ones you configure manually only
2) Okay got it