Blocking port 25 scanners

From The Network People, Inc. - Wiki

How it's used

This script is run in one of two ways:

1. Under tcpserver as a supervised daemon, listening on port 25 of IPs that don't have MX records. This catches nasties that scan IP space for mail servers before they ever hit my real mail server. Go ahead and telnet to port 25 of 72.29.111.130 and see what happens (but do NOT do it from your mail server, or you won't be able to email me for a few days).

2. By other scripts, which pass in an IP as the first argument.


Script

#!/bin/sh
# by matt@tnpi.net - 02/27/2007

PFCTL="/sbin/pfctl"
BAD_IP=$1
MESSAGE="Added $BAD_IP to the spamd table."

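# no argument given: assume we are running under tcpserver, which
# exports the client address in TCPREMOTEIP
if [ -z "$BAD_IP" ]; then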
        BAD_IP=$TCPREMOTEIP
        MESSAGE="Hi $BAD_IP. You came, you probed, and now you are blacklisted."
fi

# still nothing to block: neither an argument nor TCPREMOTEIP was set
if [ -z "$BAD_IP" ]; then
        echo "usage: $0 ip.ad.dr.ess"
        exit 1
fi

# add them to the PF spamd table (quoted so the value stays a single argument)
$PFCTL -q -t spamd -Tadd "$BAD_IP"

echo "$MESSAGE"

# kill all state entries for the blocked host
$PFCTL -q -k "$BAD_IP"

exit 1
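
Because other scripts pass the address in as the first argument, whatever they hand over goes straight to pfctl, and the warning about testing from your own mail server shows how easily a needed host can end up in the table. The following is an added example, not part of the original script, that checks the value is a strict dotted-quad IPv4 address and not on an allowlist before running the same two pfctl calls. NEVER_BLOCK, is_ipv4, is_blockable and spamd_add are hypothetical names, and the allowlist addresses are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original script. NEVER_BLOCK, is_ipv4,
# is_blockable and spamd_add are hypothetical names.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Constructed sample allowlist (documentation addresses): list your own mail
# servers, monitoring hosts and management addresses here.
NEVER_BLOCK="127.0.0.1 192.0.2.10 192.0.2.25"

# Return 0 if $1 is a strict dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, non-digit (incl. '-'), bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets; safe, only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;            # leading zero (octal ambiguity) or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 only if $1 is a valid IPv4 address that is not on the allowlist.
is_blockable() {
    is_ipv4 "$1" || return 1
    for safe in $NEVER_BLOCK; do
        if [ "$1" = "$safe" ]; then return 1; fi
    done
    return 0
}

# Add $1 to the spamd table and drop its states, using the page's pfctl calls.
spamd_add() {
    if ! is_blockable "$1"; then
        echo "refusing to block: $1" >&2
        return 1
    fi
    "$PFCTL" -q -t spamd -Tadd "$1" && "$PFCTL" -q -k "$1"
}

if [ "$#" -gt 0 ]; then spamd_add "$1"; fi
```

The same check applies to TCPREMOTEIP when running under tcpserver, so an allowlisted host that connects to the trap port is refused rather than blocked.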