SMTP Attacks
2006-10-24 - By Oliver B.

Hello Rick,

could you please post these networks :)!?

Thank you!
Cheers,
Oliver
>> >> In the past week, I've seen log entries like this pretty much every
>> >> day.
>> >>
>> >> This is on a Fedora 4 system. I'm running sshblack to get rid of the
>> >> thousands of ssh break-in attempts and have been using the included bl
>> >> command to add these ip addresses to the block list (which adds them to
>> >> iptables with instructions to drop the packets). Is that worthwhile?
>> >> Should I do anything else? Again, these have only started showing up
>> >> this week.
>> >>
>> >> Thanks!
>> >>
>> >> Harold
>> >>
>> >> WARNING!!!! Possible Attack:
>> >> Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Attempt from [12.166.98.246] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Attempt from dslb-082-083-067-104.pools.arcor-ip.net [82.83.67.104] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >> Total: 6 Time(s)
>> >>
>> >> **Unmatched Entries**
>> >> 87-126-13-210.btc-net.bg [87.126.13.210] (may be forged): possible
>> >> SMTP attack:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >
>> > I'm unclear on this. What does SMTP have to do with SSH? Normally
>> > your SMTP server (sendmail, postfix, etc.) is open to the world,
>> > though it will pass only what mail it is configured to pass.
>> >
>> > That said, I use sshblack (checking SSH access) on several of the
>> > hosts that I manage, though I have it make an entry in /etc/hosts.deny
>> > rather than iptables. I have it set to stop the blighters after six
>> > failed tries. The attempts show up in my logwatch reports, and then I
>> > do a whois on the IP address (either website or command line) to find
>> > out the email address for the abuse contact for that network. Then I
>> > send them a nastygram with log excerpts.
>> >
>> > Because I never expect to need SSH access from a foreign network, I
>> > block SSH access to all foreign networks.
>> >
>>
>> Sorry if my note was confusing! sshblack is working very well for me
>> blocking ssh attacks. Down from thousands a day to something like 5 from
>> each new IP address that tries (a half dozen a day). I also have another
>> copy of sshblack watching my httpd access log for URLs that contain the
>> word "echo" or have Microsoft directory names in them (WINNT, etc.). These
>> also get added to the drop list in iptables.
>>
>> sshblack includes a simple script called "bl". You use it something like
>> "bl 1.2.3.4" to add IP address 1.2.3.4 to the list of addresses dropped by
>> iptables. I have been manually adding the IP addresses listed in the
>> suspected SMTP attacks reported in the logs.
>>
>> So, from the log reports above, what's going on? I'm running sendmail on
>> an FC4 system. Anything I need to worry about?
>
> This is not untypical behavior for mail servers. What you're seeing are
> machines trolling around for open relay mail servers. The fact that
> they're coming from eastern Europe and are using broadband connections
> is pretty conclusive. For that reason, I have huge parts of eastern
> Europe, Brazil, Korea, Japan and China blocked (I have at least 12 /8
> networks blocked).
>
> Welcome to the Internet. :-(
>
> --
> ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
> - Rick Stevens, Senior Systems Engineer        rstevens@(protected) -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -        Microsoft Windows: Proof that P.T. Barnum was right         -
> ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
__ ____ ____ ____ ____ ____ ____ ____ ____ ____ Redhat-install-list mailing list Redhat-install-list@(protected) https://www.redhat.com/mailman/listinfo/redhat-install-list To Unsubscribe Go To ABOVE URL or send a message to: redhat-install-list-request@(protected) Subject: unsubscribe
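Harold's approach in the thread above is to read the logwatch "Possible Attack" section and run sshblack's "bl" helper by hand on each address. The script below is an added example, not code from the thread, from logwatch or from sshblack: it pulls the bracketed IPs out of that section in one pass, drops anything that is not a well-formed IPv4 address, and prints either iptables DROP commands or the /etc/hosts.deny lines Rick prefers. The BLACKLIST chain name, the report path in the usage comment and the sample report are assumptions; the sample uses RFC 5737 documentation addresses rather than the real probers from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from sshblack): turn the IPs in a
# logwatch "Possible Attack" SMTP section into block rules in one pass instead
# of running "bl 1.2.3.4" by hand for each one. Needs only POSIX sh, sed and
# awk. Nothing here touches the firewall; it only prints the commands.

# Constructed sample in the shape of the logwatch excerpt in the thread.
# Addresses are RFC 5737 documentation ranges, not real probers.
SAMPLE_REPORT='WARNING!!!! Possible Attack:
Attempt from host-10.example.net [192.0.2.10] with:
command=HELO/EHLO, count=3: 1 Time(s)
Attempt from [198.51.100.7] with:
command=HELO/EHLO, count=3: 1 Time(s)
Attempt from host-10.example.net [192.0.2.10] with:
command=HELO/EHLO, count=3: 1 Time(s)
Total: 3 Time(s)

**Unmatched Entries**
forged.example.org [203.0.113.5] (may be forged): possible SMTP attack:
command=HELO/EHLO, count=3: 1 Time(s)
junk [999.1.2.3] (may be forged): possible SMTP attack:
command=HELO/EHLO, count=3: 1 Time(s)'

# Read logwatch text on stdin; print each bracketed IPv4 address once, in
# order of first appearance. Only the bracketed field is trusted: the name in
# front of it is a reverse lookup (logwatch itself flags "may be forged"), so
# it is never used for blocking. Octets are range-checked so a mangled line
# cannot produce a rule that iptables would reject.
extract_attack_ips() {
    sed -n 's/.*\[\([0-9][0-9.]*\)\].*/\1/p' |
    awk -F. 'NF == 4 && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && !seen[$0]++'
}

# Emit one iptables DROP per address. BLACKLIST is an assumed chain name that
# must already exist and be jumped to from INPUT; sshblack's own chain may be
# named differently, so check "iptables -L -n" before piping this to sh.
block_rules() {
    extract_attack_ips | while read -r ip; do
        printf 'iptables -I BLACKLIST -s %s -j DROP\n' "$ip"
    done
}

# Alternative used in the thread: tcp_wrappers entries for /etc/hosts.deny.
# These only affect daemons linked against libwrap, so confirm with
# "ldd /usr/sbin/sendmail | grep wrap" before relying on them for SMTP.
hosts_deny_entries() {
    extract_attack_ips | while read -r ip; do
        printf 'ALL: %s\n' "$ip"
    done
}

# Dry run on the sample. For a real report (path is an assumption):
#   block_rules < /tmp/logwatch-report.txt        (review)
#   block_rules < /tmp/logwatch-report.txt | sh   (apply, as root)
printf '%s\n' "$SAMPLE_REPORT" | block_rules
```

Two practitioner caveats. The logwatch line only records that a HELO/EHLO probe arrived; whether the relay attempt it preceded was refused is in the sendmail log, so grep /var/log/maillog for "Relaying denied" before worrying about the host itself. And almost every address in the thread's excerpt is a consumer broadband pool, so a permanent DROP will outlive the prober and eventually block an innocent subscriber; keep the rules in their own chain and flush it on a schedule rather than letting them accumulate.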