EMERGENCY - need to secure my server against an ongoing SPAMMER

Bob Brennan rbrennan96 at gmail.com
Mon Mar 14 08:53:09 UTC 2005


On Mon, 14 Mar 2005 08:03:25 +0100, Roger Grosswiler <roger at gwch.net> wrote:
> Roger Grosswiler schrieb:
> > Bob Brennan schrieb:
> > [snip]
> >
> >>> Probably a good idea to shut them off semi-permanently:
> >>> add these lines to your iptables firewall:
> >>> (Note - there are more general ways to script iptables setups)
> >>> (Read "better ways", but this is a specific example)
> >>>
> >>> #  Next 8 lines specific to tfn.net.tw
> >>> # Log any connection attempts by tfn.net.tw
> >>> # (a rule takes a single -j target, so logging and dropping are separate rules)
> >>> iptables -A INPUT  -i eth0 -s  219.81.0.0/16 -j LOG --log-prefix "static.tfn.net.tw "
> >>> iptables -A INPUT  -i eth0 -s  61.31.0.0/16 -j LOG --log-prefix "dynamic.tfn.net.tw "
> >>>
> >>> # Drop dynamic.tfn.net.tw
> >>> iptables -A INPUT  -i eth0 -s  61.31.0.0/16 -j DROP
> >>> # Drop static.tfn.net.tw
> >>> iptables -A INPUT  -i eth0 -s  219.81.0.0/16 -j DROP
> >
> > [/snip]
> >
> > Hi Bob,
> >
> > Good way to get the spammer off your ports ;-)
> >
> > See the 2 links here, where you can check your mailserver immediately for
> > "open relay". There is no need to register or anything - just type
> > your IP and go. You will see whether your mailserver is secure enough or
> > which methods could still be used to send spam via your mailserver.
> >
> > http://www.relaycheck.com/test.asp
> > http://www.antispam-ufrj.pads.ufrj.br/
> >
> > Have you built in RBL support for your mailserver? This could perhaps
> > get your spammer off your mailserver altogether. See 3 free lists below.
> >
> > bl.spamcop.net,
> > relays.ordb.org,
> > sbl.spamhaus.org,
> >
> > btw, preferably you no longer use pop-before-smtp these days; use
> > smtp-auth instead. If you authenticate your users in pop/imap against mysql you
> > COULD use the same database for smtp too.
> >
> > HTH
> > Roger
> >
> btw, running perror 13 in a shell gives the following:
> 
> [roger at link ~]$ perror 13
> Error code  13:  Permission denied
> 
> ...I had this too; this was an issue with SELinux. You could either
> disable mysql support in SELinux (system-config-securitylevel) or try to
> relabel your system. This helped me, in some way (...)
> 
> /sbin/fixfiles relabel
> 
> Also make sure that your /var/lib/mysql is chowned -R mysql:mysql.

Hi Roger,

Thanks very much for all of the handy tips - I remember seeing the
"/sbin/fixfiles relabel" trick in previous postings on this list and I
will try that right away - I am anxious to re-enable SELinux asap.

I still got more than 500 attempts by the spammer(s) yesterday but
hopefully the iptables fix from Jeff Kinz will finally put an end to
that today. I think their persistent but futile attempts to send
prove that it is simply Windoze zombie machines out there wasting our
time and bandwidth.

Thanks again for the help,
bob
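The iptables rules quoted above are written out by hand, one rule per address range, and the original posting tripped over the one-target-per-rule limit (`-j DROP -j LOG` on a single line). The script below is an added example, not code from anyone in this thread, that generates a LOG rule followed by a DROP rule for every range in a small list, so the two halves can never be merged. The two address ranges and labels are the ones quoted above; the function names, the blocklist format and the `-m limit` match on the LOG rule (so 500 attempts a day from a persistent source cannot flood the log) are assumptions added here. It prints the commands rather than applying them, so it can be reviewed first and then piped to `sh` as root.

```shell
#!/bin/sh
# Constructed example: generate (not apply) paired LOG + DROP iptables rules
# for a list of source ranges. The two ranges are the tfn.net.tw ranges quoted
# in the thread; the function names, list format and the `limit` match on the
# LOG rule are assumptions added in this example.

# Blocklist format: one "<cidr> <log label>" per line; lines starting with #
# are comments. Values here are the ones from the thread.
BLOCKLIST='# ranges quoted in the thread
219.81.0.0/16 static.tfn.net.tw
61.31.0.0/16 dynamic.tfn.net.tw'

# gen_block_rules <iface>  (blocklist on stdin)
# Emits, per range, one LOG rule and then one DROP rule. iptables accepts a
# single -j target per rule, and once a packet hits DROP the chain stops, so
# the LOG rule has to come first and be a separate rule.
gen_block_rules() {
    iface=$1
    while read -r cidr label; do
        [ -z "$cidr" ] && continue
        case $cidr in '#'*) continue ;; esac
        # --log-prefix is limited to 29 characters; the trailing space keeps
        # the prefix separate from the packet details in the log line.
        printf 'iptables -A INPUT -i %s -s %s -m limit --limit 5/min -j LOG --log-prefix "%s "\n' \
            "$iface" "$cidr" "$label"
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$iface" "$cidr"
    done
}

# count_rules <iface>: number of rules the blocklist would produce (two per
# range), a quick sanity check before applying anything.
count_rules() {
    printf '%s\n' "$BLOCKLIST" | gen_block_rules "$1" | wc -l | tr -d ' '
}

# first_rule <iface>: the first generated command, used for a spot check.
first_rule() {
    printf '%s\n' "$BLOCKLIST" | gen_block_rules "$1" | head -n 1
}

# Usage: review the output, then `... | sh` as root to apply.
printf '%s\n' "$BLOCKLIST" | gen_block_rules eth0
```

Because the generator reads a plain text list, adding or retiring a range is a one-line edit and regeneration, and the rule ordering stays correct every time; the counterpart cleanup is `iptables -D` with the same arguments, or flushing and regenerating the chain.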




More information about the fedora-list mailing list