SMTP Attacks

Bob McClure Jr bob at bobcatos.com
Tue Oct 24 15:14:47 UTC 2006 

On Tue, Oct 24, 2006 at 05:32:28AM -0700, Harold Hallikainen wrote:
> In the past week, I've seen log entries like this pretty much every day.
> This is on a Fedora 4 system. I'm running sshblack to get rid of the
> thousands of ssh breaking attempts and have been using the included bl
> command to add these ip addresses to the block list (which adds them to
> iptables with instructions to drop the packets). Is that worthwile? Should
> I do anything else? Again, these have only started showing up this week.
> 
> Thanks!
> 
> Harold
> 
> WARNING!!!!  Possible Attack:
>     Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>     Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>     Attempt from [12.166.98.246] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>     Attempt from dslb-082-083-067-104.pools.arcor-ip.net [82.83.67.104] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>     Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>     Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
>        command=HELO/EHLO, count=3: 1 Time(s)
>          Total:  6 Time(s)
> 
>  **Unmatched Entries**
>     87-126-13-210.btc-net.bg [87.126.13.210] (may be forged): possible
> SMTP attack:
> command=HELO/EHLO, count=3: 1 Time(s)

I'm unclear on this.  What does SMTP have to do with SSH?  Normally
your SMTP server (sendmail, postfix, etc.) is open to the world,
though it will pass only what mail it is configured to pass.

That said, I use sshblack (checking SSH access) on several of the
hosts that I manage, though I have it make an entry in /etc/hosts.deny
rather than IPTABLES.  I have it set to stop the blighters after six
failed tries.  The attempts show up in my logwatch reports, and then I
do a whois on the IP address (either website or command line) to find
out the email address for the abuse contact for that network.  Then I
send them a nastygram with log excerpts.

Because I never expect to need SSH access from a foreign network, I
block SSH access to all foreign networks.

> -- 
> FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
> opportunities available!

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
bob at bobcatos.com             http://www.bobcatos.com
"Where you go in the hereafter depends on what you were after here."
  - Thanks to Graffiti, 2 March 2004

More information about the Redhat-install-list mailing list