SMTP Attacks

Harold Hallikainen harold at hallikainen.com
Tue Oct 24 15:49:34 UTC 2006 

> On Tue, Oct 24, 2006 at 05:32:28AM -0700, Harold Hallikainen wrote:
>> In the past week, I've seen log entries like this pretty much every day.
>> This is on a Fedora 4 system. I'm running sshblack to get rid of the
>> thousands of ssh breaking attempts and have been using the included bl
>> command to add these ip addresses to the block list (which adds them to
>> iptables with instructions to drop the packets). Is that worthwile?
>> Should
>> I do anything else? Again, these have only started showing up this week.
>>
>> Thanks!
>>
>> Harold
>>
>> WARNING!!!!  Possible Attack:
>>     Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>     Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>     Attempt from [12.166.98.246] with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>     Attempt from dslb-082-083-067-104.pools.arcor-ip.net [82.83.67.104]
>> with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>     Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>     Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
>>        command=HELO/EHLO, count=3: 1 Time(s)
>>          Total:  6 Time(s)
>>
>>  **Unmatched Entries**
>>     87-126-13-210.btc-net.bg [87.126.13.210] (may be forged): possible
>> SMTP attack:
>> command=HELO/EHLO, count=3: 1 Time(s)
>
> I'm unclear on this.  What does SMTP have to do with SSH?  Normally
> your SMTP server (sendmail, postfix, etc.) is open to the world,
> though it will pass only what mail it is configured to pass.
>
> That said, I use sshblack (checking SSH access) on several of the
> hosts that I manage, though I have it make an entry in /etc/hosts.deny
> rather than IPTABLES.  I have it set to stop the blighters after six
> failed tries.  The attempts show up in my logwatch reports, and then I
> do a whois on the IP address (either website or command line) to find
> out the email address for the abuse contact for that network.  Then I
> send them a nastygram with log excerpts.
>
> Because I never expect to need SSH access from a foreign network, I
> block SSH access to all foreign networks.
>


Sorry if my note was confusing! sshblack is working very well for me
blocking ssh attacks. Down from thousands a day to something like 5 from
each new IP address that tries (a half dozen a day). I also have another
copy of sshblack watching my httpd access log for URLs that contain the
word "echo" or have Microsoft directory names in them (WINNT, etc.). These
also get added to the drop list in iptables.

sshblack includes a simple script called "bl". You use it something like
"bl 1.2.3.4" to add IP address 1.2.3.4 to the list of addresses dropped by
IP tables. I have been manually adding the IP addresses listed in the
suspected SMTP attacks reported in the logs.

So, from the log reports above, what's going on? I'm running sendmail on
an FC4 system. Anything I need to worry about?

THANKS!!!!

Harold

-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

More information about the Redhat-install-list mailing list