SMTP Attacks
Rick Stevens
rstevens at vitalstream.com
Tue Oct 24 16:47:21 UTC 2006
On Tue, 2006-10-24 at 08:49 -0700, Harold Hallikainen wrote:
> > On Tue, Oct 24, 2006 at 05:32:28AM -0700, Harold Hallikainen wrote:
> >> In the past week, I've seen log entries like this pretty much every day.
> >> This is on a Fedora 4 system. I'm running sshblack to get rid of the
> >> thousands of ssh breaking attempts and have been using the included bl
> >> command to add these ip addresses to the block list (which adds them to
> >> iptables with instructions to drop the packets). Is that worthwile?
> >> Should
> >> I do anything else? Again, these have only started showing up this week.
> >>
> >> Thanks!
> >>
> >> Harold
> >>
> >> WARNING!!!! Possible Attack:
> >> Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Attempt from [12.166.98.246] with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Attempt from dslb-082-083-067-104.pools.arcor-ip.net [82.83.67.104]
> >> with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> Total: 6 Time(s)
> >>
> >> **Unmatched Entries**
> >> 87-126-13-210.btc-net.bg [87.126.13.210] (may be forged): possible
> >> SMTP attack:
> >> command=HELO/EHLO, count=3: 1 Time(s)
> >
> > I'm unclear on this. What does SMTP have to do with SSH? Normally
> > your SMTP server (sendmail, postfix, etc.) is open to the world,
> > though it will pass only what mail it is configured to pass.
> >
> > That said, I use sshblack (checking SSH access) on several of the
> > hosts that I manage, though I have it make an entry in /etc/hosts.deny
> > rather than IPTABLES. I have it set to stop the blighters after six
> > failed tries. The attempts show up in my logwatch reports, and then I
> > do a whois on the IP address (either website or command line) to find
> > out the email address for the abuse contact for that network. Then I
> > send them a nastygram with log excerpts.
> >
> > Because I never expect to need SSH access from a foreign network, I
> > block SSH access to all foreign networks.
> >
>
>
> Sorry if my note was confusing! sshblack is working very well for me
> blocking ssh attacks. Down from thousands a day to something like 5 from
> each new IP address that tries (a half dozen a day). I also have another
> copy of sshblack watching my httpd access log for URLs that contain the
> word "echo" or have Microsoft directory names in them (WINNT, etc.). These
> also get added to the drop list in iptables.
>
> sshblack includes a simple script called "bl". You use it something like
> "bl 1.2.3.4" to add IP address 1.2.3.4 to the list of addresses dropped by
> IP tables. I have been manually adding the IP addresses listed in the
> suspected SMTP attacks reported in the logs.
>
> So, from the log reports above, what's going on? I'm running sendmail on
> an FC4 system. Anything I need to worry about?
This is not untypical behavior for mail servers. What you're seeing are
machines trolling around for open relay mail servers. The fact that
they're coming from eastern Europe and are using broadband connections
is pretty conclusive. For that reason, I have huge parts of eastern
Europe, Brazil, Korea, Japan and China blocked (I have at least 12 /8
networks blocked).
Welcome to the Internet. :-(
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Microsoft Windows: Proof that P.T. Barnum was right -
----------------------------------------------------------------------
More information about the Redhat-install-list
mailing list