SMTP Attacks

Oliver B. hemzet at gmx.net
Tue Oct 24 17:10:11 UTC 2006


Hello Rick,

could you please post these networks :)!?

Thank you
Cheers
Oliver


>> >> In the past week, I've seen log entries like this pretty much every day.
>> >> This is on a Fedora 4 system. I'm running sshblack to get rid of the
>> >> thousands of ssh breaking attempts and have been using the included bl
>> >> command to add these ip addresses to the block list (which adds them to
>> >> iptables with instructions to drop the packets). Is that worthwhile?
>> >> Should I do anything else? Again, these have only started showing up this week.
>> >>
>> >> Thanks!
>> >>
>> >> Harold
>> >>
>> >> WARNING!!!!  Possible Attack:
>> >>     Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>     Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>     Attempt from [12.166.98.246] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>     Attempt from dslb-082-083-067-104.pools.arcor-ip.net [82.83.67.104] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>     Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>     Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
>> >>        command=HELO/EHLO, count=3: 1 Time(s)
>> >>          Total:  6 Time(s)
>> >>
>> >>  **Unmatched Entries**
>> >>     87-126-13-210.btc-net.bg [87.126.13.210] (may be forged): possible SMTP attack:
>> >> command=HELO/EHLO, count=3: 1 Time(s)
>> >
>> > I'm unclear on this.  What does SMTP have to do with SSH?  Normally
>> > your SMTP server (sendmail, postfix, etc.) is open to the world,
>> > though it will pass only what mail it is configured to pass.
>> >
>> > That said, I use sshblack (checking SSH access) on several of the
>> > hosts that I manage, though I have it make an entry in /etc/hosts.deny
>> > rather than IPTABLES.  I have it set to stop the blighters after six
>> > failed tries.  The attempts show up in my logwatch reports, and then I
>> > do a whois on the IP address (either website or command line) to find
>> > out the email address for the abuse contact for that network.  Then I
>> > send them a nastygram with log excerpts.
>> >
>> > Because I never expect to need SSH access from a foreign network, I
>> > block SSH access to all foreign networks.
>> >
>>
>>
>> Sorry if my note was confusing! sshblack is working very well for me
>> blocking ssh attacks. Down from thousands a day to something like 5 from
>> each new IP address that tries (a half dozen a day). I also have another
>> copy of sshblack watching my httpd access log for URLs that contain the
>> word "echo" or have Microsoft directory names in them (WINNT, etc.).
>> These also get added to the drop list in iptables.
>>
>> sshblack includes a simple script called "bl". You use it something like
>> "bl 1.2.3.4" to add IP address 1.2.3.4 to the list of addresses dropped
>> by
>> IP tables. I have been manually adding the IP addresses listed in the
>> suspected SMTP attacks reported in the logs.
>>
>> So, from the log reports above, what's going on? I'm running sendmail on
>> an FC4 system. Anything I need to worry about?
>
> This is not untypical behavior for mail servers.  What you're seeing are
> machines trolling around for open relay mail servers.  The fact that
> they're coming from eastern Europe and are using broadband connections
> is pretty conclusive.  For that reason, I have huge parts of eastern
> Europe, Brazil, Korea, Japan and China blocked (I have at least 12 /8
> networks blocked).
>
> Welcome to the Internet.  :-(
>
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -         Microsoft Windows:  Proof that P.T. Barnum was right       -
> ----------------------------------------------------------------------
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
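Harold says he has been reading the IP addresses out of the logwatch "Possible Attack" section by hand and feeding each one to sshblack's bl script. The script below is an added example, not code from the thread or from sshblack: it parses a report in the layout quoted above (the "Attempt from HOST [IP] with:" entries plus the "Unmatched Entries" form) and tallies flagged sessions per address, so that only addresses seen repeatedly are turned into "bl <ip>" lines. The report text, hostnames and documentation-range addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the logwatch sendmail report quoted in
# the thread. Hostnames and addresses are placeholders, not the real ones.
SAMPLE_REPORT = """\
WARNING!!!!  Possible Attack:
    Attempt from host-a.example.net [192.0.2.10] with:
       command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from [198.51.100.7] with:
       command=HELO/EHLO, count=3: 2 Time(s)
    Attempt from host-b.example.org [203.0.113.9] with:
       command=HELO/EHLO, count=3: 1 Time(s)
         Total:  4 Time(s)

 **Unmatched Entries**
    host-c.example.com [192.0.2.10] (may be forged): possible SMTP attack:
command=HELO/EHLO, count=3: 1 Time(s)
"""

# One entry: the bracketed client address, an optional "(may be forged)" note,
# the rest of that line, then the sendmail "command=..., count=N" text, which
# logwatch prints either on the same line or on the following one.
ENTRY_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged> \(may be forged\))?"
    r"[^\n]*?\s*command=(?P<cmd>[^,]+), count=(?P<count>\d+): (?P<times>\d+) Time\(s\)"
)

def parse_report(text):
    """Return one dict per 'possible SMTP attack' entry found in the report."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "ip": m.group("ip"),
            "forged_name": m.group("forged") is not None,  # reverse DNS did not verify
            "command": m.group("cmd").strip(),
            "count": int(m.group("count")),   # HELO/EHLO commands sent in that session
            "times": int(m.group("times")),   # how many sessions logwatch saw
        })
    return entries

def hits_per_ip(entries):
    """Flagged sessions per client address, summed across both report sections."""
    totals = Counter()
    for e in entries:
        totals[e["ip"]] += e["times"]
    return totals

def block_candidates(entries, min_hits=2):
    """Addresses flagged at least min_hits times, most active first."""
    return [ip for ip, n in hits_per_ip(entries).most_common() if n >= min_hits]

if __name__ == "__main__":
    for ip in block_candidates(parse_report(SAMPLE_REPORT)):
        print(f"bl {ip}")   # the sshblack invocation described in the thread
```

Raising min_hits keeps a single stray HELO storm from earning a permanent iptables entry, which is the judgement call Harold was making by hand.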