Re: A different kind of attack/probe, how can postfix defend against it?

From: Justin Piszcz (jpiszczlucidpixels.com)
Date: Thu Aug 09 2007 - 12:16:12 CDT


On Thu, 9 Aug 2007, Robert Schetterer wrote:

> Justin Piszcz schrieb:
>> Recently, I saw this in my logs:
>>
>> With iptables I guess I could specify something to block port 25 if it
>> gets hit too many times from _ANY_ IP, but that would block legitimate
>> mail; however, it seems as if it is the only or best option?
>>
>> Aug 9 12:47:19 l2 postfix/smtpd[12676]: connect from mx181.populationarea.com[69.31.50.181]
>> Aug 9 12:47:24 l2 postfix/smtpd[12676]: disconnect from mx181.populationarea.com[69.31.50.181]
>> Aug 9 12:47:26 l2 postfix/smtpd[12676]: connect from mx190.webcastersradio.com[69.31.50.190]
>> Aug 9 12:47:30 l2 postfix/smtpd[12676]: disconnect from mx190.webcastersradio.com[69.31.50.190]
>> Aug 9 12:47:31 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:35 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:36 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:41 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:43 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:47 l2 postfix/smtpd[12676]: disconnect from mx184.shippingkick.com[69.31.50.184]
>> Aug 9 12:47:49 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:47:53 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:47:54 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:47:59 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:48:01 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:48:05 l2 postfix/smtpd[12676]: disconnect from mx186.shippingkick.com[69.31.50.186]
>> Aug 9 12:48:07 l2 postfix/smtpd[12676]: connect from mx166.censusarea.com[69.31.50.166]
>> Aug 9 12:48:11 l2 postfix/smtpd[12676]: disconnect from mx166.censusarea.com[69.31.50.166]
>> Aug 9 12:48:12 l2 postfix/smtpd[12676]: connect from mx166.censusarea.com[69.31.50.166]
>> Aug 9 12:48:22 l2 postfix/smtpd[12676]: disconnect from mx166.censusarea.com[69.31.50.166]
>> Aug 9 12:48:23 l2 postfix/smtpd[12676]: connect from mx173.officecent.com[69.31.50.173]
>> Aug 9 12:48:27 l2 postfix/smtpd[12676]: disconnect from mx173.officecent.com[69.31.50.173]
>> Aug 9 12:48:28 l2 postfix/smtpd[12676]: connect from mx172.officecent.com[69.31.50.172]
>> Aug 9 12:48:33 l2 postfix/smtpd[12676]: disconnect from mx172.officecent.com[69.31.50.172]
>> Aug 9 12:48:35 l2 postfix/smtpd[12676]: connect from mx168.offcentral.com[69.31.50.168]
>> Aug 9 12:48:39 l2 postfix/smtpd[12676]: disconnect from mx168.offcentral.com[69.31.50.168]
>> Aug 9 12:48:41 l2 postfix/smtpd[12676]: connect from mx163.censusarea.com[69.31.50.163]
>> Aug 9 12:48:45 l2 postfix/smtpd[12676]: disconnect from mx163.censusarea.com[69.31.50.163]
>> Aug 9 12:48:46 l2 postfix/smtpd[12676]: connect from mx163.censusarea.com[69.31.50.163]
>> Aug 9 12:48:51 l2 postfix/smtpd[12676]: disconnect from mx163.censusarea.com[69.31.50.163]
>> Aug 9 12:48:52 l2 postfix/smtpd[12676]: connect from mx179.populationarea.com[69.31.50.179]
>> Aug 9 12:48:56 l2 postfix/smtpd[12676]: disconnect from mx179.populationarea.com[69.31.50.179]
>> Aug 9 12:48:58 l2 postfix/smtpd[12676]: connect from mx183.shippingkick.com[69.31.50.183]
>> Aug 9 12:49:02 l2 postfix/smtpd[12676]: disconnect from mx183.shippingkick.com[69.31.50.183]
>> Aug 9 12:49:03 l2 postfix/smtpd[12676]: connect from mx188.webcastersradio.com[69.31.50.188]
>> Aug 9 12:49:08 l2 postfix/smtpd[12676]: disconnect from mx188.webcastersradio.com[69.31.50.188]
>> Aug 9 12:49:10 l2 postfix/smtpd[12676]: connect from mx178.populationarea.com[69.31.50.178]
>> Aug 9 12:49:14 l2 postfix/smtpd[12676]: disconnect from mx178.populationarea.com[69.31.50.178]
>>
> I installed fail2ban yesterday; this may help, but if you know the IPs
> I would simply drop them statically with iptables, or perhaps their whole net.
>
> - --
> Mit freundlichen Gruessen
> Best Regards
>
> Robert Schetterer
>
> Germany/Bavaria/Munich
>

I agree, fail2ban rocks and I use it all the time, but this attack was from
many different IPs and not just a few (there were more).

Justin.
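As an added example (not code from the thread or from Postfix/fail2ban), the aggregation a defender would run over the quoted log to see why a per-IP threshold stays quiet: connects counted per source IP next to connects counted per /24. The sample lines are constructed from the thread's pattern, and the 192.0.2.10 client is a made-up legitimate sender.

```python
"""Per-IP versus per-/24 counting of Postfix smtpd 'connect from' lines.
Added example, not code from the thread: each IP connects once or twice,
so a per-IP ban never fires, while the /24 total climbs within a minute."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Matches lines like the quoted "Aug 9 12:47:19 l2 postfix/smtpd[12676]: connect from h[69.31.50.181]"
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[\d.]+)\]$"
)

# Constructed sample: hosts from the thread's /24 plus one unrelated client (192.0.2.10).
SAMPLE_LOG = """\
Aug 9 12:47:19 l2 postfix/smtpd[12676]: connect from mx181.populationarea.com[69.31.50.181]
Aug 9 12:47:24 l2 postfix/smtpd[12676]: disconnect from mx181.populationarea.com[69.31.50.181]
Aug 9 12:47:26 l2 postfix/smtpd[12676]: connect from mx190.webcastersradio.com[69.31.50.190]
Aug 9 12:47:31 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
Aug 9 12:47:40 l2 postfix/smtpd[12676]: connect from mail.example.org[192.0.2.10]
Aug 9 12:47:49 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
Aug 9 12:47:54 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
""".splitlines()

def parse_connects(lines, year=2007):
    """Yield (timestamp, hostname, ip) per connect line; other lines are skipped."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["ip"]

def count_sources(lines, window_seconds=60, prefix=24):
    """Connects per IP and per /prefix in the window opened by the first connect."""
    per_ip, per_net = Counter(), Counter()
    start = None
    for ts, _host, ip in parse_connects(lines):
        start = start or ts
        if (ts - start).total_seconds() > window_seconds:
            break  # beyond the window: stop counting
        per_ip[ip] += 1
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[str(net)] += 1
    return per_ip, per_net

def noisy_networks(lines, threshold=5, **kw):
    """Networks whose aggregate count reaches threshold (no single IP does here)."""
    _per_ip, per_net = count_sources(lines, **kw)
    return sorted(n for n, c in per_net.items() if c >= threshold)
```

Run against a real mail log the same way, with the window and prefix tuned to the traffic; a network that trips the aggregate count while no single host does is the case where a per-IP jail cannot help and a per-network decision is needed.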