[BlueOnyx:04417] Re: can't stop this attack
Chuck Tetlow
chuck at tetlow.net
Thu May 6 16:21:22 -05 2010
That IP comes back to Sweden. If you (or your sites) don't give a damn about traffic from that country, try this as root at the command line:
/sbin/iptables -I acctin 1 -s 213.80.73.0/24 -j DROP
That will block everything from any IP address on that /24 network. Now, even if more than one machine is in use doing the hacking - you've just blocked them. That rule will be #1 in your firewall rules until the next time you reboot. Typically - that is more than enough time for them to get tired of trying you and move on to another victim.
And if you want to see how many times they try to get in (whether you are reporting it or just curious), AFTER running that command - run this one:
/sbin/iptables -I acctin 1 -s 213.80.73.0/24 -j LOG --log-prefix "Connect attempt from 213.80.73 network in Sweden "
That will now go in as first rule, and will log every connection attempt from that network. Then the previous rule (which is now second) drops the connection attempt. Afterward, just use "grep Sweden /var/log/messages | wc -l" to see how many connection attempts were made.
Chuck
---------- Original Message -----------
From: Gerald Waugh <gwaugh at raqware.com>
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it>
Sent: Thu, 06 May 2010 11:50:51 -0500
Subject: [BlueOnyx:04408] Re: can't stop this attack
> On Thu, 2010-05-06 at 11:47 -0500, Gerald Waugh wrote:
> > I put the IP in hosts.deny
> > I put the IP in iptables
> > Still keeps coming, uses different ip's on server and different users'
> > I even stopped xinetd, but still keep coming
> >
> > netstat looks like this
> > tcp 0 0 70.246.22.17:110 213.80.73.45:55643
> > ESTABLISHED 9901/pop3-login
> > tcp 1 0 70.246.22.25:110 213.80.73.45:58238
> > CLOSE_WAIT 9596/pop3-login
> > tcp 0 0 70.246.22.37:110 213.80.73.45:55584
> > ESTABLISHED 9917/pop3-login
> > tcp 0 0 70.246.22.29:110 213.80.73.45:55579
> > ESTABLISHED 9904/pop3-login
> > tcp 1 0 70.246.22.17:110 213.80.73.45:39467
> > CLOSE_WAIT 9752/pop3-login
> > tcp 1 0 70.246.22.37:110 213.80.73.45:47883
> > CLOSE_WAIT 9508/pop3-login
> >
> > maillog looks like this
> >
> > May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
> > attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45,
> > lip=70.246.22.22
> > May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
> > attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45,
> > lip=70.246.22.28
> > May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
> > attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45,
> > lip=70.246.22.42
> > May 6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
> > attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45,
> > lip=70.246.22.21
> >
> > ideas?
>
------- End of Original Message -------
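The counting and blocking Chuck describes, as an added example that is not part of the list post or of BlueOnyx: a POSIX shell script that counts dovecot pop3-login auth failures per remote IP over constructed log lines in the same format Gerald posted, and prints (without applying) the two iptables rules from the post for each /24 that reaches a threshold. The chain name `acctin` comes from the post; the threshold, the extra sample IPs and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the list post): count dovecot pop3-login auth
# failures per remote IP in a maillog and print the iptables rules Chuck
# describes for any /24 that reaches a threshold. Rules are printed only;
# nothing is applied. Log lines below are constructed in the format Gerald
# posted; the chain name "acctin" is the BlueOnyx chain from the post.

CHAIN=acctin

# Constructed sample log (same shape as the maillog excerpt in the thread).
SAMPLE_LOG='May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
May  6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
May  6 11:43:46 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=70.246.22.21
May  6 11:43:47 ns1 dovecot: pop3-login: Logged in: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=70.246.22.21'

# auth_failures_by_ip LOGTEXT -> lines "count rip", highest count first
auth_failures_by_ip() {
    printf '%s\n' "$1" \
      | grep 'pop3-login: Disconnected (auth failed' \
      | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# to_slash24 IP -> the /24 network containing IP (213.80.73.45 -> 213.80.73.0/24)
to_slash24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# block_rules LOGTEXT THRESHOLD -> the iptables commands from the post for every
# remote IP with at least THRESHOLD failures (printed, not executed)
block_rules() {
    auth_failures_by_ip "$1" | while read -r count ip; do
        [ "$count" -ge "$2" ] || continue
        net=$(to_slash24 "$ip")
        # DROP is inserted first, then LOG is inserted above it, as in the thread.
        echo "/sbin/iptables -I $CHAIN 1 -s $net -j DROP"
        echo "/sbin/iptables -I $CHAIN 1 -s $net -j LOG --log-prefix \"Connect attempt from $net \""
    done
}

block_rules "$SAMPLE_LOG" 3
```

Feed a real log with `block_rules "$(cat /var/log/maillog)" 20` and review the printed rules before running any of them.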