<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2"><font size="3">That IP comes back to Sweden. If you (or your sites) don't give a damn about traffic from that country, try this as root at the command line:
<br />
<br />/sbin/iptables -I acctin 1 -s 213.80.73.0/24 -j DROP
<br />
<br />That will block everything from any IP address on that /24 network. Now, even if more than one machine is in use doing the hacking - you've just blocked them. That rule will be #1 in your firewall rules until the next time you reboot. Typically - that is more than enough time for them to get tired of trying you and move on to another victim.
<br />
<br />And if you want to see how many times they try to get in (whether your are reporting it or just curious), AFTER running that command - run this one:
<br />
<br />/sbin/iptables -I acctin 1 -s 213.80.73.0/24 -j LOG --log-prefix "Connect attempt from 213.80.73 network in Sweden "
<br />
<br />That will now go in as first rule, and will log every connection attempt from that network. Then the previous rule (which is now second) drops the connection attempt. Afterward, just use "grep Sweden /var/log/messages | wc -l" to see how many connection attempts were made.
<br />
<br />
<br />
<br />Chuck
<br />
<br />
<br /></font>
<br /><b>---------- Original Message
-----------</b>
<br />
From: Gerald Waugh <gwaugh@raqware.com>
<br />
To: BlueOnyx General Mailing List <blueonyx@blueonyx.it>
<br />
Sent: Thu, 06 May 2010 11:50:51 -0500
<br />
Subject: [BlueOnyx:04408] Re: can't stop this attack
<br />
<br />>
On Thu, 2010-05-06 at 11:47 -0500, Gerald Waugh wrote:
<br />>
> I put the IP in hosts.deny
<br />>
> I put the IP in iptables
<br />>
> Still keeps coming, uses different ip's on server and different users'
<br />>
> I even stopped xinetd, but still keep coming
<br />>
>
<br />>
> netstat looks like this
<br />>
> tcp 0 0 70.246.22.17:110
213.80.73.45:55643
<br />>
> ESTABLISHED 9901/pop3-login
<br />>
> tcp 1 0 70.246.22.25:110
213.80.73.45:58238
<br />>
> CLOSE_WAIT 9596/pop3-login
<br />>
> tcp 0 0 70.246.22.37:110
213.80.73.45:55584
<br />>
> ESTABLISHED 9917/pop3-login
<br />>
> tcp 0 0 70.246.22.29:110
213.80.73.45:55579
<br />>
> ESTABLISHED 9904/pop3-login
<br />>
> tcp 1 0 70.246.22.17:110
213.80.73.45:39467
<br />>
> CLOSE_WAIT 9752/pop3-login
<br />>
> tcp 1 0 70.246.22.37:110
213.80.73.45:47883
<br />>
> CLOSE_WAIT 9508/pop3-login
<br />>
>
<br />>
> maillog looks like this
<br />>
>
<br />>
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
<br />>
> attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45,
<br />>
> lip=70.246.22.22
<br />>
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
<br />>
> attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45,
<br />>
> lip=70.246.22.28
<br />>
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
<br />>
> attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45,
<br />>
> lip=70.246.22.42
<br />>
> May 6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1
<br />>
> attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45,
<br />>
> lip=70.246.22.21
<br />>
>
<br />>
> ideas?
<br />>
<br />>
_______________________________________________
<br />>
Blueonyx mailing list
<br />>
Blueonyx@blueonyx.it
<br />>
<a target="_blank" href="http://www.blueonyx.it/mailman/listinfo/blueonyx">http://www.blueonyx.it/mailman/listinfo/blueonyx</a>
<br /><b>------- End of Original Message
-------</b>
<br />
</font>
</BODY>
</HTML>