[BlueOnyx:04410] Re: can't stop this attack

Larry Smith lesmith at ecsis.net
Thu May 6 12:27:29 -05 2010


On Thu May 6 2010 11:58, Gerald Waugh wrote:
> sending again as I did not see a post
>
> On Thu, 2010-05-06 at 11:50 -0500, Gerald Waugh wrote:
> > On Thu, 2010-05-06 at 11:47 -0500, Gerald Waugh wrote:
> > > I put the IP in hosts.deny
> > > I put the IP in iptables
> > > Still keeps coming, uses different IPs on the server and different users
> > > I even stopped xinetd, but still keep coming
> > >
> > > netstat looks like this
> > > tcp        0      0 70.246.22.17:110            213.80.73.45:55643      ESTABLISHED 9901/pop3-login
> > > tcp        1      0 70.246.22.25:110            213.80.73.45:58238      CLOSE_WAIT  9596/pop3-login
> > > tcp        0      0 70.246.22.37:110            213.80.73.45:55584      ESTABLISHED 9917/pop3-login
> > > tcp        0      0 70.246.22.29:110            213.80.73.45:55579      ESTABLISHED 9904/pop3-login
> > > tcp        1      0 70.246.22.17:110            213.80.73.45:39467      CLOSE_WAIT  9752/pop3-login
> > > tcp        1      0 70.246.22.37:110            213.80.73.45:47883      CLOSE_WAIT  9508/pop3-login
> > >
> > > maillog looks like this
> > >
> > > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
> > > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
> > > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
> > > May  6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
> > >
> > > ideas?

Gerald,

  Try "/sbin/route add -host 213.80.73.45 reject" (no quotes)
which should drop all packets from this IP.

-- 
Larry Smith
lesmith at ecsis.net
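As an added example, not from anyone in this thread: a small detector that reads dovecot `pop3-login` "auth failed" lines in the format Gerald posted, groups failures by remote IP (`rip`), and reports any source that fails at least `threshold` logins inside a sliding window, together with how many distinct users and local IPs it touched (the spray pattern described above). The sample log lines are constructed to mirror the thread's format; the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the dovecot "Disconnected (auth failed ...)" lines from the thread's maillog.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:pop3|imap)-login: "
    r"Disconnected \(auth failed, \d+ attempts?\): user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def parse_auth_failures(lines, year=2010):
    """Yield (timestamp, remote_ip, user, local_ip) per auth-failure line.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2010 here)."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rip"], m["user"], m["lip"]

def find_bruteforcers(lines, threshold=5, window_seconds=600, year=2010):
    """Return {rip: (failures, distinct_users, distinct_local_ips)} for remote IPs
    with at least `threshold` failures inside any `window_seconds` sliding window."""
    events = defaultdict(list)  # rip -> [(ts, user, lip), ...]
    for ts, rip, user, lip in parse_auth_failures(lines, year):
        events[rip].append((ts, user, lip))
    offenders = {}
    for rip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[rip] = (len(evs), len({e[1] for e in evs}), len({e[2] for e in evs}))
                break
    return offenders

# Constructed sample in the thread's log format; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
May  6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
May  6 11:43:46 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Admin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.17
May  6 11:44:01 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=70.246.22.17
May  6 11:44:02 ns1 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.11, lip=70.246.22.17
""".splitlines()
```

The returned IPs are the candidates for the `route ... reject` or iptables block Larry describes; a single failure from an otherwise quiet address (192.0.2.10 above) stays below the threshold and is not reported.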
