[BlueOnyx:07949] Re: Possible Attack

Chuck Tetlow chuck at tetlow.net
Mon Aug 1 19:59:00 -05 2011


For a temporary block (usually enough to discourage hacking activity) - use the command
iptables -I acctin 1 -s sourceIP/mask -j DROP

Replace the "sourceIP" with the originating IP address, or network.  And replace the "mask" with the netmask corresponding to the number of IPs you want to block.  Most of the time, I won't block less than a /24 network.  Since a lot of the hacking activity I see comes from an IP that reverses to a valid company name - one exploited server being used for hacking indicates the company is lax and has probably had more than one exploited.

But remember - this firewall rule is temporary.  The next time the server is rebooted, a virtual site added, a virtual site deleted, or the firewall reset - rules you've put in at the command-line like this are gone.  As I said, this is good for temporary blocks.  And those blocks are usually sufficient to deter hacking activities.

Chuck

---------- Original Message -----------
From: Chris <cwallace at wcnet.org> 
To: blueonyx at blueonyx.it 
Sent: Tue, 2 Aug 2011 00:35:49 +0000 (UTC) 
Subject: [BlueOnyx:07948]  Possible Attack

> Logwatch 7.3 Automount Begin Unmatched Entries 
> >> /etc/auto.net: line 40: --no-headers: command not found: 1 Time(s) 
> key ".ftpaccess" not found in map source(s).: 1 Time(s) 
> Automount End Dovecot Begin Unmatched Entries 
>    dovecot: imap-login: Aborted login (no auth attempts): rip=127.0.0.1, 
> lip=127.0.0.1, secured: 96 Time(s) 
>    dovecot: imap-login: Disconnected (auth failed, 1 attempts): 
> user=<Administrator>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 43 
> Time(s) 
> user=<zackary>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 33 Time(s) 
>    dovecot: pop3-login: Aborted login (no auth attempts): rip=127.0.0.1, 
> lip=127.0.0.1, secured: 96 Time(s) 
>    dovecot: pop3-login: Aborted login (no auth attempts): rip=64.221.129.242, 
> lip=192.168.1.10: 1083 Time(s) 
>    dovecot: pop3-login: Disconnected (auth failed, 1 attempts): 
> user=<trojan>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 1 Time(s) 
>    dovecot: pop3-login: Disconnected (auth failed, 1 attempts): 
> Dovecot End pam_unix Begin 
> dovecot: 
>    Authentication Failures: 
>       help rhost=64.221.129.242 : 1 Time(s) 
>       support rhost=64.221.129.242 : 1 Time(s) 
>    Unknown Entries: 
>       check pass; user unknown: 2 Time(s) 
> proftpd: 
>    Unknown Entries: 
>       session closed for user admin: 1 Time(s) 
>       session opened for user admin by (uid=0): 1 Time(s) 
> pam_unix End 
> proftpd-messages Begin 
> Unmatched Entries 
> 97 Ignored Lines 
> proftpd-messages End 
> Connections (secure-log) Begin 
> Refused Connections: 
>    Service dovecot: 
>       64.221.129.242: 23272 Time(s) 
> Connections (secure-log) End 
> sendmail Begin 
> SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS 
> WARNING!!!!  Possible Attack: 
>    Attempt from [78.100.55.218] with: 
>       command=AUTH, count=6: 648 Time(s) 
>     Total:  648 Time(s) 
> Unmatched Entries 
>    STARTTLS=server, relay=pershing.verizonwireless.com [162.115.228.36], 
> field=cn_issuer, status=failed to extract CN: 1 Time(s) 
> sendmail End 
> 
>   I have been getting a few of these a day but lately been getting a lot.
> Was wondering if there is a way to perm block an ip address or range.
> Also noticed that my mail hasn't been showing the blocked mail from a rbl now.
> The log shows possible break in so not sure if it is or not or how to find out.
> Thanks in advance for any help.
> Here is a copy of my shortened logs that had over 23k logins in under 1 day.
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at mail.blueonyx.it 
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
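The following script is an added example for this thread; it is not from Chuck's reply, Chris's post, or BlueOnyx itself. It reads raw Dovecot log lines (the same "Disconnected (auth failed ...)" messages that Logwatch summarised above, here as constructed sample lines with a syslog timestamp), counts failed authentications per remote IP ("rip="), and prints the temporary block command from the reply, rounded to the network prefix you choose (Chuck's /24 habit is the default). The chain name "acctin" is taken from the reply; the threshold, the helper names and the sample lines are assumptions made for the example. The script only prints the iptables command and never runs it, so nothing changes until you run the output yourself as root, and whatever you add that way is still lost on the next reboot or firewall reset, exactly as the reply says.

```sh
#!/bin/sh
# Added example, not code from the BlueOnyx list post. Counts Dovecot auth
# failures per remote IP and prints the temporary iptables block command the
# reply describes. Prints only; it never calls iptables itself.

# Constructed sample of raw Dovecot log lines (not a real capture). These are
# the messages Logwatch rolled up as "N Time(s)" in the quoted report.
SAMPLE_LOG='Aug  1 10:01:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<Administrator>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10
Aug  1 10:01:03 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<zackary>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10
Aug  1 10:01:04 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<trojan>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10
Aug  1 10:02:00 host dovecot: imap-login: Aborted login (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Aug  1 10:03:00 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.168.1.10'

# count_auth_failures: read log lines on stdin, print "count ip" pairs,
# highest count first. Only lines with a real failed authentication count;
# "Aborted login (no auth attempts)" lines are ignored.
count_auth_failures() {
    grep 'auth failed' \
        | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# valid_ipv4 IP: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# network_of IP PREFIXLEN: print the network address of IP under /PREFIXLEN,
# e.g. 64.221.129.242 24 -> 64.221.129.0. Pure awk arithmetic, no bit ops
# needed because a 32-bit value fits exactly in an awk double.
network_of() {
    echo "$1" | awk -v m="$2" -F. '{
        n = ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4
        s = 2 ^ (32 - m)
        n = int(n / s) * s
        printf "%d.%d.%d.%d\n", int(n / 16777216) % 256, int(n / 65536) % 256, int(n / 256) % 256, n % 256
    }'
}

# block_cmd IP [PREFIXLEN]: print the temporary block command from the reply
# for the network containing IP (default /24). Validates both arguments
# first so a garbled log field cannot turn into a bad rule.
block_cmd() {
    bc_ip=$1; bc_mask=${2:-24}
    valid_ipv4 "$bc_ip" || { echo "block_cmd: bad IPv4 address: $bc_ip" >&2; return 1; }
    case $bc_mask in
        ''|*[!0-9]*) echo "block_cmd: bad prefix length: $bc_mask" >&2; return 1 ;;
    esac
    [ "$bc_mask" -le 32 ] || { echo "block_cmd: bad prefix length: $bc_mask" >&2; return 1; }
    bc_net=$(network_of "$bc_ip" "$bc_mask")
    echo "iptables -I acctin 1 -s $bc_net/$bc_mask -j DROP"
}

# suggest_blocks THRESHOLD [PREFIXLEN]: read raw Dovecot lines on stdin and
# print one block command per remote IP with at least THRESHOLD failures.
suggest_blocks() {
    sb_threshold=$1; sb_mask=${2:-24}
    count_auth_failures | while read -r count ip; do
        if [ "$count" -ge "$sb_threshold" ]; then
            block_cmd "$ip" "$sb_mask"
        fi
    done
}

# Stand-alone demo: with the constructed sample, only 64.221.129.242 reaches
# three failures, so one /24 block command is printed.
printf '%s\n' "$SAMPLE_LOG" | suggest_blocks 3 24
```

On a live server you would feed the real mail log instead of SAMPLE_LOG (for example `suggest_blocks 50 24 < /var/log/maillog`, path assumed) and review the printed lines before running any of them. Note that the script counts only "auth failed" lines, so the 1083 "Aborted login (no auth attempts)" entries in Chris's report would not add to the count; if you want those treated as hostile as well, widen the grep pattern deliberately rather than by accident.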
 