Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:
> Try this at the command line and as root!
>
> iptables -I INPUT -s 11.22.33.44 -j DROP
>
> This will stop him dead in his tracks.
> You can use this command for any ip address that gives
> you a problem.
>
>
> On 02/03/2011 11:25 AM, Sergio M wrote:
>> Hi there list,
>> I have been under heavy traffic since Sunday, and it's been using all
>> my inbound connections.
>> I have a QMT updated box, running the latest spamdyke:
>> # qtp-whatami
>> qtp-whatami v0.3.7 Tue Mar  1 21:14:03 ART 2011
>> DISTRO=CentOS
>> OSVER=5.5
>> QTARCH=x86_64
>> QTKERN=2.6.18-194.32.1.el5
>> BUILD_DIST=cnt5064
>> BUILD_DIR=/usr/src/redhat
>> This machine's OS is supported and has been tested.
>>
>>
>> Even though spamdyke does not let the spammers relay the mail, I
>> still get all the connections used, making it very hard for
>> authenticated users to send mail.
>> For now I stopped smtpd, but I want to see if you guys have some other
>> thoughts to solve this.
>>
>> If I see the maillog, I see LOTS of entries like these:
>> Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
>> Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>> Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
>> Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
>> Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
>> Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
>> Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
>> Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
>> Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
>> Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
>> Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
>> Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
>> Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
>> Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
>> Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
>> Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
>> Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
>> Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
>> Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>> Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
>>
>> So I guess some botnet is trying to relay mail guessing a specific
>> domain user's passwords. Most of the attempts are blocked by RBL
>> checking, but that still creates a connection.
>>
>> Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
>> 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
>> 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
>> 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
>> 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
>> 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
>> 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
>> 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
>> 2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
>> 2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
>> 2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
>> 2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
>> 2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
>> 2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
>> 2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
>> 2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
>> 2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
>> 2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
>> 2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
>> 2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
>> 2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
>> You see how it got clogged with incoming connections.
>>
>> So, any ideas or tips to help me solve this?
>> As for now smtpd is stopped.
>>
>> thanks a lot!
>> -Sergio
>>
>> ---------------------------------------------------------------------------------
>>
>> Qmailtoaster is sponsored by Vickers Consulting Group
>> (www.vickersconsulting.com)
>>    Vickers Consulting Group offers Qmailtoaster support and
>> installations.
>>      If you need professional help with your setup, contact them today!
>> ---------------------------------------------------------------------------------
>>
>>     Please visit qmailtoaster.com for the latest news, updates, and
>> packages.
>>          To unsubscribe, e-mail:
>> qmailtoaster-list-unsubscr...@qmailtoaster.com
>>     For additional commands, e-mail:
>> qmailtoaster-list-h...@qmailtoaster.com
>>
>>
>>
>>
>

-- 
Cecil Yother, Jr. "cj"
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com


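An added example, not code from the thread or from fail2ban: a small Python script that does once, over constructed sample lines in the same maillog format Sergio quoted, what a fail2ban jail does continuously: it counts vchkpw-smtp password failures and spamdyke filter hits per source IP and turns the IPs over a threshold into the DROP rule Tony posted. The thresholds, sample addresses and user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the same format as the maillog quoted above
# (addresses and users are made up, not taken from the thread).
SAMPLE_MAILLOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 203.0.113.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:198.51.100.7
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'xxxx') user2@example.com:198.51.100.7
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:198.51.100.7
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 192.0.2.44 rdns: host.example.net
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'xxxx') user1@example.com:203.0.113.10
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 203.0.113.10 file: /var/qmail/control/ip-blacklist(75)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# vpopmail: "... password fail (pass: '...') user@domain:REMOTE_IP" (the IP is the last field)
VCHKPW_FAIL = re.compile(r"vchkpw-smtp: password fail .*:" + IPV4 + r"\s*$")
# spamdyke: "FILTER_<NAME> ip: REMOTE_IP ..." (RBL match, IP blacklist, rDNS filters)
SPAMDYKE_FILTER = re.compile(r"spamdyke\[\d+\]: (FILTER_\w+) ip: " + IPV4)


def count_events(log_text):
    """Return two Counters keyed by source IP: auth failures and spamdyke filter hits."""
    auth_fail, filter_hit = Counter(), Counter()
    for line in log_text.splitlines():
        m = VCHKPW_FAIL.search(line)
        if m:
            auth_fail[m.group(1)] += 1
            continue
        m = SPAMDYKE_FILTER.search(line)
        if m:
            filter_hit[m.group(2)] += 1
    return auth_fail, filter_hit


def offenders(log_text, max_auth_fail=3, max_filter_hits=2):
    """IPs at or over either threshold (assumed values, like a fail2ban maxretry)."""
    auth_fail, filter_hit = count_events(log_text)
    ips = {ip for ip, n in auth_fail.items() if n >= max_auth_fail}
    ips |= {ip for ip, n in filter_hit.items() if n >= max_filter_hits}
    return sorted(ips)


def iptables_rules(ips):
    """Tony's rule per IP: -I inserts at the top of INPUT, so it is matched before any existing ACCEPT."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_MAILLOG)):
        print(rule)
```

The script only prints the rules; fail2ban adds them and, unlike this one-shot, also removes them again after the ban time expires.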