LinuxQuestions.org
Old 03-27-2011, 01:12 PM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
Stop SMTP hammering via route command?


I often see hundreds of entries like this in my logwatch report:
Code:
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<perl>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pernilla>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pete>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<peter>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<petitto>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pgsql>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 2 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<phone>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<phpinfo>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
That rip=80.232.176.202 is a known offender, see http://www.bizimbal.com/odb/details.html?id=900596
I have seen a suggestion to use the route command to block the offending IP:
route add -host 80.232.176.202 reject
However reading the man page about 'route', it says reject is not to be used for firewalling.

I am wondering if this would be correct?
route add -host 80.232.176.202 null

Alternatively, if I put this in iptables INPUT:
DROP all -- 80.232.176.202 anywhere
will it keep that marauder away from Dovecot?

Last edited by cnmoore; 03-27-2011 at 01:27 PM. Reason: Added iptables question
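An added example, not code from cnmoore's post or from LQ: a small Python script that parses logwatch's Dovecot summary lines in the format quoted above and groups the auth failures by remote address (rip). Seen that way the pattern stands out (one address cycling through many usernames), and the script also emits the per-address INPUT DROP rule the post asks about. The sample input is constructed: it reuses the quoted lines and adds one line for a made-up second address (192.0.2.7, a documentation-range address) so the grouping is visible.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the logwatch summary lines quoted in the post, plus
# one line for a made-up second address (documentation range) so that the
# per-address grouping is visible.
SAMPLE_LOGWATCH = """\
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<perl>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pernilla>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pete>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 1 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<pgsql>, method=PLAIN, rip=80.232.176.202, lip=75.127.110.25: 2 Time(s)
   dovecot[2011]: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.7, lip=75.127.110.25: 1 Time(s)
"""

# One logwatch summary line: service, attempts in that session, user tried,
# remote/local address, and how many times logwatch saw the identical line.
AUTH_FAIL_RE = re.compile(
    r"(?P<service>\w+)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+): (?P<count>\d+) Time\(s\)"
)


def summarize_auth_failures(text):
    """Group Dovecot 'auth failed' summary lines by remote address (rip).

    Returns {rip: {"failures": int, "users": set, "services": set}} where
    failures = attempts-per-session * number of times logwatch saw the line.
    """
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "services": set()})
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue  # not an auth-failure line; other Dovecot lines are ignored
        entry = summary[m["rip"]]
        entry["failures"] += int(m["attempts"]) * int(m["count"])
        entry["users"].add(m["user"])
        entry["services"].add(m["service"])
    return dict(summary)


def flag_offenders(summary, min_failures=4):
    """Addresses whose failure total reaches the threshold, worst first."""
    hits = [(rip, e["failures"]) for rip, e in summary.items() if e["failures"] >= min_failures]
    return [rip for rip, _ in sorted(hits, key=lambda x: -x[1])]


def drop_rule(rip):
    """Build the INPUT DROP rule from the post for one address.

    The address is validated first so that a malformed log field can never
    end up inside a shell command; ValueError is raised on garbage.
    """
    addr = ipaddress.ip_address(rip)
    return f"iptables -A INPUT -s {addr} -j DROP"


if __name__ == "__main__":
    s = summarize_auth_failures(SAMPLE_LOGWATCH)
    for rip in flag_offenders(s):
        e = s[rip]
        print(f"{rip}: {e['failures']} failed logins across {len(e['users'])} usernames "
              f"({', '.join(sorted(e['services']))})")
        print("   ", drop_rule(rip))
```

Run it against a saved logwatch report instead of the sample by reading the file into `summarize_auth_failures`; the distinct-username count per address is the useful signal, since a client with a mistyped password fails repeatedly on one username, whereas a dictionary run fails once on each of many.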
 
Old 03-27-2011, 03:15 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
I'm a bit concerned you think this has anything to do with SMTP, but just drop the packets in iptables; don't mess with your routing table, that's what firewalls are for.
 
Old 03-27-2011, 03:24 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Rep: Reputation: 69
It's a pop3-login. Set up fail2ban to track and ban any IP that has a certain amount of failed attempts.
 
Old 03-27-2011, 04:31 PM   #4
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by trist007
It's a pop3-login. Set up fail2ban to track and ban any IP that has a certain amount of failed attempts.
I don't use fail2ban, but I'm pretty much at home with iptables.

I have a throttle for ssh:
Code:
Chain INPUT
AUTOBAN  tcp  --  anywhere    anywhere  tcp dpt:ssh state NEW
...
Chain AUTOBAN (1 references)
target prot opt source    destination
       all  --  anywhere  anywhere  recent: SET name: SSH side: source
DROP   all  --  anywhere  anywhere  recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
I would love to have a similar thing for email but I don't know how to specify it - replace 'SSH' with what?

I don't think I want to throttle all types of tcp, just SSH and email login. The forum has search bots visiting and users can have many browser tabs open so I don't want to throttle http.

Incidentally, I did think email used SMTP (Simple Mail Transfer Protocol), but I guess that's not what it is internally. A bit at sea with email.
 
Old 03-27-2011, 04:51 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
You basically need to understand port numbers more. ssh = 22, pop3 = 110 and, fwiw, smtp = 25; it's nothing sophisticated, just different numbers. So here, 22 becomes 110.

Whilst it may seem more friendly, I'd advise against doing port resolution in iptables. If you do "iptables -Lnv" you'll get a much better output of your rulebase with "ssh" replaced with "22".

Last edited by acid_kewpie; 03-27-2011 at 04:54 PM.
 
Old 03-27-2011, 05:14 PM   #6
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
You basically need to understand port numbers more. ssh = 22, pop3 = 110 and, fwiw, smtp = 25; it's nothing sophisticated, just different numbers. So here, 22 becomes 110.

Whilst it may seem more friendly, I'd advise against doing port resolution in iptables. If you do "iptables -Lnv" you'll get a much better output of your rulebase with "ssh" replaced with "22".
So I should do:
Code:
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j DROPMAIL
and
Code:
-A DROPMAIL -m recent --set --name EMAIL --rsource
-A DROPMAIL -m recent --update --seconds 60 --hitcount 4 --name EMAIL --rsource -j DROP
Does that look right?

Last edited by cnmoore; 03-27-2011 at 05:15 PM.
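An added example, not from the thread: a Python model of what the two DROPMAIL rules above do to a stream of NEW connections to port 110, written to the semantics of the xt_recent match (each `--set` records a timestamp for the source address; `--update --seconds 60 --hitcount 4` matches when at least 4 recorded stamps fall within the last 60 seconds and, on a match, records another stamp; the list keeps the 20 most recent stamps per address by default). The event list is constructed; 192.0.2.7 is a made-up legitimate client and 80.232.176.202 is the address from the first post.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # --seconds 60
HIT_COUNT = 4          # --hitcount 4
STAMPS_PER_ENTRY = 20  # xt_recent default (ip_pkt_list_tot)

ATTACKER = "80.232.176.202"  # the rip from the first post
CLIENT = "192.0.2.7"         # constructed: a legitimate mail client (documentation range)

# Constructed events: (seconds, source) for NEW TCP connections to port 110.
SAMPLE_EVENTS = [
    (0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (3, ATTACKER), (4, ATTACKER),
    (0, CLIENT), (90, CLIENT),
    (200, ATTACKER),  # comes back after more than a minute of silence
]


class RecentTable:
    """Model of one xt_recent list (here --name EMAIL) keyed by source address."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=STAMPS_PER_ENTRY))

    def set(self, src, now):
        # --set: add the address if missing and record this packet's timestamp.
        self.entries[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds N --hitcount M: match only if the address is already
        # listed and has >= M stamps within the last N seconds. On a match the
        # stamp is refreshed; that is what distinguishes --update from --rcheck.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def dropmail_chain(table, src, now):
    """Walk one NEW connection through the DROPMAIL chain from the post."""
    # -A DROPMAIL -m recent --set --name EMAIL --rsource   (no target: always falls through)
    table.set(src, now)
    # -A DROPMAIL -m recent --update --seconds 60 --hitcount 4 --name EMAIL --rsource -j DROP
    if table.update(src, now, WINDOW_SECONDS, HIT_COUNT):
        return "DROP"
    return "RETURN"  # end of chain: back to INPUT, where the packet is accepted as before


def simulate(events):
    """Return [(seconds, source, verdict)] for the events in time order."""
    table = RecentTable()
    return [(t, src, dropmail_chain(table, src, t)) for t, src in sorted(events)]


if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:>3}s  {src:<16} {verdict}")
```

Because `--set` runs before `--update`, the current connection is already counted, so the fourth NEW connection from one address within 60 seconds is the first one dropped, and every dropped attempt records a further stamp, so an address that keeps retrying extends its own block; once it stays quiet for a minute the stamps age out and it is admitted again. The same arithmetic applies to a legitimate client, or several clients behind one NAT address, that opens four POP3 sessions inside a minute, so after deploying the rules it is worth watching the list the kernel exposes for the name (/proc/net/xt_recent/EMAIL on current kernels, /proc/net/ipt_recent/EMAIL on older ones) for addresses you recognise.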
 
Old 03-27-2011, 09:12 PM   #7
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
I added that to iptables and I think it is working - nothing broke, anyway. I still get mail from the forum. I don't know yet whether it will stop the hammering on POP3.
 
Old 03-28-2011, 03:31 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Yeah, rate limiting pop3 cannot stop you receiving mail from anyone; that's not what pop3 is for, it's for downloading the mail that you have already received.
 
Old 03-28-2011, 01:20 PM   #9
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
I have assumed that when there are hundreds of "pop3-login: Disconnected (auth failed, .." the marauder is trying all different user names/passwords and that if they succeed in breaking into an account they can then use it to send out spam.

We are actually very safe as there are only two email accounts on the server and both have 17 character randomly generated passwords. But the trash clutters my logwatch and of course uses resources.

Can't really tell yet if the iptables thingy is working as pop-3 login hammering doesn't happen every day. There is something new in the logwatch report, though. Masses of these:

Code:
--------------------- Dovecot Begin ------------------------

 Dovecot disconnects:
   Logged out bytes=102/1952: 1 Time(s)
   Logged out bytes=114/1395: 3 Time(s)
   Logged out bytes=117/1401: 2 Time(s)
   Logged out bytes=132/1395: 2 Time(s)
   Logged out bytes=132/1398: 1 Time(s)
   Logged out bytes=135/1401: 4 Time(s) ...
I have no idea what those are or how to interpret them.

Last edited by cnmoore; 03-28-2011 at 02:57 PM. Reason: removed stuff I figured out
 
All times are GMT -5. The time now is 02:36 AM.