LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-01-2011, 09:14 PM   #1
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Rep: Reputation: 15
POP3 DDOS Attack


Hi,

Currently my mail server is being targeted by a POP DDOS attack. The POP packet requests come in very fast.
I have been blocking it using my iptables but my server slows to a crawl. Is there any solution to this problem?

37 1924 DROP tcp -- * * 74.63.213.126 0.0.0.0/0 tcp dpt:110

I have written to abuse@limestonenetworks.com and noc@limestonenetworks.com as they are the administrator of the IP above.

I have tried Google and found that others are having the same problem. Some solutions required unplugging the internet or changing IP, but none of these are feasible for me.

My system:
Slackware 12.2
Kernel 2.6.27.7-smp
popa3d-1.0.2-i486-2
iptables-1.4.2-i486-1

If you need any other info, do let me know.

Thanks for any help and suggestions.
 
Old 11-01-2011, 09:24 PM   #2
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,554
Blog Entries: 15

Rep: Reputation: 2097
Can you block it from your Gateway/Router? Blocking it at the Gateway should restore some network stability. Your best bet would be to keep the packets off your network totally.
 
Old 11-01-2011, 09:33 PM   #3
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Original Poster
Rep: Reputation: 15
Thanks ReaperX7,

This mail server is at the data centre, which has a direct line to it, so there is no router or gateway.
If it needs to be blocked at the gateway/router, I believe I may need to pay the data centre for a managed firewall service.

Alternatively, I may have to put a firewall box (CISCO ASA5505?) in front of the mail server and NAT to it.
Do you think this will solve the problem?
Will my firewall be congested as well by the DDOS?

Anyone else got any solutions or suggestions?

 
Old 11-01-2011, 09:52 PM   #4
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,554
Blog Entries: 15

Rep: Reputation: 2097
The firewall would be a recommended addition. As far as whatever type you go with, Stateful Packet Inspection and Filtering models are what I would recommend regardless. However the CISCO ASA5510 might do a little bit better of a job, but that's just my cup of tea. Look into Barracuda Networks as well. They MIGHT be a bit more but they are one of the better solutions to get.
 
Old 11-01-2011, 09:57 PM   #5
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,367

Rep: Reputation: 843
You say DDOS but you're blocking a specific IP...is it just a DOS attack instead then? I would just drop all packets from that IP (forget checking for POP3) at the highest level you can (and from your description it sounds like that may be the server itself). If it's a DDOS then finding the right packets to block is very difficult since it comes from a range of IPs and possibly multiple countries and discriminating between legitimate and malicious traffic becomes difficult...but if it is just a DOS attack then you're going about it the right way (I would just suggest widening the iptables rule to include all ports from that IP in case they target other ports). If you can only filter at the lowest level (the server itself) then the same number of packets will get to your box and use up available bandwidth -- you just won't use up additional bandwidth by serving responses back to the IP. Generally for a regular DOS attack this is sufficient since the speed of the connection from a single client to a single server is not sufficient to cause a massive delay for other clients...but if this is different in your case then the best you can do is filter the IP and report it to the provider (which you have done).
 
Old 11-01-2011, 11:35 PM   #6
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Original Poster
Rep: Reputation: 15
Hi T3Slider,

I have blocked ICMP requests as well, hoping to prevent other 'bots' from targeting my mail server.

So far only this specific IP has targeted the POP service.
You are right, it's sensible to block all traffic from this IP, in case it targets other ports.
The incoming POP request rate is estimated to be close to 100 requests per second.

I am planning to add in a CISCO5510 and NAT the traffic to the mail server.

Thanks for the suggestions, appreciate it.

If any kind souls out there know of any other solutions/suggestions, please do let me know, thanks.

 
Old 11-02-2011, 12:32 AM   #7
hen770
Member
 
Registered: Oct 2010
Distribution: Arch
Posts: 136

Rep: Reputation: 7
First check that the server itself is slow because of the attack and not a bandwidth problem, because if it is a bandwidth problem (from the DOS attack) it wouldn't help you to add the Cisco firewall.

It is quite unclear how one source could bring your server to its knees, so I would do a thorough scan of the server in order to find more culprits.
 
Old 11-02-2011, 12:46 AM   #8
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Original Poster
Rep: Reputation: 15
Hi hen770,

The server was up for a few years and only recently encountered this issue.
Recently my external users complained of POP timeouts, but I thought it was their internet line being congested.
After a few more external users had the same problem, I went to the server and checked using 'iptraf'.
I only found this persistent and consistent POP attempt by a single IP.
The IP can be from different sources, sometimes from Korea, China, Turkey, the Middle East or the USA.

However, after the POP attempts subsided (could be a few minutes to half an hour), everything went back to normal.
Occasionally it will come back and go through the POP attempts again.

I don't allow my users shell access; all settings are done through the web interface.
My lastlog reveals no user login access. My SSH access is only permitted from recognized/authorized IPs.

 
Old 11-02-2011, 07:23 AM   #9
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,554
Blog Entries: 15

Rep: Reputation: 2097
You could attempt a whois or tracert and see what you can find about the IP and maybe the user. Could be a random bounce around the web, but it could be a group with multiple IP addresses that can be traced through IP address lease and account ownership.
 
Old 11-02-2011, 07:42 AM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
You really should apply your filtering in layers, if at all possible. When you get your ASA or other hardware upstream of your server this will act as one layer. In the meantime, your focus should be on configuring your server to reject this malicious traffic. Of course, the required response requires that you have correctly identified the true nature of the problem. Assuming you have, the first line of defense would be to use iptables, as others have suggested. Consequently, let me start out by asking what does your current iptables firewall look like? There are a few options to consider, ranging from blocking an IP to rate limiting the number of connection attempts allowed on a particular service. A second line of defense would be to use an application like fail2ban, which monitors the log files and will dynamically respond to these attempts to overload your system and block them for a period of time. A third layer would be to add white and black list filtering to your application.

As we like to deal with facts rather than assumptions, please provide as much detail as you can regarding the nature of the problem, such as log entries, data regarding the IP in question, what specific steps you have taken, a description of your system topology (routers, switches, etc, that are in the data stream), and so forth.
 
Old 11-02-2011, 10:35 AM   #11
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Quote:
Originally Posted by ReaperX7
Look into Barracuda Networks as well. They MIGHT be a bit more but they are one of the better solutions to get.
I really *wouldn't* do that. AFAIR they provide no device to protect POP traffic on port 110 (their 'spam and virus firewall' being a port 25 device and not a firewall of any kind in any case) TBH, they tend to sell boxes that are simple Linux devices filled with FOSS software glued together with some tatty Perl scripts. The only 'Firewall' part of them is IPTables. Discount this as any kind of solution.

Dropping the traffic is about the best you can hope for (or putting in a null route) - and even putting a firewall in front of it probably won't make a massive difference.

I would not call this a DDoS attack in any case as you are citing a single IP address here. Have you checked the logs to make sure this is not actually a sustained brute force password attack?

 
Old 11-03-2011, 01:50 AM   #12
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Original Poster
Rep: Reputation: 15
Hi ReaperX7,

I did a whois on the IP and found the admin.
Email to them about it, no response from them but the attempts stopped.

Hi Noway2,

My email servers are co-located at a data centre.

Simplified structure:
data centre internet access -> switch -> both my email servers

As of now, all traffic from the IP is dropped (before that I was just blocking port 110 traffic).
T3Slider suggested blocking all, and true enough, soon I was seeing attempts from the same IP to IMAP services.

My iptables by default block all incoming and allow authorized ports only.

Is this what you meant by limiting the number of connections?
Code:
$IPTABLES -A POP_CHECK -m recent --update --seconds 60 --hitcount 10 --name POP -j DROP
$IPTABLES -A POP_CHECK -m recent --update --seconds 600 --hitcount 15 --name POP -j DROP
Currently I have created a script to monitor abnormal unsuccessful attempts and block the IP dynamically.
I am not very good at bash, but the script works for me. (Email modified to prevent abuse.)
I run this every 5 mins.
If within 5 mins I get 10 unsuccessful attempts from the same IP, it will get blocked.
Code:
#!/bin/bash
#
# Script to check the failed logins in /var/log/messages (POP) and send email notification
#
# Date       : 5 May 2011
# Modified   : 6 Aug 2011
#
# The (( )) arithmetic below is a bash feature, so the shebang is /bin/bash, not /bin/sh.
#
FROMEMAIL='admin@mydomain'
ADMINEMAIL='admin@mydomain'
SERVER=$(cat /etc/HOSTNAME)
IPTABLES="/usr/sbin/iptables"
INTERNET="0/0"
COUNTERFILE=/usr/local/bin/failed-messages
WORKDIR=/var/tmp

# Missing counter file (first run) counts as 0 instead of breaking the arithmetic.
PREVIOUSCOUNTER=$(cat "$COUNTERFILE" 2>/dev/null || echo 0)
FAILCOUNTER=$(grep -c failed /var/log/messages)
echo "$FAILCOUNTER" >"$COUNTERFILE"
echo "Current Fail Counter : $FAILCOUNTER"
echo "Previous Fail Counter : $PREVIOUSCOUNTER"
DIFF=$((FAILCOUNTER - PREVIOUSCOUNTER))
if (( DIFF > 10 ))
then
        echo "$DIFF"
        # Only "connect from" lines carry the client address in field 8;
        # "Authentication failed for UNKNOWN USER" lines would yield "UNKNOWN".
        tail --lines=70 /var/log/secure | grep 'connect from' | awk '{print $8}' | sort | uniq -c >"$WORKDIR/cpop-fail"
        echo "[$(hostname)] ($DIFF) Abnormal POP Failures." >"$WORKDIR/apop"
        # Finish writing the report before mail reads it (piping cat into mail
        # while mail also read the file let mail start before cat had finished).
        cat "$WORKDIR/cpop-fail" >>"$WORKDIR/apop"
        mail -r "$FROMEMAIL" -s "[$(hostname)]: ($DIFF) Abnormal POP Failures" "$ADMINEMAIL" <"$WORKDIR/apop"

        # Rebuild the chain. Remove the INPUT jump first: -X fails while the chain is
        # still referenced, and re-appending the jump on every run would duplicate it.
        $IPTABLES -D INPUT -p tcp --dport 110 -m state --state NEW -j POP_CHECK 2>/dev/null
        $IPTABLES -F POP_CHECK 2>/dev/null
        $IPTABLES -X POP_CHECK 2>/dev/null
        $IPTABLES -N POP_CHECK

        # uniq -c output is "<count> <ip>"; read splits the two fields for us.
        while read -r COUNT IP
        do
                if (( COUNT > 20 ))
                then
                    $IPTABLES -I POP_CHECK 1 -p tcp -s "$IP" -d $INTERNET --dport 110 -j DROP
                fi
        done <"$WORKDIR/cpop-fail"
        # One catch-all ACCEPT after the per-IP drops (previously appended once per blocked IP).
        $IPTABLES -A POP_CHECK -p tcp -s $INTERNET -d $INTERNET --dport 110 -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport 110 -m state --state NEW -j POP_CHECK
else
        echo "OK! No Action Needed"
fi
Currently the IP is no longer trying to brute force my email servers.
Everything is back to normal. I think it may not help if the culprit tries again to jam up my bandwidth.
I can block all I want, but ultimately it will slow down (or time out) my users' access to the mail servers.

My various extracts of logs that show the same IP.
Code:
Nov  2 09:59:04 mail02 popa3d[31105]: Authentication failed for UNKNOWN USER
Nov  2 10:19:52 mail02 popa3d[5320]: Authentication failed for UNKNOWN USER
Nov  2 10:21:22 mail02 popa3d[5886]: Authentication failed for UNKNOWN USER
Nov  2 10:21:22 mail02 popa3d[5885]: Authentication failed for UNKNOWN USER
Nov  2 10:21:23 mail02 popa3d[5954]: Authentication failed for UNKNOWN USER
Nov  2 10:21:23 mail02 popa3d[5958]: Authentication failed for UNKNOWN USER
Nov  2 10:21:24 mail02 popa3d[5964]: Authentication failed for UNKNOWN USER
Nov  2 10:21:25 mail02 popa3d[5967]: Authentication failed for UNKNOWN USER
Nov  2 10:21:25 mail02 popa3d[5970]: Authentication failed for UNKNOWN USER
Nov  2 10:21:26 mail02 popa3d[5973]: Authentication failed for UNKNOWN USER
Nov  2 10:21:27 mail02 popa3d[5976]: Authentication failed for UNKNOWN USER
Nov  2 10:21:28 mail02 popa3d[5979]: Authentication failed for UNKNOWN USER
Nov  2 10:21:30 mail02 popa3d[5982]: Authentication failed for UNKNOWN USER
Nov  2 10:21:31 mail02 popa3d[5985]: Authentication failed for UNKNOWN USER
Nov  2 10:21:32 mail02 popa3d[5988]: Authentication failed for UNKNOWN USER
Nov  2 10:21:34 mail02 popa3d[5993]: Authentication failed for UNKNOWN USER

Nov  2 10:21:45 mail02 popa3d[6029]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:46 mail02 popa3d[6032]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:47 mail02 popa3d[6037]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:48 mail02 popa3d[6040]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:49 mail02 popa3d[6043]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:50 mail02 popa3d[6047]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:51 mail02 popa3d[6050]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:52 mail02 popa3d[6053]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:53 mail02 popa3d[6056]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:54 mail02 popa3d[6059]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:55 mail02 popa3d[6062]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:56 mail02 popa3d[6065]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:57 mail02 popa3d[6068]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:21:59 mail02 popa3d[6071]: connect from 74.63.213.126 (74.63.213.126)
Nov  2 10:22:00 mail02 popa3d[6074]: connect from 74.63.213.126 (74.63.213.126)


Nov  2 13:02:51 mail02 imapd[18981]: Login failed user=administrator auth=administrator host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:02:52 mail02 imapd[18982]: Login failed user=web auth=web host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:02:54 mail02 imapd[18986]: Login failed user=test auth=test host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:02:55 mail02 imapd[18987]: Login failed user=www auth=www host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:02:56 mail02 imapd[18988]: Login failed user=web auth=web host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:02:59 mail02 imapd[18992]: Login failed user=sybase auth=sybase host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:01 mail02 imapd[18998]: Login failed user=oracle auth=oracle host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:02 mail02 imapd[19199]: Login failed user=oracle8 auth=oracle8 host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:02 mail02 imapd[19200]: Login failed user=www auth=www host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:02 mail02 imapd[19201]: Login failed user=informix auth=informix host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:03 mail02 imapd[19202]: Login failed user=web auth=web host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:05 mail02 imapd[19206]: Login failed user=administrator auth=administrator host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:06 mail02 imapd[19210]: Login failed user=informix auth=informix host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:09 mail02 imapd[19221]: Login failed user=web auth=web host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:11 mail02 imapd[19225]: Login failed user=administrator auth=administrator host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:13 mail02 imapd[19229]: Login failed user=web auth=web host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:15 mail02 imapd[19230]: Login failed user=oracle8 auth=oracle8 host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:15 mail02 imapd[19231]: Login failed user=administrator auth=administrator host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:19 mail02 imapd[19241]: Login failed user=www auth=www host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:20 mail02 imapd[19242]: Login failed user=informix auth=informix host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:22 mail02 imapd[19244]: Login failed user=oracle8 auth=oracle8 host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:23 mail02 imapd[19245]: Login failed user=lizdy auth=lizdy host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:25 mail02 imapd[19246]: Login failed user=oracle auth=oracle host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:26 mail02 imapd[19247]: Login failed user=sybase auth=sybase host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:26 mail02 imapd[19248]: Login failed user=oracle8 auth=oracle8 host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:27 mail02 imapd[19249]: Login failed user=lizdy auth=lizdy host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:30 mail02 imapd[19252]: Login failed user=sybase auth=sybase host=126-213-63-74.servebyte.net [74.63.213.126]
Nov  2 13:03:31 mail02 imapd[19255]: Login failed user=lizdy auth=lizdy host=126-213-63-74.servebyte.net [74.63.213.126]
Hi leslie_jones,

Sorry that I did not provide the full picture. I have 2 email servers but I used only one as an example.
Both email servers are hit by the same IP.

 
Old 11-03-2011, 08:11 AM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
Originally Posted by Manuel-H
Hi ReaperX7,

I did a whois on the IP and found the admin. Email to them about it, no response from them but the attempts stopped.
It is good that they stopped. It is possible, though I don't know how likely, that they had some malware on their system that was responsible and your bringing it to their attention caused them to deal with it. It looks like limestone networks is a smaller hosting outfit with about 63 public addresses, at least in that block. Your report may have indeed caused them to take action.

Quote:
Simplified structure data centre internet access -> switch -> both my email servers
It is unlikely that you will be able to put a physical device in front of this hardware and you will probably be limited to iptables and other software solutions, unless the problem is severe enough to warrant support from your hosting provider.

Quote:
As of now, all traffic from the IP will be drop (b4 that I was just blocking 110 traffic).
T3Slider suggested to blocked all, true enough, soon I was seeing attempts from same IP to imap services.

My iptables are by default block all incoming and allow authorized ports only.

Is this something what you meant by limiting number of connections?
Code:
$IPTABLES -A POP_CHECK -m recent --update --seconds 60 --hitcount 10 --name POP -j DROP
$IPTABLES -A POP_CHECK -m recent --update --seconds 600 --hitcount 15 --name POP -j DROP
Yes, this would be rate limiting and rate limiting should certainly help, at least as long as you block the right ports. Your script looks like it is incomplete though. Here is an example for port 22 that I use:
Code:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP 
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
Notice how it triggers on the state new, and then blocks on an excessive number of new connections, which is slightly different.

Quote:
Currently I create a script to monitor abnormal unsuccessful attempts and block the IP dynamically.
I am not very good in bash, but the script works for me. (email modifed to prevent abuse)
I run this every 5 mins.
If within 5 mins I got 10 unsuccessful attempts from the same IP, it will get blocked.
..trimmed..
Instead of using your own custom script, check out the application fail2ban. It has been around quite a long time and has a very solid reputation. Not that there is anything wrong with writing a script. In fact, I applaud the fact that you took this approach. The application developers and maintainers have had a lot of time to react to issues and threats which might give that application a bit of advantage that you could take benefit of.

Quote:
Currently the IP is no longer trying to brute force attempt to my email servers anymore.
Everything back to normal. I think it may not help if the culprit try again to jam up my bandwidth.
I can block all I want, but ultimately it will slow down(or timeout) my user access to the mail servers.

My various extracts of log that show the same IP.
The fact that it is the same IP reinforces my suspicion that someone had an infected machine with a script that was responsible rather than a deliberately dedicated attack against you. You should be able to use filtering to eliminate this kind of noise. If you are facing a true attack to where filtering methods and other host based techniques don't work, then you will be needing the assistance of the data center. Having implemented these techniques will put you in a good position to demonstrate why their assistance would be justified too.
 
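A log-driven version of the check the poster's cron script performs and of the rate limiting Noway2 describes, written here as an added example (not the poster's script, and not code from popa3d or fail2ban). It parses the two log formats quoted in the thread, popa3d "connect from" and imapd "Login failed", applies a sliding window rather than a fixed 5-minute interval, and renders the all-ports DROP rules instead of running them; the sample log lines, IPs and hostname are constructed placeholders.

```python
"""Sliding-window detection of a single-source POP3/IMAP flood.

Added example (not code from the thread, popa3d or fail2ban). It replays
the two syslog formats quoted in the thread, popa3d "connect from" and
imapd "Login failed", and reports any source address with more than
`threshold` attributable events inside a `window`-second span, then
renders the all-ports DROP rules instead of executing them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One regex per log format; each captures the syslog timestamp and client IP.
POPA3D_CONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ popa3d\[\d+\]: "
    r"connect from (?P<ip>\d+\.\d+\.\d+\.\d+)")
IMAPD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imapd\[\d+\]: "
    r"Login failed user=\S+ auth=\S+ host=\S+ \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")
# popa3d's "Authentication failed for UNKNOWN USER" lines carry no address,
# which is why awk '{print $8}' over the raw file also counts "UNKNOWN".


def parse_event(line, year=2011):
    """Return (timestamp, ip) for a line that names a client, else None."""
    for rx in (POPA3D_CONNECT, IMAPD_FAIL):
        m = rx.match(line)
        if m:
            # syslog omits the year; the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["ip"]
    return None


def find_offenders(lines, threshold=10, window=60):
    """Report an IP the moment it has more than `threshold` events within
    any `window`-second span. Returns {ip: time_of_first_exceedance}."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip = ev
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()              # expire events older than the window
        if len(q) > threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_rules(offenders, iptables="/usr/sbin/iptables"):
    """Render one DROP per offender covering every port, as T3slider
    suggested, rather than only dport 110."""
    return [f"{iptables} -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def constructed_sample():
    """Constructed excerpt in the thread's two log formats (TEST-NET
    addresses and a placeholder hostname; not the poster's real logs)."""
    lines = ["Nov  2 10:21:22 mail02 popa3d[5886]: "
             "Authentication failed for UNKNOWN USER"]
    for i in range(12):              # 12 connects in 12 seconds from one source
        lines.append(f"Nov  2 10:21:{45 + i:02d} mail02 popa3d[{6029 + i}]: "
                     "connect from 198.51.100.7 (198.51.100.7)")
    lines += [                       # two IMAP failures: noise, below threshold
        "Nov  2 13:02:51 mail02 imapd[18981]: Login failed user=administrator "
        "auth=administrator host=client.example [203.0.113.9]",
        "Nov  2 13:02:52 mail02 imapd[18982]: Login failed user=web auth=web "
        "host=client.example [203.0.113.9]",
    ]
    return lines


if __name__ == "__main__":
    for rule in block_rules(find_offenders(constructed_sample())):
        print(rule)
```

Feed it `tail -f` output or a rotated log instead of the constructed sample to see which sources would have been cut off, and at what time, before touching the firewall.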
Old 11-03-2011, 09:53 PM   #14
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 138

Original Poster
Rep: Reputation: 15
Thanks Noway2,

I will look into the fail2ban app.

Seems like there is nothing much more I can do besides what I have already done.
Blocking from the source (originator IP) is still the best solution.

I will mark this thread as SOLVED.

Thanks to everyone who has contributed.
 
  

