Hi, i am under attack from one IP. At this moment i close port 25 on SuSEfirewall2 to stop the attack for the momment.
All start when i found
Code:
2015-06-25T13:45:22.096356-03:00 sxxxb postfix/smtpd[13201]: warning: hostname host70.acr.org does not resolve to address 65.210.36.70: Name or service not known
2015-06-25T13:45:22.097545-03:00 sxxxb postfix/smtpd[13201]: connect from unknown[65.210.36.70]
2015-06-25T13:45:23.356258-03:00 sxxxb postfix/smtpd[13201]: disconnect from unknown[65.210.36.70]
This secuence appear repetidely continuosly.
I write a simple iptables rule to ban him:
Code:
iptables -A INPUT -s 65.210.36.70 -j DROP
But the connections still here, i dont know why.
After this the problem grow, because the attacker was trying to hack TLS library:
Code:
2015-06-26T13:25:42.240594-03:00 sxxxb postfix/smtpd[15848]: initializing the server-side TLS engine
2015-06-26T13:25:42.316748-03:00 sxxxb postfix/smtpd[15848]: warning: hostname host70.acr.org does not resolve to address 65.210.36.70: Name or service not known
2015-06-26T13:25:42.321892-03:00 sxxxb postfix/smtpd[15848]: connect from unknown[65.210.36.70]
2015-06-26T13:25:42.750335-03:00 sxxxb postfix/smtpd[15848]: disconnect from unknown[65.210.36.70]
i found in the log:
Code:
2015-06-26T19:14:48.510836-03:00 sxxxb postfix/smtpd[2261]: warning: TLS library problem: 2261:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
So i suspect that the attacker try to scalling privileges. Under this circunstances i shutdown my server for the weekend. ( The most secure mode of a computer ).
I found this IP as hacking IP: "http://www.abuseipdb.com/report-history/65.210.36.70" as "Continuous hacks on port 25 for usernames Dictionary attack, etc."
So for any reason postfix there is not logging the sasl autentication failures.
I perform some checks to sniff what is doing this bad IP.
Code:
tcpdump -i enp0s11 tcp port 25 -l -n -w a.txt
???^B^@^D^@^@^@^@^@^@^@^@^@??^@^@^A^@^@^@!U?
^@J^@^@^@J^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@<??@^@1^Fi=.iIL^X??^@^Yo?^\^@^@^@^@?^Br^P?^@^@^B^D^E?^D^B^H
1I?^@^@^@^@^A^C^C^G)U^_?
^@J^@^@^@J^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@<??@^@1^Fi<.iIL^X??^@^Yo?^\^@^@^@^@?^Br^P?H^@^@^B^D^E?^D^B^H
1I?^@^@^@^@^A^C^C^G9U!?
^@J^@^@^@J^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@<??@^@1^Fi;.iIL^X??^@^Yo?^\^@^@^@^@?^Br^P??^@^@^B^D^E?^D^B^H
1I?^@^@^@^@^A^C^C^GYU??^@J^@^@^@J^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@<??@^@1^Fi:.iIL^X??^@^Yo?^\^@^@^@^@?^Br^P?P^@^@^B^D^E?^D^B^H
1J^S0^@^@^@^@^A^C^C^G?U¢^H^@>^@^@^@>^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@0#?^@s^F??A?F^X?1?^Y???^@^@^@p^B???^@^@^B^D^E?^A^A^D^B?Uڣ^H^@>^@^@^@>^@^@^@^@^A\z(F^@^$
?U?+^D^@A^@^@^@A^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@3)?@^@s^F???F^X?1?^Y???7^Y P^X??6^@^@EHLO User
?Ul,^D^@6^@^@^@6^@^@^@^@^A\z(F^@^HT:K?^H^@E^@^@(I?@^@@^F?^X?A?F^@^Y1?7^Y ???P^P)^@^@?U?^D^@?^@^@^@?^@^@^@^@^A\z(F^@^HT:K?^H^@E^@^@?I?@^@@^F?^X?A?F^@^Y1?$
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
?U?U^G^@<^@^@^@<^@^@^@^@^HT:K?^@^A\z(F^H^@E^@^@.+^]@^@s^F?cA?F^X?1?^Y???$7^Y?P^X?Y-?^@QUIT
?U?X^G^@E^@^@^@E^@^@^@^@^A\z(F^@^HT:K?^H^@E^@^@7I?@^@@^F?^X?A?F^@^Y1?7^Y???^DP^X)??^@^@221 2.0.0 Bye
So i suspect that the attacker is trying to login but the postfix dont log this.
The questions,
1)is how i can block this men?
2)How i can enable log of authentication under postfix?
Best Regards
Christian
