Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Perhaps China has some command & control (or just a VM) servers in Ukraine, or maybe Russia does, or maybe the US govt does, or even perhaps a 5-year-old in Norway.
The actual location of the people-source will be astoundingly difficult to ascertain. Blocking via geoIP (or IANA info) will get you a block, that's it.
Also got mail server hammered with some random usernames from the same IP block. ipinfo.io reports it as not a proxy or hosted, so it should be traceable? Reported to the spaceships abuse and got a reply they forwarded it to their NOC.
Quote:
Originally Posted by root:root
Also got mail server hammered with some random usernames from the same IP block.
I get that from time to time. Got hit pretty hard 3-4 years ago with that stuff (worst case: 100K+ junk emails in one day). Firewall rules (how I deal with relay attempts) and Postfix configuration are your friends. There is plenty of information out there on how to keep the spam from inundating your system(s).
Someone in Kiev has been hammering my freshly installed email server.
Code:
Mar 23 23:46:56 server postfix/smtpd[10867]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:46:57 server postfix/smtpd[10865]: connect from unknown[5.34.207.123]
Mar 23 23:46:57 server postfix/smtpd[10860]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:01 server postfix/smtpd[10867]: connect from unknown[5.34.207.123]
Mar 23 23:47:05 server postfix/smtpd[10859]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:05 server postfix/smtpd[10863]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:05 server postfix/smtpd[10860]: connect from unknown[5.34.207.123]
Mar 23 23:47:06 server postfix/smtpd[10861]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:06 server postfix/smtpd[10863]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:07 server postfix/smtpd[10861]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:10 server postfix/smtpd[10859]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:10 server postfix/smtpd[10856]: connect from unknown[5.34.207.123]
Mar 23 23:47:10 server postfix/smtpd[10865]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:11 server postfix/smtpd[10865]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:12 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:14 server postfix/smtpd[10857]: connect from unknown[5.34.207.123]
Mar 23 23:47:17 server postfix/smtpd[10867]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:19 server postfix/smtpd[10855]: connect from unknown[5.34.207.123]
Mar 23 23:47:20 server postfix/smtpd[10860]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:20 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:20 server postfix/smtpd[10867]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:22 server postfix/smtpd[10860]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:24 server postfix/smtpd[10861]: connect from unknown[5.34.207.123]
Mar 23 23:47:26 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:27 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:29 server postfix/smtpd[10857]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:29 server postfix/smtpd[10863]: connect from unknown[5.34.207.123]
Mar 23 23:47:30 server postfix/smtpd[10857]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:31 server postfix/smtpd[10856]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:32 server postfix/smtpd[10856]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:33 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:33 server postfix/smtpd[10865]: connect from unknown[5.34.207.123]
Mar 23 23:47:37 server postfix/smtpd[10855]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:37 server postfix/smtpd[10860]: connect from unknown[5.34.207.123]
Mar 23 23:47:38 server postfix/smtpd[10861]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:38 server postfix/smtpd[10861]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:39 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:39 server postfix/smtpd[10855]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:42 server postfix/smtpd[10862]: connect from unknown[5.34.207.123]
Mar 23 23:47:47 server postfix/smtpd[10861]: connect from unknown[5.34.207.123]
Mar 23 23:47:48 server postfix/smtpd[10863]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:50 server postfix/smtpd[10863]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:52 server postfix/smtpd[10855]: connect from unknown[5.34.207.123]
Mar 23 23:47:53 server postfix/smtpd[10865]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:53 server postfix/smtpd[10865]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:56 server postfix/smtpd[10863]: connect from unknown[5.34.207.123]
Mar 23 23:47:58 server postfix/smtpd[10862]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
'Whois' says that IP is in Kiev, Ukraine. There is an email for abuse. Should I ever bother to report these things?
I think what hackers have done is important, wherever they are from.
They are like a virus, always trying to attack you; if you are weak, you will go down.
So make your server strong like a steel castle at all times, especially when you install your own server.
If you want to ban them with Fail2ban, here is my code.
Subnet and location data is generally not complete in WHOIS. The real location of the source IP address may be very different from Kiev; it might not even be in Ukraine!
I have noticed threat activity seeming to be from cities known to be without power after shelling. This would lead me to believe that we cannot trust that source information to any great level of confidence.
I would allow FAIL2BAN to detect threat attempts that are clearly NOT from existing clients, and add them to your block list.
A service such as MaxMind.com is generally a much more reliable way of finding where an IP is and which service provider it belongs to. They allow a small number of free lookups.
I also have the paid service to check on more accurate location / proxy / VPN detection for a couple of forum registration projects.
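Several replies above point to fail2ban (count SASL failures per source IP, ban past a threshold) as the practical answer to the log in the original post. The following is an added example, not code from the thread, from fail2ban or from Postfix: it runs a fail2ban-style filter over constructed log lines modelled on the post's, applies the maxretry/findtime windowing fail2ban uses, and decodes the base64 tail Postfix logs on these failures. The regex is adapted from fail2ban's stock postfix-sasl filter with its `<HOST>` placeholder written out as an IPv4 group; it also accepts the `postfix/submission/smtpd` prefix that a separate submission service produces, which the post's lines do not show. The source addresses 203.0.113.7 and 198.51.100.9, the year, and the thresholds are assumptions made up for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamps carry no year; assume one so they can be compared (assumption).
ASSUMED_YEAR = 2022

# Adapted from fail2ban's postfix-sasl filter. fail2ban's <HOST> placeholder is
# replaced by a literal IPv4 capture group so this runs without fail2ban. The
# optional "/<service>" segment also matches "postfix/submission/smtpd[...]".
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix(?:/\w+)?/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?::\s*(?P<detail>.*?))?\s*$",
    re.IGNORECASE,
)

# Postfix logs this when its SASL backend (Dovecot auth in the post) dropped the
# request, as the adjacent "dovecot: auth: ... Connection reset by peer" lines show.
AUTH_BACKEND_ERROR = "Connection lost to authentication server"


def parse_failure(line):
    """Return (timestamp, source_ip, detail) for a SASL failure line, else None."""
    m = SASL_FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], (m["detail"] or "")


def decode_sasl_token(detail):
    """Decode the base64 tail of a failure line, or None if it is not base64.
    'UGFzc3dvcmQ6' from the post decodes to 'Password:', the LOGIN prompt."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_bans(lines, maxretry=5, findtime=600, count_backend_errors=True):
    """fail2ban-style windowing: an IP is banned once it has at least maxretry
    failures inside any findtime-second window. Returns {ip: timestamp of the
    failure that triggered the ban}. count_backend_errors=False skips the
    'Connection lost to authentication server' lines, which can also appear
    when Dovecot itself is unhealthy rather than because a password was wrong."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, detail = parsed
        if ip in bans:
            continue
        if detail == AUTH_BACKEND_ERROR and not count_backend_errors:
            continue
        # Keep only failures still inside the window ending at this failure.
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= window]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
    return bans


# Constructed sample log, modelled on the post's lines: a burst from one source
# (mixed backend errors and real password failures, one via the submission
# service, one PLAIN) plus a single failure from a legitimate-looking client.
SAMPLE_LOG = """\
Mar 23 23:47:05 server postfix/smtpd[10859]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:06 server postfix/smtpd[10863]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:12 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:20 server postfix/smtpd[10860]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:29 server postfix/smtpd[10857]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:31 server postfix/submission/smtpd[10856]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:37 server postfix/smtpd[10855]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:40 server postfix/smtpd[10870]: warning: client.example.net[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:58 server postfix/smtpd[10862]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: Connection lost to authentication server
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%b %d %H:%M:%S})")
    print("UGFzc3dvcmQ6 ->", decode_sasl_token("UGFzc3dvcmQ6"))
```

With the defaults the burst source crosses five failures at 23:47:37 and is banned while the single failure from 198.51.100.9 never is; with `count_backend_errors=False` only the four password failures count, so either raise the window or lower `maxretry` if you want the backend-error lines to contribute. For a real deployment the equivalent is fail2ban's own `postfix-sasl` jail rather than this script, and Postfix's `smtpd_client_connection_rate_limit` (enforced by anvil) will throttle the connection storm itself.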