I was idly watching the MDaemon server monitor just now and noticed someone busy probing it.
After checking the log, it turns out this intruder has already tried this several times.
The first attempt (last night, around 7) failed (or he deliberately let it fail).
Here is the log:
Wed 2004-05-05 19:08:30: [528:5968:1] Accepting SMTP connection from [222.183.140.233 : 4631]
Wed 2004-05-05 19:08:30: [528:5968:1] --> 220 biofarma.co.id ESMTP MDaemon 6.8.5; Wed, 05 May 2004 19:08:30 +0700
Wed 2004-05-05 19:08:31: [528:5968:1] <-- EHLO microsof-9dlveu
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250-biofarma.co.id Hello microsof-9dlveu, pleased to meet you
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250-ETRN
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250-AUTH=LOGIN
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250-AUTH LOGIN CRAM-MD5
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250-8BITMIME
Wed 2004-05-05 19:08:31: [528:5968:1] --> 250 SIZE 0
Wed 2004-05-05 19:08:33: [528:5968:1] <-- AUTH LOGIN
Wed 2004-05-05 19:08:33: [528:5968:1] --> 334 VXNlcm5hbWU6
Wed 2004-05-05 19:08:34: [528:5968:1] <-- YmFja3Vw
Wed 2004-05-05 19:08:34: [528:5968:1] --> 334 UGFzc3dvcmQ6
Wed 2004-05-05 19:08:35: [528:5968:1] <--
Wed 2004-05-05 19:08:35: [528:5968:1] --> 535 Authentication failed
Wed 2004-05-05 19:08:36: [528:5968:1] Socket connection closed by the other side (how rude!)
Wed 2004-05-05 19:08:36: [528:5968:1] SMTP session abnormally terminated, 46 bytes transferred.
Wed 2004-05-05 19:08:36: ----------
Thu 2004-05-06 01:23:22: ---------- Partial transcript, remainder will follow.
But he didn't give up: this morning, from 1 o'clock until 9 just now, he was still probing.
The second attempt actually "failed" too (auth failed), but why does the SMTP session never drop?
Thu 2004-05-06 01:20:35: [532:6554:1] Accepting SMTP connection from [222.183.140.233 : 3186]
Thu 2004-05-06 01:20:35: [532:6554:1] --> 220 biofarma.co.id ESMTP MDaemon 6.8.5; Thu, 06 May 2004 01:20:35 +0700
Thu 2004-05-06 01:20:36: [532:6554:1] <-- EHLO microsof-9dlveu
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250-biofarma.co.id Hello microsof-9dlveu, pleased to meet you
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250-ETRN
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250-AUTH=LOGIN
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250-AUTH LOGIN CRAM-MD5
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250-8BITMIME
Thu 2004-05-06 01:20:36: [532:6554:1] --> 250 SIZE 0
Thu 2004-05-06 01:20:39: [532:6554:1] <-- AUTH LOGIN
Thu 2004-05-06 01:20:39: [532:6554:1] --> 334 VXNlcm5hbWU6
Thu 2004-05-06 01:20:40: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:40: [532:6554:1] --> 334 UGFzc3dvcmQ6
Thu 2004-05-06 01:20:41: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:41: [532:6554:1] --> 535 Authentication failed
Thu 2004-05-06 01:20:43: [532:6554:1] <-- AUTH LOGIN
Thu 2004-05-06 01:20:43: [532:6554:1] --> 334 VXNlcm5hbWU6
Thu 2004-05-06 01:20:44: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:44: [532:6554:1] --> 334 UGFzc3dvcmQ6
Thu 2004-05-06 01:20:45: [532:6554:1] <-- d2VibWFzdGVyMTI=
Thu 2004-05-06 01:20:45: [532:6554:1] --> 535 Authentication failed
Thu 2004-05-06 01:20:47: [532:6554:1] <-- AUTH LOGIN
Thu 2004-05-06 01:20:47: [532:6554:1] --> 334 VXNlcm5hbWU6
Thu 2004-05-06 01:20:48: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:48: [532:6554:1] --> 334 UGFzc3dvcmQ
(I cut it off here because it got too long; I disconnected the session manually.)
The question is: how do I block an intruder like this?
Because even though authentication always fails, the session never being dropped still eats
a fair amount of bandwidth.
I just checked "perform reverse PTR...." in the Security -> Reverse Lookup menu (it was unchecked before).
Will this prevent an intruder like this?
Thanks.
P.S.: seeing this reminds me of the "telnet to the MTA" debate from back in the day :).
-- --[MDaemon-L]------------------------------------------------ This list is for discussion among MDaemon Mail Server users. Please do not post in HTML format!
Archive : <http://mdaemon-l.dutaint.com>
Moderator : <mailto:[EMAIL PROTECTED]>
Unsubscribe : <mailto:[EMAIL PROTECTED]>
Subscribe : <mailto:[EMAIL PROTECTED]>
Latest Versions : MD 7.0.1, LD 2.1.0, WA 2.0.8, MDAV 2.2.4, MDGW 1.0.5
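Added example, not from the post or from MDaemon itself: a Python pass over MDaemon-style SMTP log lines like the ones quoted above. It groups "535 Authentication failed" responses by source address, decodes which account names the client tried (usernames only, from the base64 reply to the "334 VXNlcm5hbWU6" prompt), and flags addresses that cross a failure threshold as candidates for an IP block. The sample lines and the address 192.0.2.10 are constructed for this example; the threshold of 3 is an assumption.

```python
import base64
import re
from collections import defaultdict

# Constructed sample modelled on the log lines in the post (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Thu 2004-05-06 01:20:35: [532:6554:1] Accepting SMTP connection from [192.0.2.10 : 3186]
Thu 2004-05-06 01:20:39: [532:6554:1] --> 334 VXNlcm5hbWU6
Thu 2004-05-06 01:20:40: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:41: [532:6554:1] --> 535 Authentication failed
Thu 2004-05-06 01:20:43: [532:6554:1] --> 334 VXNlcm5hbWU6
Thu 2004-05-06 01:20:44: [532:6554:1] <-- d2VibWFzdGVy
Thu 2004-05-06 01:20:45: [532:6554:1] --> 535 Authentication failed
Wed 2004-05-05 19:08:30: [528:5968:1] Accepting SMTP connection from [192.0.2.10 : 4631]
Wed 2004-05-05 19:08:33: [528:5968:1] --> 334 VXNlcm5hbWU6
Wed 2004-05-05 19:08:34: [528:5968:1] <-- YmFja3Vw
Wed 2004-05-05 19:08:35: [528:5968:1] --> 535 Authentication failed
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+: \[([\d:]+)\] (.*)$")   # timestamp, [session id], message
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[([\d.]+) : \d+\]")
USERNAME_PROMPT = "--> 334 VXNlcm5hbWU6"                     # base64 of "Username:"

def analyse_auth_failures(log_text, max_failures=3):
    """Per source IP: session count, failed AUTH attempts, usernames tried, block flag."""
    session_ip, session_user, expect_user = {}, {}, set()
    stats = defaultdict(lambda: {"sessions": 0, "failures": 0, "usernames": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                        # separators, partial-transcript markers, etc.
        session, msg = m.groups()
        conn = CONNECT_RE.search(msg)
        if conn:
            session_ip[session] = conn.group(1)
            stats[conn.group(1)]["sessions"] += 1
        elif msg == USERNAME_PROMPT:
            expect_user.add(session)        # the next client line is the base64 username
        elif session in expect_user and msg.startswith("<-- "):
            expect_user.discard(session)
            try:
                session_user[session] = base64.b64decode(msg[4:], validate=True).decode("ascii", "replace")
            except ValueError:              # binascii.Error is a ValueError
                session_user[session] = "<undecodable>"
        elif msg == "--> 535 Authentication failed" and session in session_ip:
            ip = session_ip[session]
            stats[ip]["failures"] += 1
            stats[ip]["usernames"].add(session_user.get(session, "<unknown>"))
    for s in stats.values():
        s["block"] = s["failures"] >= max_failures   # assumed threshold for an IP block rule
    return dict(stats)
```

Because the parser keys on the session id, repeated 535s inside one session that the server never closes (the situation in the second transcript) still add up against the same address.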

