DENYHOST works only for SSHD .....

2011/3/2 Eric Shubert <e...@shubes.net>

> Hey Gustavo.
>
> I don't know about it, so I have no opinion. Please post a link to more
> info. Thanks.
>
> If someone else has some thoughts on this, please chime in.
>
> --
> -Eric 'shubes'
>
>
> On 03/02/2011 10:49 AM, Gustavo De Poli wrote:
>
>> Eric: hi, sorry, I'm new here (a beginner). What do you think about
>> DENYHOST instead of fail2ban?
>> I use DENYHOST as a service and it works well.
>>
>> Gustavo
>>
>> 2011/3/1 Eric Shubert <e...@shubes.net>
>>
>>
>>    Yes, but the attacks appear to be coming from a variety of
>>    addresses. fail2ban will do essentially this automatically and for
>>    whatever addresses attacks may come from. fail2ban is a much better
>>    solution imo.
>>    --
>>    -Eric 'shubes'
>>
>>
>>    On 03/01/2011 06:14 PM, Tony White wrote:
>>
>>        Try this at the command line and as root!
>>
>>        iptables -I INPUT -s 11.22.33.44 -j DROP
>>
>>        This will stop him dead in his tracks.
>>        You can use this command for any ip address that gives
>>        you a problem.
>>
>>
>>        On 02/03/2011 11:25 AM, Sergio M wrote:
>>
>>            Hi there list,
>>            I have been under heavy traffic since Sunday, and it's been
>>            using all my inbound connections.
>>            I have a QMT updated box, running the latest spamdyke:
>>            # qtp-whatami
>>            qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
>>            DISTRO=CentOS
>>            OSVER=5.5
>>            QTARCH=x86_64
>>            QTKERN=2.6.18-194.32.1.el5
>>            BUILD_DIST=cnt5064
>>            BUILD_DIR=/usr/src/redhat
>>            This machine's OS is supported and has been tested
>>
>>
>>            Even though spamdyke does not let the spammers relay the
>>            mail, I still get all the connections used, making it very
>>            hard for authenticated users to send mail.
>>            For now I stopped smtpd, but I wanna see if you guys have
>>            some other thoughts to solve this.
>>
>>            If I see the maillog, I see LOTS of entries like these:
>>            Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
>>            Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>>            Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
>>            Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
>>            Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
>>            Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
>>            Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
>>            Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
>>            Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
>>            Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
>>            Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
>>            Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
>>            Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
>>            Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
>>            Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
>>            Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
>>            Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
>>            Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
>>            Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
>>            Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8
>>
>>            So I guess some botnet is trying to relay mail guessing a
>>            specific domain user's passwords. Most of the attempts are
>>            blocked by RBL checking, but that still creates a connection.
>>
>>            Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
>>            2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
>>            2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
>>            2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
>>            2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
>>            2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
>>            2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
>>            2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
>>            2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
>>            2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
>>            2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
>>            2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
>>            2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
>>            2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
>>            2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
>>            2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
>>            2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
>>            2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
>>            2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
>>            2011-03-01 20:54:06.441702500 tcpserver: status: 24/25
>>            2011-03-01 20:54:06.441735500 tcpserver: status: 25/25
>>            You see how it got clogged with incoming connections.
>>
>>            So, any ideas or tips to help me solve this?
>>            As of now smtpd is stopped.
>>
>>            thanks a lot!
>>            -Sergio
>>
>>
>>  
>> ---------------------------------------------------------------------------------
>>
>>            Qmailtoaster is sponsored by Vickers Consulting Group
>>            (www.vickersconsulting.com <http://www.vickersconsulting.com>)
>>
>>            Vickers Consulting Group offers Qmailtoaster support and
>>            installations.
>>            If you need professional help with your setup, contact them
>>            today!
>>
>>  
>> ---------------------------------------------------------------------------------
>>
>>            Please visit qmailtoaster.com <http://qmailtoaster.com> for
>>
>>            the latest news, updates, and packages.
>>            To unsubscribe, e-mail:
>>            qmailtoaster-list-unsubscr...@qmailtoaster.com
>>            <mailto:qmailtoaster-list-unsubscr...@qmailtoaster.com>
>>
>>            For additional commands, e-mail:
>>            qmailtoaster-list-h...@qmailtoaster.com
>>            <mailto:qmailtoaster-list-h...@qmailtoaster.com>
>>
>
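Added example, not part of the original thread: a Python version of the counting that fail2ban automates, applied to the `vchkpw-smtp: password fail` line format from the maillog quoted above. The sample lines, accounts and addresses are constructed, and `maxretry`/`findtime` are named after fail2ban's options; the example also counts per account, because the thread notes the attempts come from a variety of addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Anchored at both ends: the password text is supplied by the client, so only
# the trailing account:ip written by the server is trusted.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-smtp: password fail \(pass: '.*'\) "
    r"(?P<user>\S+@[^\s:]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample log (documentation address ranges, example.com accounts).
SAMPLE = """\
Feb 27 14:57:38 mail vpopmail[101]: vchkpw-smtp: password fail (pass: 'a') alice@example.com:192.0.2.10
Feb 27 14:57:39 mail vpopmail[102]: vchkpw-smtp: password fail (pass: 'b') alice@example.com:192.0.2.11
Feb 27 14:57:40 mail spamdyke[103]: FILTER_RBL_MATCH ip: 192.0.2.12 rbl: zen.spamhaus.org
Feb 27 14:57:41 mail vpopmail[104]: vchkpw-smtp: password fail (pass: 'c') alice@example.com:192.0.2.13
Feb 27 14:57:42 mail vpopmail[105]: vchkpw-smtp: password fail (pass: 'd') bob@example.com:198.51.100.7
Feb 27 14:57:43 mail vpopmail[106]: vchkpw-smtp: password fail (pass: 'e') bob@example.com:198.51.100.7
Feb 27 14:57:44 mail vpopmail[107]: vchkpw-smtp: password fail (pass: 'f') bob@example.com:198.51.100.7
Feb 27 14:57:45 mail vpopmail[108]: vchkpw-smtp: password fail (pass: 'x') eve@example.com:203.0.113.9') alice@example.com:192.0.2.14
""".splitlines()

def parse_failures(lines, year=2011):
    """Yield (timestamp, account, ip) per SMTP AUTH failure; syslog omits the year."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def over_threshold(events, key, maxretry, findtime):
    """Return the IPs (key='ip') or accounts (key='user') with at least
    maxretry failures inside any window of length findtime."""
    seen, hits = defaultdict(list), set()
    for ts, user, ip in sorted(events):
        k = ip if key == "ip" else user
        seen[k] = [t for t in seen[k] if ts - t <= findtime] + [ts]
        if len(seen[k]) >= maxretry:
            hits.add(k)
    return hits

def drop_rules(ips):
    """Render the manual iptables command from the thread for each address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    events = list(parse_failures(SAMPLE))
    print("per IP:     ", over_threshold(events, "ip", 3, timedelta(seconds=60)))
    print("per account:", over_threshold(events, "user", 3, timedelta(seconds=60)))
```

On the sample, the per-IP count flags only the one address that repeats, while the per-account count also flags the account that is being guessed from a different address each time.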
