I am seeing more spam in my mail queue. I have iptables installed, and here are my rules:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5223
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sip-tls
ACCEPT     udp  --  sip02.gafachi.com    anywhere            state NEW udp dpts:sip:5080
ACCEPT     udp  --  204.11.192.0/22      anywhere            state NEW udp dpts:sip:5080
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As far as I can tell, no one should be able to use port 25 from the world. Also, sendmail is only configured to allow relay from localhost:

[root@sipx1 ~]# cat /etc/mail/access
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY

Can someone please help me figure out where this spam is coming from? Thanks.
~Noah

On Oct 13, 2012, at 10:17 AM, Noah Mehl <[email protected]> wrote:

> I did not change the configuration of anything related to the PlcmSpIp user.
> It does however make me feel better that it is related to the vsftpd service
> and the polycom phones.
>
> From /etc/passwd:
>
> PlcmSpIp:x:500:500::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
>
> So, that user cannot ssh to a shell. So I don't think it was that.
>
> ~Noah
>
> On Oct 12, 2012, at 9:05 AM, Tony Graziano <[email protected]>
> wrote:
>
>> ... more -- it's a user that does not have login to the OS itself, just
>> vsftpd, which is restricted to certain commands and must present a
>> request for its mac address in order to get a configuration file. It
>> is not logging into linux unless someone changed the rights of the
>> user.
>>
>> On Fri, Oct 12, 2012 at 7:30 AM, George Niculae <[email protected]> wrote:
>>> On Fri, Oct 12, 2012 at 2:26 PM, Tony Graziano
>>> <[email protected]> wrote:
>>>> this is not a valid system user unless you have manually added it to the
>>>> system. I do think the logs would show more if access was granted. Why are
>>>> you exposing sshd to the outside world with an acl or by protecting it at
>>>> your firewall?
>>>>
>>>
>>> PlcmSpIp is the user used by polycom phones for fetching config from server
>>>
>>> George
>>> _______________________________________________
>>> sipx-users mailing list
>>> [email protected]
>>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>
>>
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: [email protected]
>> Fax: 434.465.6833
>> ~~~~~~~~~~~~~~~~~~
>> Linked-In Profile:
>> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>> Ask about our Internet Fax services!
>> ~~~~~~~~~~~~~~~~~~
>>
>> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
>> 2013!
>>
>> --
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: [email protected]
>>
>> Helpdesk Customers: http://myhelp.myitdepartment.net
>> Blog: http://blog.myitdepartment.net
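An added example, not code from the thread or from sipXecs: the question asked is where the queued mail is entering the MTA, and sendmail's own log answers that more directly than the firewall listing. Each "from=" line in /var/log/maillog carries a relay= field naming the entry point: a process on the box that invoked the sendmail binary shows as user@localhost (for example apache@localhost), a client that connected to 127.0.0.1 shows as localhost.localdomain [127.0.0.1], and an outside SMTP client shows as its address in brackets. Two caveats worth keeping in mind when reading the listing in the post: "iptables -L" without -v omits the in/out interface, so the scope of the first "ACCEPT all" rule and of the 192.168.0.0/16 rule is not visible there, and the access map's Connect: entries only govern SMTP clients, so mail submitted locally is accepted regardless. The POSIX shell script below groups constructed log lines (RFC 5737 documentation addresses) by entry point; the function names, the live_checks helper and the sample log are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the sipx-users thread. Groups sendmail log entries by
# the point where each message entered the MTA, so a growing queue can be traced
# to outside SMTP clients versus local submitters (cron jobs, web apps, shells).
# SAMPLE_LOG is constructed; addresses are from RFC 5737 documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
Oct 13 10:20:01 sipx1 sendmail[2201]: q9DEK1Ab002201: from=<[email protected]>, size=812, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Oct 13 10:21:14 sipx1 sendmail[2210]: q9DEL1Ac002210: from=apache, size=2048, class=0, nrcpts=50, msgid=<[email protected]>, relay=apache@localhost
Oct 13 10:21:15 sipx1 sendmail[2211]: q9DEL1Ad002211: from=apache, size=2048, class=0, nrcpts=50, msgid=<[email protected]>, relay=apache@localhost
Oct 13 10:22:30 sipx1 sendmail[2220]: q9DEM1Ae002220: from=<[email protected]>, size=9000, class=0, nrcpts=20, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=[198.51.100.23]
Oct 13 10:22:31 sipx1 sendmail[2220]: q9DEM1Ae002220: to=<[email protected]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.net. [192.0.2.9], dsn=2.0.0, stat=Sent
EOF
)

# Extract the relay= field of every from= line. Only from= lines describe the
# sender side; to= lines carry the next-hop relay and are skipped.
entry_points() {
  printf '%s\n' "$1" | grep 'from=' | sed -n 's/.*relay=\([^,]*\).*/\1/p'
}

# Number of messages that entered through a given relay value (fixed string).
origin_count() {
  printf '%s\n' "$1" | grep 'from=' | grep -Fc -- "relay=$2"
}

# Total recipients across messages from one entry point; spam bursts usually
# stand out by nrcpts rather than by message count.
rcpts_from() {
  printf '%s\n' "$1" | grep 'from=' | grep -F -- "relay=$2" |
    sed -n 's/.*nrcpts=\([0-9]*\).*/\1/p' |
    awk '{ s += $1 } END { print s + 0 }'
}

# Entry points that are not the local host: any of these means an outside
# client reached port 25 despite the firewall, or a rule is wider than intended.
external_origins() {
  entry_points "$1" | grep -v -e '@localhost$' -e '\[127\.0\.0\.1\]' | sort -u
}

# Commands to run on the real host (not executed against the sample): who is
# bound on port 25, how deep the queue is, and the firewall with interfaces and
# packet counters, which "iptables -L" alone does not print.
live_checks() {
  netstat -tlnp | grep ':25 '
  mailq | tail -n 1
  iptables -L -n -v
}

echo "entry points:"; entry_points "$SAMPLE_LOG" | sort | uniq -c
echo "external:";     external_origins "$SAMPLE_LOG"
echo "apache@localhost messages=$(origin_count "$SAMPLE_LOG" apache@localhost) rcpts=$(rcpts_from "$SAMPLE_LOG" apache@localhost)"
```

On a live box, replace SAMPLE_LOG with the contents of /var/log/maillog; a large nrcpts total under a single local user is as much of a lead as an external address, since the access map never sees locally submitted mail.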
