Brute forced on smtp server?

TopGun (Gawd, joined Jan 22, 2005, 766 messages)
I had very slow internet for a while today and then my router finally crashed.
I had my webserver and my mail server running; luckily my mail server requires
authentication for SMTP, because I checked its log and there were a shitload of
brute-force attempts from 67.152.208.130, which would have explained the 3000
connections my router showed connected to my server. I found out that this is an
SBS 2k3 box that I'm pretty sure has been "compromised". Talked to Road Runner
and asked them if they could let the server owner know that their server may have been
compromised. I guess this is why Road Runner doesn't want people running mail servers;
luckily mine was secure :p. Now I just need to set up a router that actually blocks IPs after
a certain amount of concurrent connections.
 
whois 67.152.208.130

Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: Please report spam and viruses to [email protected].
Comment: For better service, direct customers of XO may use
Comment: the web form at http://www.xo.com/contact/care/
Comment: for reverse DNS requests and other customer-specific
Comment: technical issues. Thank you for your cooperation.
Comment:
RegDate: 2002-08-14
Updated: 2005-12-05

OrgAbuseHandle: XCNV-ARIN
OrgAbuseName: XO Communications, Network Violations
OrgAbusePhone: +1-866-285-6208
OrgAbuseEmail: [email protected]

OrgTechHandle: XCIA-ARIN
OrgTechName: XO Communications, IP Administrator
OrgTechPhone: +1-703-547-2000
OrgTechEmail: [email protected]

----

You can email [email protected]

concerning brute force: I don't know of any router that would fix this problem. I think you'd want to watch the logs for this activity then block that IP w/ your operating systems packet filter, PF for BSD for ex.

If you're using PF you could try rules like this
Code:
# the overload table has to be declared before the rules can reference it
table <bruteforce> persist
block quick from <bruteforce> to any
# more than 5 new connections from one source in 10 seconds puts that source in the table
pass in proto tcp from any to self port 25 keep state (max-src-conn-rate 5/10, overload <bruteforce> flush global)
You might want to look into expiretable as well to clean out the bruteforce table on a periodic basis.
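As an added example (not code from the thread), here is the "watch the logs, then block the IP" approach from the earlier reply as a small POSIX shell script: it counts SMTP AUTH failures per source address over a constructed log sample and prints the pfctl commands that would add each offender to the <bruteforce> table used by the PF rules above. The log line format ("auth failed for user=... from <ip>") is an assumption; adjust the awk pattern to your mail server's actual log format.

```shell
#!/bin/sh
# Added example: find SMTP brute-force sources in a log and print the
# pfctl commands that would put them in the PF <bruteforce> table.
# Log format is ASSUMED: "... auth failed for user=<u> from <ip>".

# find_bruteforcers LOGFILE THRESHOLD
# Prints "count ip" for every source with at least THRESHOLD failures.
find_bruteforcers() {
    awk -v thr="$2" '
        /auth failed/ {
            ip = $NF            # last field is the source address
            fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "%d %s\n", fails[ip], ip
        }' "$1" | sort -rn
}

# block_commands LOGFILE THRESHOLD
# Turns the offender list into pfctl table additions (printed, not executed,
# so the output can be reviewed before it is run as root).
block_commands() {
    find_bruteforcers "$1" "$2" | while read -r count ip; do
        printf 'pfctl -t bruteforce -T add %s   # %s failures\n' "$ip" "$count"
    done
}

# Constructed sample log standing in for the real mail server log.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 22 10:00:01 mail smtpd: auth failed for user=admin from 198.51.100.7
Jan 22 10:00:02 mail smtpd: auth failed for user=test from 198.51.100.7
Jan 22 10:00:03 mail smtpd: auth failed for user=root from 198.51.100.7
Jan 22 10:00:04 mail smtpd: auth succeeded for user=topgun from 203.0.113.9
Jan 22 10:00:05 mail smtpd: auth failed for user=bob from 203.0.113.9
Jan 22 10:00:06 mail smtpd: auth failed for user=guest from 198.51.100.7
EOF
}

# Demo run: ./smtp-bruteforce.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_sample_log /tmp/smtp-sample.log
    block_commands /tmp/smtp-sample.log 3
fi
```

Pair it with expiretable (or `pfctl -t bruteforce -T expire`) so entries age out instead of accumulating forever.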
 
Server "was" Windows (going *nix) and router is a WRT54G with DD-WRT on it.
I would block it at the server but my router can't really handle 3000 concurrent connections;
it caused it to hit 80% processor usage and it crashed when it went over 3k connections :(

If I can get a cheap CF card and CF <- IDE converter + a passive cooler, I may turn a 733MHz Celeron
into a firewall box.
 