EMERGENCY - need to secure my server against an ongoing SPAMMER

Roger Grosswiler roger at gwch.net
Mon Mar 14 09:08:00 UTC 2005


> On Mon, 14 Mar 2005 08:03:25 +0100, Roger Grosswiler <roger at gwch.net> wrote:
>> Roger Grosswiler schrieb:
>> > Bob Brennan schrieb:
>> > [snip]
>> >
>> >>> Probably a good idea to shut them off semi-permanently:
>> >>> add these lines to your iptables firewall:
>> >>> (Note - there are more general ways to script iptables setups)
>> >>> (Read "better ways", but this is a specific example)
>> >>>
>> >>> #  Next 8 lines specific to tfn.net.tw
>> >>> # Log any connection attempts by tfn.net.tw
>> >>> # (LOG is non-terminating, so these rules must come before the DROP rules)
>> >>> iptables -A INPUT -i eth0 -s 219.81.0.0/16 -j LOG --log-prefix "static.tfn.net.tw "
>> >>> iptables -A INPUT -i eth0 -s 61.31.0.0/16 -j LOG --log-prefix "dynamic.tfn.net.tw "
>> >>>
>> >>> # Drop dynamic.tfn.net.tw
>> >>> iptables -A INPUT -i eth0 -s 61.31.0.0/16 -j DROP
>> >>> # Drop static.tfn.net.tw
>> >>> iptables -A INPUT -i eth0 -s 219.81.0.0/16 -j DROP
>> >
>> > [/snip]
>> >
>> > Hi Bob,
>> >
>> > Good way to get the spammer off your ports ;-)
>> >
>> > See here 2 links, where you can check your mailserver immediately for
>> > your "open relay". There is no need to register or whatever - just type
>> > your IP and go. You will see if your mailserver is secure enough or
>> > which methods could still be used to send spam via your mailserver.
>> >
>> > http://www.relaycheck.com/test.asp
>> > http://www.antispam-ufrj.pads.ufrj.br/
>> >
>> > Have you built in RBL support for your mailserver? This could perhaps
>> > get the spammer off your mailserver as well. See 3 free lists below.
>> >
>> > bl.spamcop.net,
>> > relays.ordb.org,
>> > sbl.spamhaus.org,
>> >
>> > btw. preferably, by today you no longer use pop-before-smtp but
>> > smtp-auth instead. If you authenticate your users in pop/imap against mysql you
>> > COULD use the same database for smtp as well.
>> >
>> > HTH
>> > Roger
>> >
>> btw. doing perror 13 in shell gives the following:
>>
>> [roger at link ~]$ perror 13
>> Error code  13:  Permission denied
>>
>> ...i had this too, this was an issue from selinux. You could either
>> disable mysql-support in selinux (system-config-securitylevel) or try to
>> relabel your system. This helped me, in some way (...)
>>
>> /sbin/fixfiles relabel
>>
>> Also make sure that your /var/lib/mysql is chowned -R mysql:mysql
>
> Hi Roger,
>
> Thanks very much for all of the handy tips - I remember seeing the
> "/sbin/fixfiles relabel" trick in previous postings on this list and I
> will try that right away - I am anxious to re-enable SELinux asap.
>
> I still got more than 500 attempts by the spammer(s) yesterday but
> hopefully the iptables  fix from Jeff Kinz will finally put an end to
> that today. I think their persistent, but futile, attempts to send
> prove that it is simply Windoze zombie machines out there wasting our
> time and bandwidth.
>
> Thanks again for the help,
> bob
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

As soon as you don't need e-mails out of those ranges, it's quite helpful; I even blocked some ranges in the
beginning. When I set up RBL checking, I had to have patience for about 1 month; since then, I just have 2-3 attempts
per day. RBL sorts good from bad traffic with good quality. Unfortunately, it doesn't block those zombies - perhaps
infected by a worm.

But at least for those IPs you can also save yourself DNS traffic ;-)

Roger
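The log-then-drop rules quoted above, generalized into a small script as an added example that is not from the thread: the LOG rule is emitted before the DROP rule for each range (DROP ends rule processing, so anything listed after it is never reached) and is rate limited so a persistent sender cannot fill the logs. The INPUT chain, eth0 and the two tfn.net.tw ranges come from the quoted rules; RANGES, DRY_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Generate "log, then drop" iptables rules for a list of source ranges.
# RANGES holds "CIDR label" pairs, one per line (constructed from the
# ranges quoted in the thread). DRY_RUN=1 (the default) prints the
# commands; DRY_RUN=0 loads them.
RANGES='219.81.0.0/16 static.tfn.net.tw
61.31.0.0/16 dynamic.tfn.net.tw'

IFACE="${IFACE:-eth0}"

# Print the two rules for one range. The LOG rule must precede the DROP
# rule: DROP is terminal, so a packet never reaches a rule listed after it.
# The LOG rule is rate limited so a persistent sender cannot flood the logs.
rules_for_range() {
    cidr="$1"
    label="$2"
    printf 'iptables -A INPUT -i %s -s %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s "\n' \
        "$IFACE" "$cidr" "$label"
    printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$IFACE" "$cidr"
}

# Emit the rules for every range in RANGES, skipping blank lines.
all_rules() {
    printf '%s\n' "$RANGES" | while read -r cidr label; do
        [ -n "$cidr" ] || continue
        rules_for_range "$cidr" "$label"
    done
}

# Show the generated rules, or load them when DRY_RUN=0.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        all_rules
    else
        all_rules | sh -e
    fi
}

apply_rules
```

Review the printed rules first, then run with `DRY_RUN=0` as root to load them; the LOG lines show up in the kernel log with the given prefix.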