Blocking mail access by IP address block.

  • 19-10-2012 09:13AM
    #1
    oeb (Registered Users, Posts: 2,793 ✭✭✭)


    Hey guys, I want some advice on something that I am looking at doing.

    A couple of days ago, an email account on one of our VPS got compromised; the cheeky spammer proceeded to jam nearly half a million spam messages into the queue. We found the culprit email address easily enough, changed the password, and went about clearing the queue with qmail-remove (for the record, deleting 450,000-odd emails took the bones of 28 hours).

    Checking today's maillog I see that they seem to be attempting to brute-force the account; there are 2,200-odd smtp_auth: FAILED entries, all from Chinese email addresses.

    In addition to this, I notice from looking at the logs that about 90% of failed login attempts over SSH are from Chinese IP addresses too.

    We have no customers on that server who regularly travel to China, so I figure that I might as well just block all login attempts from anywhere in China. Is there an easy way of doing this? Is it just a matter of putting a new firewall rule in place blocking all Chinese traffic over ports 25 and 22?

    Thanks in advance.
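
Added example (editor's addition, not code from the thread): a script that turns a CIDR list into one ipset and a single pair of iptables rules covering ports 22 and 25, which is the shape of the "new firewall rule" the question asks about. Everything here is a placeholder assumption: the set name `blocklist`, the admin address 198.18.0.1, and the RFC 5737 documentation prefixes standing in for a country list. A real per-country list has to be built from the RIR delegation data (APNIC for China); the script only validates and loads whatever list it is given. The commands are printed rather than executed so they can be reviewed before being piped into `sh` as root.

```shell
#!/bin/sh
# Added example: turn a CIDR list into one ipset plus two iptables rules that
# cover SSH (22) and SMTP (25). The commands are printed, not executed, so they
# can be reviewed and then piped into `sh` as root.

# write_sample_list FILE
# Constructed sample list. These are RFC 5737 documentation prefixes, NOT real
# country allocations; substitute a per-country list built from RIR data.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample: one IPv4 prefix per line, '#' starts a comment
192.0.2.0/24
198.51.100.0/24    # trailing comments are allowed
203.0.113.0/24
not-a-prefix
EOF
}

# gen_block_rules SETNAME CIDR_FILE ADMIN_IP
#   SETNAME   ipset to create and fill (hash:net holds prefixes, not hosts)
#   CIDR_FILE file of IPv4 prefixes
#   ADMIN_IP  address that keeps SSH/SMTP access whatever the list contains
gen_block_rules() {
    set_name=$1
    cidr_file=$2
    admin_ip=$3
    cidr_re='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'

    # -exist keeps the script idempotent: re-running does not fail on duplicates
    printf 'ipset -exist create %s hash:net\n' "$set_name"

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')   # and whitespace
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq "$cidr_re"; then
            printf 'ipset -exist add %s %s\n' "$set_name" "$line"
        else
            # never pass unvalidated text to the firewall: report and skip it
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$cidr_file"

    # Explicit positions: the admin ACCEPT lands at 1, the DROP at 2, so both sit
    # ahead of any existing ACCEPT rule that would otherwise let the traffic in.
    printf 'iptables -I INPUT 1 -p tcp -m multiport --dports 22,25 -s %s -j ACCEPT\n' "$admin_ip"
    printf 'iptables -I INPUT 2 -p tcp -m multiport --dports 22,25 -m set --match-set %s src -j DROP\n' "$set_name"
}

# count_added_prefixes SETNAME CIDR_FILE ADMIN_IP
# Number of prefixes that passed validation (one 'ipset add' line each).
count_added_prefixes() {
    gen_block_rules "$@" 2>/dev/null | grep -c '^ipset -exist add ' || true
}

main() {
    tmp=$(mktemp)
    write_sample_list "$tmp"
    gen_block_rules blocklist "$tmp" 198.18.0.1     # 198.18.0.1: placeholder admin IP
    rm -f "$tmp"
}
main
```

Two caveats worth keeping in mind with this approach. First, ipset contents are not saved with the iptables rules: without an `ipset save` on shutdown and a restore that runs before `iptables-restore` on boot, the set is empty after a reboot and the DROP rule matches nothing. Second, a country block only removes the noise visible in this week's logs; brute forcing from everywhere else continues, so it belongs alongside key-only SSH and a login rate limiter such as Fail2Ban rather than in place of them.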


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Here is a good head start for your research:

    https://www.google.com/search?q=iptables+block+china&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a


  • Posts: 1,211 ✭✭✭ [Deleted User]


    Why not change the SSH port number to a higher number (an ephemeral port)? They will knock away at 22 but will get nowhere.

    Regarding your email server, I would suspect 'Fail2Ban' would be what you need.
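
Added example (editor's addition, not part of either reply): the Fail2Ban route suggested above, preceded by an awk triage of the same `smtp_auth: FAILED` lines so the pattern can be checked against the real maillog before a jail is enabled. The sample log lines are constructed; the exact wording of a qmail smtp_auth failure depends on the SMTP-AUTH patch in use, so the regex, the jail name `qmail-smtpauth`, and the thresholds are assumptions to adjust against the real /var/log/maillog.

```shell
#!/bin/sh
# Added example: triage smtp_auth failures per source IP with awk (to confirm the
# log pattern against the real maillog first), then drop in a Fail2Ban filter and
# jail that ban on the same pattern.

# write_sample_log FILE
# Constructed sample maillog. The exact wording of a qmail smtp_auth failure
# depends on the SMTP-AUTH patch in use; the only assumption relied on below is
# that the source address is the last dotted quad on the line.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 19 08:12:01 vps qmail-smtpd[4011]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.10
Oct 19 08:12:03 vps qmail-smtpd[4012]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.10
Oct 19 08:12:04 vps qmail-smtpd[4013]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.10
Oct 19 08:12:06 vps qmail-smtpd[4014]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.10
Oct 19 08:12:07 vps qmail-smtpd[4015]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.10
Oct 19 08:12:09 vps qmail-smtpd[4016]: smtp_auth: SUCCESS: sales@example.com from 198.51.100.7
Oct 19 08:12:11 vps qmail-smtpd[4017]: smtp_auth: FAILED: info@example.com - password incorrect from 203.0.113.9
Oct 19 08:12:15 vps qmail-smtpd[4018]: smtp_auth: FAILED: sales@example.com - password incorrect from 192.0.2.44
EOF
}

# failed_auth_by_ip LOGFILE THRESHOLD
# Prints "COUNT IP" for every source with at least THRESHOLD failures, highest first.
failed_auth_by_ip() {
    awk -v thr="$2" '
        /smtp_auth: FAILED/ {
            # walk the fields from the right; the first dotted quad is the source IP
            for (i = NF; i > 0; i--)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { n[$i]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# top_offender LOGFILE THRESHOLD
# The single worst source above the threshold, or nothing if none qualifies.
top_offender() {
    failed_auth_by_ip "$1" "$2" | head -n 1 | cut -d' ' -f2
}

# write_fail2ban_config DIR
# Writes filter.d/qmail-smtpauth.conf and jail.d/qmail-smtpauth.conf under DIR
# (/etc/fail2ban on a real host). Jail name and thresholds are assumptions.
write_fail2ban_config() {
    mkdir -p "$1/filter.d" "$1/jail.d"
    cat > "$1/filter.d/qmail-smtpauth.conf" <<'EOF'
[Definition]
# <HOST> is Fail2Ban's placeholder for the offending address
failregex = smtp_auth: FAILED: .* from <HOST>$
ignoreregex =
EOF
    cat > "$1/jail.d/qmail-smtpauth.conf" <<'EOF'
[qmail-smtpauth]
enabled  = true
port     = smtp,submission
filter   = qmail-smtpauth
logpath  = /var/log/maillog
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "sources with 5 or more smtp_auth failures:"
    failed_auth_by_ip "$log" 5
    rm -f "$log"
}
main
```

Before enabling the jail, run `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/qmail-smtpauth.conf` and compare its match count with what the awk triage reports on the same file; if they disagree, the failregex is not matching the real line format and the jail would ban nothing. The awk pass is also the quick answer to "who is hitting us right now", which is useful whether or not the country block from the opening post goes in.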

