
Blocking mail access by IP address block.

  • 19-10-2012 8:13am
    #1
    Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭


    Hey guys, I want some advice on something that I am looking at doing.

    A couple of days ago, an email account on one of our VPS got compromised, the cheeky spammer proceeded to jam nearly half a million spam messages into the queue, we found the culprit email address easily enough, changed the password, and went about clearing the queue with qmail-remove (For the record, deleting 450,000 odd emails took the bones of 28 hours).

    Checking today's maillog I see that they seem to be attempting to brute force the account, there are 2200 odd smtp_auth: FAILED entries, all from Chinese email addresses.

    In addition to this, I notice from looking at logs, that about 90% of failed login attempts over SSH are from Chinese IP addresses too.

    We have no customers on that server who regularly travel to China, so I figure that I might as well just block all login attempts from anywhere in China. Is there an easy way of doing this? Is it just a matter of putting a new firewall rule in place blocking all Chinese traffic over port 25 and 22?

    Thanks in advance.


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    oeb wrote: »
    Hey guys, I want some advice on something that I am looking at doing.

    A couple of days ago, an email account on one of our VPS got compromised, the cheeky spammer proceeded to jam nearly half a million spam messages into the queue, we found the culprit email address easily enough, changed the password, and went about clearing the queue with qmail-remove (For the record, deleting 450,000 odd emails took the bones of 28 hours).

    Checking today's maillog I see that they seem to be attempting to brute force the account, there are 2200 odd smtp_auth: FAILED entries, all from Chinese email addresses.

    In addition to this, I notice from looking at logs, that about 90% of failed login attempts over SSH are from Chinese IP addresses too.

    We have no customers on that server who regularly travel to China, so I figure that I might as well just block all login attempts from anywhere in China. Is there an easy way of doing this? Is it just a matter of putting a new firewall rule in place blocking all Chinese traffic over port 25 and 22?

    Thanks in advance.

    Here is a good head start for your research:

    https://www.google.com/search?q=iptables+block+china&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a


  • Posts: 0 [Deleted User]


    Why not change the ssh port number to a higher number (ephemeral port)? They will knock away at 22 though will get nowhere.

    Regarding your email server, I would suspect 'Fail2Ban' would be what you need.
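
The per-address counting that a tool like Fail2Ban applies to a mail log, as an added example that is not part of the thread and is not Fail2Ban's own code: it reports each source address with `max_retry` or more `smtp_auth: FAILED` lines inside a sliding `find_time` window (the parameters mirror Fail2Ban's `maxretry` and `findtime`). The log line layout, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog lines (documentation-range addresses).
# The layout after "smtp_auth: FAILED" is an assumption; adjust LINE_RE to your log.
SAMPLE_LOG = """\
Oct 19 07:01:02 vps smtp_auth: FAILED: sales@example.com - password incorrect from unknown [203.0.113.7]
Oct 19 07:01:09 vps smtp_auth: FAILED: sales@example.com - password incorrect from unknown [203.0.113.7]
Oct 19 07:01:15 vps smtp_auth: FAILED: sales@example.com - password incorrect from unknown [203.0.113.7]
Oct 19 07:02:00 vps smtp_auth: FAILED: info@example.com - password incorrect from unknown [198.51.100.20]
Oct 19 07:05:41 vps smtp_auth: SUCCESS: info@example.com logged in from unknown [192.0.2.10]
Oct 19 07:12:30 vps smtp_auth: FAILED: admin@example.com - password incorrect from unknown [192.0.2.44]
Oct 19 07:30:00 vps smtp_auth: FAILED: info@example.com - password incorrect from unknown [198.51.100.20]
Oct 19 07:55:00 vps smtp_auth: FAILED: info@example.com - password incorrect from unknown [198.51.100.20]
"""

# Syslog timestamp, then a failed smtp_auth entry ending in the bracketed source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*smtp_auth: FAILED.*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2012):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        # Syslog lines carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when}")
```

With the defaults only 203.0.113.7 is reported; 198.51.100.20 also fails three times, but the attempts are spread too far apart to fall inside one window.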

