smtp block brute force attacks

Discussion in 'General' started by tal56, Jun 21, 2008.

  1. tal56

    tal56 New Member

    Hi guys,

    I'm getting a lot of smtp brute force attacks lately and on my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this:

    What's the best way to block these attacks? Thanks
     
  2. till

    till Super Moderator

    If you know the IP of the attacker, you might use this command:

    /sbin/route add -host 123.123.123.123 reject
     
  3. falko

    falko Super Moderator

  4. tal56

    tal56 New Member

    Is there a fail2ban tutorial for Centos 5?
     
  5. tal56

    tal56 New Member

    Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks
     
  6. falko

    falko Super Moderator

    Unfortunately no...
     
  7. sonoracomm

    sonoracomm New Member

    Last edited: Aug 28, 2008
  8. tal56

    tal56 New Member

    Thanks for that, it would have helped a couple of weeks earlier as I finally took the plunge and installed fail2ban. It's been working great since, as far as I can tell. Only banned 2 people, but I haven't had many brute force attacks since I installed it. As far as I can tell it's stopped the only 2 I've got. This may also be because I've done some other stuff to secure the server too, like changing ports for SSH.
     
  9. Norman

    Norman HowtoForge Supporter

    I'd suggest installing ossec and allowing it to handle the hosts.deny file and the firewall, which means stuff like this will be automatically stopped.
     
  10. sonoracomm

    sonoracomm New Member

    I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well.

    I have 250 or more bans every day between the 3 servers!

    G
     
  11. TheEther

    TheEther New Member

    Blocking SMTP authentication brute force attacks using Fail2Ban
    http://theether.net/kb/100141

    Cheers,

    Jamie.
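The logic a fail2ban jail applies to SMTP auth failures, as an added example that is not part of the thread or of the linked article: count failed SASL logins per client IP over constructed log lines and report which IPs cross the retry threshold. The log lines, regexes, and the threshold value are assumptions for this example; lines that carry no IP (the situation in the opening post) are counted separately because nothing can be banned from them.

```python
import re
from collections import Counter

# Constructed sample, modelled on postfix/smtpd and saslauthd failures as
# they appear in /var/log/secure or /var/log/maillog. The saslauthd lines
# deliberately carry no client address.
SAMPLE_LOG = """\
Jun 21 03:14:01 mail saslauthd[2200]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 21 03:14:02 mail postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 21 03:14:03 mail postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 21 03:14:04 mail postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 21 03:14:05 mail postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Jun 21 03:14:06 mail postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun 21 03:15:00 mail postfix/smtpd[2230]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 21 03:15:30 mail saslauthd[2200]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 21 03:16:00 mail postfix/smtpd[2240]: connect from unknown[203.0.113.45]
"""

# Patterns written for this example (not fail2ban's shipped filters).
SMTPD_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed")
SASLAUTHD_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth\s*: auth failure:")

def classify(line):
    """Return the offending IP, None for a failure without an IP, or False."""
    m = SMTPD_FAIL.search(line)
    if m:
        return m.group("ip")
    if SASLAUTHD_FAIL.search(line):
        return None          # real failure, but the daemon logged no peer
    return False             # not an auth failure at all

def find_offenders(lines, maxretry=5):
    """Return ({ip: failures} at or above maxretry, count of IP-less failures)."""
    per_ip, unattributed = Counter(), 0
    for line in lines:
        hit = classify(line)
        if hit is False:
            continue
        if hit is None:
            unattributed += 1
        else:
            per_ip[hit] += 1
    return {ip: n for ip, n in per_ip.items() if n >= maxretry}, unattributed

def null_route_command(ip):
    """The manual block from earlier in the thread, as argv (not executed)."""
    return ["/sbin/route", "add", "-host", ip, "reject"]
```

Running it over the sample reports 203.0.113.45 as the only IP over the threshold and two failures that no filter can attribute, which is why the saslauthd-only lines in the first post give fail2ban nothing to act on.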
     
  12. hairydog2

    hairydog2 New Member

    I tried to do this, but got

    SIOCADDRT: No such device

    Any suggestions?
     
  13. falko

    falko Super Moderator

    There seems to be something wrong with one of your network interfaces. Did you try to reboot the server?
     
  14. hairydog2

    hairydog2 New Member

    Oddly enough, when I tried again later, it worked!
     