How I can block attack on 25 smtp port?

Discussion in 'E-mail Discussions' started by helio, Feb 3, 2006.

  1. helio

    helio Member

    Joined:
    May 2, 2003
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sampa
    How can I block this kind of attack?
    I have APF on the server...
    Thanks all!

    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50446 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50447 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50445 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50450 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50448 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50449 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50454 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50455 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50452 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50453 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50458 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50457 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:80 200.171.49.217:25140 FIN_WAIT2 -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50466 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50467 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50464 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50465 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50471 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50468 TIME_WAIT -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50469 TIME_WAIT -
    tcp 0 46 70.84.XXX.XXX:25 200.180.59.231:50474 FIN_WAIT1 -
    tcp 0 0 70.84.XXX.XXX:25 200.180.59.231:50472
     
  2. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    a few suggestions...

    1. 70.84 is an IP Range owned by ThePlanet. Open a ticket in Orbit and ask them to block the offender @ their edge. The IP you want to have blocked is: 200.180.59.231

    2. In IPTables ignore 200.180.59.231

    3. You could try contacting the provider for 200.180.59.231 (good luck there) and request their assistance

    4. If you think this is an attack from there, you may wish to have ThePlanet block the following: 200.180/16. This should not harm you, unless you expect traffic from Brazil.

    inetnum: 200.180/16
    aut-num: AS8167
    abuse-c: BTA17
    owner: Brasil Telecom S/A - Filial Distrito Federal
    ownerid: 076.535.764/0326-90
    responsible: Brasil Telecom S. A. - CNRS
    address: SEPS 702/092 Cj. B - Bl B 3 andar Gen. Alencastro, S/N,
    address: 70390-025 - Brasilia - DF
    phone: (61) 415-4201 []
    owner-c: BTC14
    tech-c: BTC14



    One last suggestion: are you running Brute Force Detection? If not, it's an easy install. PM me if needed.
     
  3. hpsmaster2

    hpsmaster2 Member

    Joined:
    Mar 1, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I have APF with BRUTEFORCE, but it doesn't detect sometimes, and I need to block the IP manually. Is there a tool or configuration to block automatically?

    Thanks for your help
     
  4. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    if you have shell - do this

    in shell type
    Code:
    /etc/apf/apf -d 200.180.59.231 

    The response should be

    Code:
    Inserted into firewall: Deny all to/from 200.180.59.231
    

    FYI:


    usage /etc/apf/apf [OPTION]
    -s|--start ......................... load all firewall policies
    -r|--restart ....................... stop (flush) & reload firewall rules
    -f|--stop........ .................. stop (flush) all firewall rules
    -l|--list .......................... list chain rules
    -t|--status ........................ firewall status
    -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                         immediately load new rule into firewall
    -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                         immediately load new rule into firewall
    -u|--unban HOST .................... remove host from [glob_]deny_hosts.rules
                                         and immediately remove rule from firewall
    -o|--ovars ......................... output all conifguration options
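
An added example, not part of any post in this thread: one way to automate the manual step above by counting sockets per remote IP against local port 25 in `netstat -ant` output and emitting an `apf -d HOST CMT` command for each address over a threshold. The threshold, the allowlist file, the function names and the sample addresses (documentation ranges) are assumptions made for illustration; only the `apf -d` syntax comes from the usage text above.

```shell
#!/bin/sh
# Added example (not from the thread): find SMTP connection floods in
# `netstat -ant` output and build APF deny commands for the sources.

# smtp_offenders THRESHOLD < netstat-output
# Prints "COUNT IP" for each remote IPv4 address with at least THRESHOLD
# sockets (any TCP state, TIME_WAIT included) on local port 25, busiest first.
smtp_offenders() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && $4 ~ /:25$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # strip the remote port
            sub(/^::ffff:/, "", ip)      # IPv4-mapped form on dual-stack sockets
            # LISTEN rows (remote "0.0.0.0:*") fail this check and are skipped
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# deny_commands THRESHOLD ALLOWLIST_FILE < netstat-output
# Emits one deny command per offender; IPs listed one per line in
# ALLOWLIST_FILE (hypothetical file, e.g. your own relays) are never blocked.
deny_commands() {
    smtp_offenders "$1" | while read -r n ip; do
        grep -qxF "$ip" "$2" 2>/dev/null && continue
        printf '/etc/apf/apf -d %s smtp_flood_%s_conns\n' "$ip" "$n"
    done
}

# Constructed sample input (documentation addresses, not real hosts).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:25        0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:25     203.0.113.7:50446    TIME_WAIT
tcp        0      0 192.0.2.10:25     203.0.113.7:50447    TIME_WAIT
tcp        0      0 192.0.2.10:25     203.0.113.7:50448    TIME_WAIT
tcp        0     46 192.0.2.10:25     203.0.113.7:50474    FIN_WAIT1
tcp        0      0 192.0.2.10:80     198.51.100.9:25140   FIN_WAIT2
tcp        0      0 192.0.2.10:25     198.51.100.20:41000  ESTABLISHED
tcp        0      0 192.0.2.10:2525   203.0.113.7:50500    ESTABLISHED
EOF
}

# Dry run: print the commands for review instead of executing them.
sample_netstat | deny_commands 3 /dev/null
```

On a live server, feed it `netstat -ant` instead of the sample and review the printed commands before piping them to `sh`; a threshold that is too low will block legitimate mail relays that open several connections at once.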
     