Posted

For the past several days, I have been seeing a significant rise in activity on our FreeBSD mail server. So, today, I began running netstat -an | more to see who is doing what. I found 2 IPs (64.12.88.131 & 64.12.88.163 - both AOL IPs... though I suspect it is the same person) logging in every few minutes. When I see them on, I disconnect them with tcpdrop. I have also added 64.12.88 to the .htaccess in the root... but they continue to reappear.

 

Just a few minutes ago, I noticed that when I tcpdrop'd them, the following message would appear (I'm logged in as root at the console & the root account is disabled on the network side) & it looks like this person was attempting to either send or generate email through our server (even though I am the only user logged on).

 

Can anyone recommend a more permanent way to block these IPs or how to prohibit them from generating AOL email through our server?

[Attached screenshot: 64.12.88.163.jpg]
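The first post spots the two addresses by reading netstat -an by eye. As an added example (not from the thread), this counts established connections to local port 25 per remote address from FreeBSD netstat output, so repeat connectors stand out; the netstat lines are constructed and 203.0.113.10 is a placeholder for the mail server's own address.

```shell
#!/bin/sh
# Constructed sample of FreeBSD "netstat -an" output (address and port are
# separated by a dot, e.g. 64.12.88.131.52311). Not real captured data.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.10.25        64.12.88.131.52311     ESTABLISHED
tcp4       0      0 203.0.113.10.25        64.12.88.131.52340     ESTABLISHED
tcp4       0      0 203.0.113.10.25        64.12.88.163.41002     ESTABLISHED
tcp4       0      0 203.0.113.10.25        64.12.88.131.52377     TIME_WAIT
tcp4       0      0 203.0.113.10.22        198.51.100.7.61000     ESTABLISHED
tcp4       0      0 *.25                   *.*                    LISTEN'

# smtp_peers "<netstat -an output>" [min_count]
# Prints "count ip" for every remote address holding at least min_count
# ESTABLISHED connections to local port 25, busiest first. TIME_WAIT and
# LISTEN entries are skipped, and the remote port is stripped so that all
# sessions from one client are counted together.
smtp_peers() {
    printf '%s\n' "$1" | awk -v min="${2:-1}" '
        $1 ~ /^tcp/ && $4 ~ /\.25$/ && $6 == "ESTABLISHED" {
            ip = $5; sub(/\.[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# On the server itself: smtp_peers "$(netstat -an)" 3
smtp_peers "$SAMPLE_NETSTAT"
```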

Posted

This has nothing to do with RWG... This is a mail server unrelated to RWG.

If you know what a DOS attack is, then you can see that this is not that. Based on the screenshot, I think they are using our server to send email to or through AOL. But, more than that, I do not know. Finding out what that error in the screenshot means is why I posted here. Has anyone with Unix admin experience seen this error before & does anyone know how to permanently block these 2 IPs (the .htaccess in / is not affecting them)?

Posted

I am fairly certain it is & I do think it is something more complex than that, but the guy who has been administering our servers retired & it has been many years since I have maintained a Unix box. If you can direct me, I will check SMTP authentication.

Posted

Try this

 

$ sudo iptables -A INPUT -s 64.12.88.0/24 -j DROP

 

 

...I used to be a Tru64 admin aeons ago so a little knowledge on my side...Stu maybe knows a bit more about networking @nikki6

Posted

docthor - Will this permanently block the IP?

Also, while that IP is nearly constant, there are a handful of others that appear once every few hours, so can I use the same command for them, too?

In the meantime, thank you!

Posted

While that IP is active on the server, I issued the sudo command 3 times to be sure I was not mistyping it, but it returned:

sudo: not found

 

I also tried it as root, but got:

sudo: Command not found

Posted

Try the command without sudo...just realized that you are working as root anyway. When iptables is used on FreeBSD it has to work :)

Sent from my SM-A310F using Tapatalk

Posted

:(...well...when there's no iptables on your OS you can't use it I'm afraid. Dunno what FreeBSD uses instead, sorry...

Sent from my SM-A310F using Tapatalk

Posted

I do not know if this will be relevant for your experience, but the server's firewall is /etc/ipf.rules.

The guy who set up the server configured the ipf.rules to block all logins except my local IP. So whenever I change my IP (roughly monthly), I have to edit ipf.rules to reflect this, so I can login for maintenance. Up until a few days ago, for the 20 years the server has been online, I have never seen anyone able to do what these guys are doing.

 

Anyway, is there anything similar to your iptables command that will work for ipf.rules?

5 minutes ago, docthor said:

Just was searching for it...
Maybe this helps...
http://www.webhostingtalk.com/showthread.php?t=530618
 

I think you are on to something.... I did find a pf.conf, but the commands listed on that web page are a bit too advanced for me since it has been so long since I dabbled.

Question -

In post 14 on that page, I am confused when the author says 'Paste this into a new copy of your /etc/pf.conf'.

Do you think he means to replace the original pf.conf or just copy/paste his code into the existing pf.conf?

Posted

I followed the instructions in post 14 from that 'how to block ip in freebsd' (creating a new pf.conf) & got it running, but it has no effect on these IPs. They continue processing some type of mail program.

Any other suggestions? Or, do you know any BSD admins who would be willing to take a look? At this point, whatever it is that these miscreants are running on our server, it is slowing the server to a crawl.

Posted

Unfortunately, service does not appear to be installed on our server either.

I may be grabbing at straws, but I wonder if the bolded line from post 14 in your original web link refers to a port number?

 

# External
ext_if = "em1"
set loginterface $ext_if
set block-policy drop

 

The reason I ask is because pf.conf seems to be running, but it has no effect on these IPs, & I am not sure what "em1" is. If it is a port, how do I know it is the correct port for our server?

Posted

"em1" is an interface and ext_if is the alias within the script for the relevant interface.

Sent from my SM-A310F using Tapatalk

With ipconfig you are able to find out which interface is up.

Sent from my SM-A310F using Tapatalk

Posted
14 minutes ago, docthor said:

"em1" is an interface and ext_if is the alias within the script for the relevant interface.

With ipconfig you are able to find out which interface is up.
 

Does this tell you if I need to reconfigure that line in pf.conf -

 

[Attached screenshot: ifconfig.jpg]

Posted

It may well be worth blocking an IP set, so any numbers within the IP range they're using are put in as permabanned on that server.

Sent from my SM-G935F using Tapatalk

Posted
1 minute ago, nikki6 said:

It may well be worth blocking an IP set, so any numbers within the IP range they're using are put in as permabanned on that server.

Thanks & that may be useful in the future once I figure out how to block these 2 single IPs.

Posted

You should be able to block that range, so when they go to the next on the list, that'll be blocked too

Sent from my SM-G935F using Tapatalk

Posted
2 minutes ago, nikki6 said:

You should be able to block that range, so when they go to the next on the list, that'll be blocked too

The $64,000 question remains - How do I block them on a FreeBSD server, when /.htaccess & pf.conf failed?
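Pulling the thread together as an added example (not from the thread or the linked how-to): the poster says the server's configured firewall is ipfilter (/etc/ipf.rules), so rules placed only in pf.conf do nothing unless pf itself is enabled, and .htaccess only ever governs the web server. The script below renders block rules for both firewalls from one address list; "em1" is taken from the quoted pf.conf fragment, the addresses are the two from the first post, and a /24 such as 64.12.88.0/24 can be added to the list the same way. Check /etc/rc.conf for ipfilter_enable="YES" versus pf_enable="YES" to see which config is live. Blocking sources is a stopgap; the SMTP authentication check raised earlier still decides whether the server is relaying for them.

```shell
#!/bin/sh
# Added example: generate source-block rules for ipfilter and pf from one
# list. Interface and addresses below come from the thread; they are the
# only assumptions.
EXT_IF="em1"
BAD_HOSTS="64.12.88.131 64.12.88.163"

# ipfilter: one "block in quick" line per entry. Put these at the TOP of
# /etc/ipf.rules ("quick" means first match wins, so they must precede any
# pass rule), then reload and verify with:
#   ipf -Fa -f /etc/ipf.rules
#   ipfstat -i
ipf_block_rules() {
    for h in $1; do
        printf 'block in quick on %s from %s to any\n' "$EXT_IF" "$h"
    done
}

# pf: a persistent table plus a single drop rule placed before any "pass in"
# rule in /etc/pf.conf. Load and verify with:
#   pfctl -f /etc/pf.conf        (pfctl -e first if pf is not enabled)
#   pfctl -t badhosts -T show
pf_block_rules() {
    list=""
    for h in $1; do
        list="${list:+$list, }$h"     # join entries as "a, b"
    done
    printf 'table <badhosts> persist { %s }\n' "$list"
    printf 'block drop in quick on %s from <badhosts> to any\n' "$EXT_IF"
}

# Render both fragments so the one matching the active firewall can be
# pasted into its config file.
render_all() {
    echo "# --- add to /etc/ipf.rules ---"
    ipf_block_rules "$BAD_HOSTS"
    echo "# --- add to /etc/pf.conf ---"
    pf_block_rules "$BAD_HOSTS"
}
render_all
```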
