
Hacking?


freddy333


For the past several days, I have been seeing a significant rise in activity on our FreeBSD mail server. So, today, I began running netstat -an | more to see who is doing what. I found 2 IPs (64.12.88.131 & 64.12.88.163 - both AOL IPs... though I suspect it is the same person) logging in every few minutes. When I see them on, I disconnect them with tcpdrop. I have also added 64.12.88 to the .htaccess in the root... but they continue to reappear.

 

Just a few minutes ago, I noticed that when I tcpdrop'd them, the following message would appear (I'm logged in as root at the console & the root account is disabled on the network side) & it looks like this person was attempting to either send or generate email through our server (even though I am the only user logged on).

 

Can anyone recommend a more permanent way to block these IPs or how to prohibit them from generating AOL email through our server?

(Screenshot attached: 64.12.88.163.jpg)


This has nothing to do with RWG... This is a mail server unrelated to RWG.

If you know what a DoS attack is, then you can see that this is not that. Based on the screenshot, I think they are using our server to send email to or through AOL. But, more than that, I do not know. Finding out what that error in the screenshot means is why I posted here. Has anyone with Unix admin experience seen this error before & know how to permanently block these 2 IPs (the .htaccess in / is not affecting them)?


I do not know if this will be relevant for your experience, but the server's firewall is /etc/ipf.rules.

The guy who set up the server configured the ipf.rules to block all logins except my local IP. So whenever I change my IP (roughly monthly), I have to edit ipf.rules to reflect this, so I can login for maintenance. Up until a few days ago, for the 20 years the server has been online, I have never seen anyone able to do what these guys are doing.

 

Anyway, is there anything similar to your iptables command that will work for ipf.rules?

5 minutes ago, docthor said:

Just was searching for it...
Maybe this helps...
http://www.webhostingtalk.com/showthread.php?t=530618
 

I think you are on to something.... I did find a pf.conf, but the commands listed on that web page are a bit too advanced for me since it has been so long since I dabbled.

Question -

In post 14 on that page, I am confused when the author says ' Paste this into a new copy of your '/etc/pf.conf''.

Do you think he means to replace the original pf.conf or just copy/paste his code into the existing pf.conf?


I followed the instructions in post 14 from that 'how to block ip in freebsd' (creating a new pf.conf) & got it running, but it has no effect on these IPs. They continue processing some type of mail program.

Any other suggestions? Or, do you know any BSD admins who would be willing to take a look? At this point, whatever it is that these miscreants are running on our server, it is slowing the server to a crawl.


Well...knowing nothing about ipf I'd start with the basics...

Is ipf running?

"service ipfilter status"

If it's not running

"service ipfilter start"

Check the ruleset

"ipfstat -ion"

There's a good explanation of ipf and how it works on FreeBSD.org

https://www.freebsd.org/doc/handbook/firewalls-ipf.html

Hope that helps :)



Sent from my SM-A310F using Tapatalk


Unfortunately, service does not appear to be installed on our server either.

I may be grabbing at straws, but I wonder if the bolded line from post 14 in your original web link refers to a port number?

 

# External
ext_if = "em1"
set loginterface $ext_if
set block-policy drop

 

The reason I ask is because pf.conf seems to be running, but it has no effect on these IPs. & I am not sure what "em1" is? If it is a port, how do I know it is the correct port for our server?


"em1" is an interface and ext_if is the alias within the script for the relevant interface.

Sent from my SM-A310F using Tapatalk

With ipconfig you are able to find out which interface is up.

Sent from my SM-A310F using Tapatalk

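Putting the thread's pieces together (the two addresses from the first post, the em1/ext_if fragment, and the "is the firewall actually loaded" checks): the pf.conf below blocks the two IPs with a persistent table and lists the pfctl commands that show whether pf is enabled and the rules are in effect. This is an added example, not a file posted in the thread; it assumes em1 really is the interface facing the internet (check with ifconfig), and the table name "blocked" is a made-up choice.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumes em1 is the external interface (verify with: ifconfig).
ext_if = "em1"
set loginterface $ext_if
set block-policy drop
set skip on lo0

# Persistent table holding the two addresses named in the first post.
# "persist" keeps the table alive even if no rule references it, and
# addresses can be added on the fly without reloading this file:
#   pfctl -t blocked -T add 192.0.2.10      (192.0.2.10 is a placeholder)
table <blocked> persist { 64.12.88.131, 64.12.88.163 }

# Drop everything from the table on the external interface. "quick" ends
# rule evaluation here, so no later pass rule can let these hosts through;
# "log" records each dropped packet on the pflog0 interface.
block drop in quick log on $ext_if from <blocked> to any

# Checks to run after editing (as root):
#   pfctl -nf /etc/pf.conf     # parse only; a syntax error means nothing loads
#   pfctl -f  /etc/pf.conf     # load the ruleset
#   pfctl -s info              # must say "Status: Enabled"; if not: pfctl -e
#   pfctl -t blocked -T show   # confirm both addresses are in the table
#   pfctl -s rules -v          # per-rule packet counters should climb
# Add pf_enable="YES" to /etc/rc.conf so pf comes back after a reboot.
#
# If this box actually filters with ipf (the /etc/ipf.rules mentioned
# earlier in the thread), the equivalent lines there are:
#   block in quick on em1 from 64.12.88.131/32 to any
#   block in quick on em1 from 64.12.88.163/32 to any
# loaded with: ipf -Fa -f /etc/ipf.rules   (and checked with: ipfstat -io)
```

Blocking two addresses treats the symptom; if the server is relaying mail for these hosts, the mail server's relay and authentication settings need the same attention, since the next source address will not be in the table.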
