gulden-pt: October 2009

A simple way to detect SMTP attacks from a single source IP can be achieved using the following command:

$ fgrep "tcpserver: pid" "/var/log/qmail/smtp/current" | awk {'print $6'}| sort | uniq -c| sort -rn |less

$ fgrep "tcpserver: pid"   "/var/log/qmail/smtp/current" | awk {'print $6'}| sort | uniq -c| sort  -rn |less

The output will be similar to:

view plain print ?

59 72.15.222.65
42 63.251.135.109
38 66.211.168.231
33 63.251.135.115
29 63.251.135.74
25 213.63.26.144
25 194.65.138.99
23 63.251.135.75
16 194.65.5.228
15 93.102.93.77
15 195.23.124.22
13 212.55.154.23
12 213.91.163.191
12 212.55.154.24
11 212.55.154.21
11 198.31.62.64
10 208.65.131.106
9 98.244.216.176
9 85.243.160.139

     59 72.15.222.65
     42 63.251.135.109
     38 66.211.168.231
     33 63.251.135.115
     29 63.251.135.74
     25 213.63.26.144
     25 194.65.138.99
     23 63.251.135.75
     16 194.65.5.228
     15 93.102.93.77
     15 195.23.124.22
     13 212.55.154.23
     12 213.91.163.191
     12 212.55.154.24
     11 212.55.154.21
     11 198.31.62.64
     10 208.65.131.106
     9 98.244.216.176
     9 85.243.160.139
...

The first column shows the number of tcp connections that have been established and the second column the source IP. If the number of messages from those sources are high and suspicious then you need to block those sources.

gulden-pt

Thursday, October 29, 2009

QMAIL + detect SMTP Attacks from the same IP