Hacking Attempt - NOQUEUE: reject: RCPT

#1 Wed, 02/25/2009 - 09:53
mdtiberi

I am getting quite a lot of these in my maillog where someone is trying to guess a user name. They haven't found a hit yet, but I am wondering whether it is a real threat or just some annoying hacker. And secondly, is there a way I can set a rule in iptables to deny the IP after a certain number of tries and then discard the rule after, say, 20 minutes or so? I am not good at all with iptables, so if anyone has any ideas please share the exact syntax.

Thanks

Wed, 02/25/2009 - 10:14
andreychek

I wouldn't worry about those too much, especially if you use even half-secure passwords; bots just scan around for open ports and try a set of common usernames and passwords on them.

Iptables by itself can't perform autoblocks, but there are tools out there to monitor your logfiles and set up blocks for you.

Something like denyhosts can do that for SSH-based attacks; you may be able to configure it to monitor email attacks, or just find a similar tool designed for email.

However, I'm not sure that I'd be overly concerned about it if you have reasonably secure passwords.
-Eric

Wed, 02/25/2009 - 12:09 (Reply to #2)
ronald

I get a lot of those messages in my log, but as I read them it is a spammer trying to send a mail to an address not on the server, and using the same address to send it.

NOQUEUE: reject: RCPT from unknown[93.86.228.38]: 550 5.1.1 <infoi@domain.nl>: Recipient address rejected: User unknown in virtual alias table; from=<infoi@domain.nl> to=<infoi@domain.nl> proto=ESMTP helo=<[79.101.235.141]>

where domain.nl is a replacement name.
It would be worse if the message bounced instead of being rejected.
None of the IPs are familiar to me.

Wed, 02/25/2009 - 22:31 (Reply to #3)
ronald

The problem I have with banning IPs is that bots/scripts/spammers abuse computers/servers, and thus the IPs of the innocent. Hence you'd be banning IPs of potential clients.

Also, lots of people have dynamic IPs, so banning one which next month could belong to your client is a bad case (theoretically).

I did this 2 years ago and my colleague from another country couldn't see a site on my server any more, so I quit banning IPs myself.

Wed, 02/25/2009 - 14:22
mdtiberi

Eric, Ronald thanks for the feedback.

Poring through my logs, I was rather amazed at these "bots" that do someone's dirty work to hack into a mail server. In 69 seconds they made 34 attempts with different user names to log in.

I was able to find a partial solution. I use the ASL kernel, which installs ossec-hids. It utilizes an active response which shuns offending IPs for a certain amount of time. The default is set to 10 minutes, so I upped this by a fair amount to stop subsequent attacks, as well as changing the number of failed attempts before the shun. I think it should work well. We'll see in the next few days how it goes.
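Added example, not from this thread and not OSSEC's or ASL's code: a small Python scan that applies the same "N failures in a time window" idea to the Postfix "NOQUEUE: reject: RCPT ... User unknown" lines quoted above, reporting a client IP only once its rejections reach a threshold inside the window, so a single mistyped address never trips it. The syslog prefix, the year, the sample IPs and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Message part as quoted in the thread, behind an assumed syslog prefix.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def parse_ts(ts, year=2009):
    # syslog timestamps carry no year; the thread's year is assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, threshold=10, window_s=60):
    """Map each client IP whose 'User unknown' rejections reach `threshold`
    inside some `window_s`-second span to its peak count in such a span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold:   # a bot walking a name list trips this,
            offenders[ip] = max(offenders.get(ip, 0), len(q))  # one typo never does
    return offenders

def _line(ts, ip, user):
    # Constructed log line in the exact shape quoted in the thread.
    return (f"{ts} mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{user}@domain.nl>: Recipient address "
            f"rejected: User unknown in virtual alias table; from=<{user}@domain.nl> "
            f"to=<{user}@domain.nl> proto=ESMTP helo=<[{ip}]>")

# Constructed sample: one host trying 12 usernames in under a minute,
# one host mistyping the same address twice, minutes apart.
SAMPLE_LOG = [_line(f"Feb 25 09:50:{5 * i:02d}", "192.0.2.10", f"user{i}")
              for i in range(12)]
SAMPLE_LOG += [_line("Feb 25 09:51:10", "198.51.100.5", "infoi"),
               _line("Feb 25 09:58:30", "198.51.100.5", "infoi")]

if __name__ == "__main__":
    for ip, peak in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} unknown-recipient rejections within 60s")
```

Feeding real maillog lines through `find_offenders` gives the list a shun tool would act on; pairing it with a ban that expires (as the thread's 10-minute default does) limits the collateral damage from dynamic or shared IPs that Ronald describes.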

Wed, 02/25/2009 - 14:26
mdtiberi

Forgot to mention: OSSEC automatically adds the IP to hosts.deny for the prescribed time.
