On Wed, 25 Jul 2012, Chris Knadle wrote:
> What I don't understand about this particular situation is that the IP address
> of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
> which would make it seem like the attacker is on the local LAN (or via VPN).
>> 2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
Maybe I'm misreading the logs, but isn't 192.168.0.232
the HELO/EHLO address?
In which case the rogue machine is on a private network belonging
to a broadviewnet customer and somewhere behind 216.214.153.238?
> That seems like in addition to adding fail2ban, you'd want to find the
> offending box and take it offline for antivirus scanning (if possible) because
> the "attacker" is probably malware.
>
> Good luck tracking it down.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@??? http://www.dpmms.cam.ac.uk/~werdna
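An added example, not part of this thread and not Exim's own code: a small Python parser for the two log lines quoted above, to make the HELO-versus-peer distinction concrete. It assumes Exim's layout for the "authenticator failed" line (optional verified reverse-DNS name, then the client's HELO/EHLO name in parentheses when it differs, then the peer address in square brackets), treats only the bracketed address as something the server observed, and flags a HELO name that is an RFC 1918 address literal. The sample lines are constructed: the two quoted from the thread plus invented follow-ups (the extra usernames, and a failure from 203.0.113.7 / mail.example.net / mta1.example.net).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Exim "authenticator failed" line. After "failed for" Exim prints the
# verified reverse-DNS name (if any), then the HELO/EHLO name in
# parentheses when it differs from that name, then the peer address in
# square brackets. Only the bracketed address is something Exim observed;
# the HELO name is whatever the client chose to send.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<host>[^\s(\[]+) )?"      # reverse-DNS name, if Exim found one
    r"(?:\((?P<helo>[^)]*)\) )?"      # client-supplied HELO/EHLO name
    r"\[(?P<peer>[^\]]+)\]: "         # TCP peer address
    r"535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)

# Exim's note that the reverse name did not resolve back to the peer.
NO_IP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) no IP address found for host (?P<host>\S+) "
    r"\(during SMTP connection from \[(?P<peer>[^\]]+)\]\)"
)

# RFC 1918 ranges checked explicitly (ipaddress.is_private is wider).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918_literal(helo):
    """True if a HELO name is an address literal such as [192.168.0.232]
    (or a bare dotted quad) inside RFC 1918 space."""
    if not helo:
        return False
    try:
        addr = ip_address(helo.strip("[]"))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_auth_failure(line):
    """Fields of an 'authenticator failed' line, or None for other lines."""
    m = AUTH_FAIL_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["helo_is_rfc1918"] = is_rfc1918_literal(rec["helo"])
    return rec


def parse_unverified_host(line):
    """Fields of a 'no IP address found for host' line, or None."""
    m = NO_IP_RE.match(line.strip())
    return m.groupdict() if m else None


def offenders(lines, threshold=3):
    """Count failures per peer address (never per HELO name, which the
    client controls) and return the peers at or above the threshold,
    with the HELO names and usernames seen from each."""
    by_peer = defaultdict(lambda: {"count": 0, "helos": set(), "users": set()})
    for line in lines:
        rec = parse_auth_failure(line)
        if rec is None:
            continue
        entry = by_peer[rec["peer"]]
        entry["count"] += 1
        if rec["helo"]:
            entry["helos"].add(rec["helo"])
        if rec["user"]:
            entry["users"].add(rec["user"])
    return {peer: e for peer, e in by_peer.items() if e["count"] >= threshold}


# Constructed sample: the two lines quoted in the thread plus invented
# follow-ups (extra usernames, and a single failure from 203.0.113.7
# whose HELO is an ordinary hostname rather than a private address).
SAMPLE_LINES = [
    "2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])",
    "2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)",
    "2012-07-25 07:09:14 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=admin)",
    "2012-07-25 07:09:17 login authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=test)",
    "2012-07-25 07:12:40 plain authenticator failed for mail.example.net (mta1.example.net) [203.0.113.7]: 535 Incorrect authentication data (set_id=bob)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_auth_failure(line)
        if rec:
            print(f"peer={rec['peer']} helo={rec['helo']!r} "
                  f"helo_is_rfc1918={rec['helo_is_rfc1918']} user={rec['user']}")
    for peer, e in offenders(SAMPLE_LINES).items():
        print(f"block {peer}: {e['count']} failures, helos={sorted(e['helos'])}, "
              f"users={sorted(e['users'])}")
```

The practical consequence for the fail2ban suggestion in the thread: a filter for this line must capture its host from the bracketed field, not the parenthesised one. Banning 192.168.0.232 would at best do nothing and at worst lock out a machine on your own LAN, while the connection that needs blocking is the one from 216.214.153.238.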