From: Yaroslav H. <li...@on...> - 2007-09-08 14:24:40

> Yaroslav, I don't believe so, for my case. I'm mainly interested in spam
> and ssh attacks. Consider this line from my postfix log:

ssh is fine since it goes through negotiation and exchange of information
before it tries to authenticate but in your case I would not be so sure...

From http://chris-linfoot.net/d6plinks/CWLT-6NRKUX one of the examples
with spoofed IP in SMTP... Excerpt:

,----
| # SMTP uses TCP. TCP packets can be large (large enough for an
| entire spam to be contained in one packet). TCP source addresses may
| also easily be spoofed. Of course, if you do spoof the source address
| then your SMTP client spamware will never see any responses back from
| the server (like 220, 250, 354, 221 and so on) but if your aim is just
| to get an unwanted message onto someone else's delivery queue, you don't
| want to be troubled by minor details like that.
|
| # So, JS crafts a single TCP packet bearing a spoofed source
| address (127.0.0.1) and containing the entire SMTP transaction from HELO
| to . complete with <CR><LF> where needed, then fires it at the
| non-standard SMTP port of the target system. He repeats this a large
| number of times.
`----

> Sep 7 11:02:34 satan postfix/smtpd[3872]:
> NOQUEUE: reject: EHLO from unknown[59.96.37.34]: 554 5.7.1 <dirac.org>:
> Helo command rejected: You are not in dirac.org (1).
> Go away, spammer.; proto=SMTP helo=<dirac.org>

--
.-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                         ^^-^^                    [175555]
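An added defender-side illustration of the concern raised in this message (this is example code written for this page, not fail2ban's own filter or anything from the thread): it parses postfix `NOQUEUE: reject:` lines like the one quoted above, refuses to treat loopback or other non-global source addresses as bannable (the way a fail2ban `ignoreip` list would, so a spoofed `127.0.0.1` entry never locks out the host itself), and only reports public addresses that cross a maxretry-style threshold. The regex, the ignore networks and the sample log lines (the quoted line plus two constructed variants) are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample log: line 1 is the postfix reject quoted in the thread,
# lines 2-3 are constructed variants (a repeat offender and a 127.0.0.1 entry
# of the kind a spoofed single-packet transaction would leave behind).
SAMPLE_LOG = """\
Sep  7 11:02:34 satan postfix/smtpd[3872]: NOQUEUE: reject: EHLO from unknown[59.96.37.34]: 554 5.7.1 <dirac.org>: Helo command rejected: You are not in dirac.org (1). Go away, spammer.; proto=SMTP helo=<dirac.org>
Sep  7 11:02:51 satan postfix/smtpd[3872]: NOQUEUE: reject: EHLO from unknown[59.96.37.34]: 554 5.7.1 <dirac.org>: Helo command rejected: You are not in dirac.org (1). Go away, spammer.; proto=SMTP helo=<dirac.org>
Sep  7 11:03:10 satan postfix/smtpd[3880]: NOQUEUE: reject: RCPT from unknown[127.0.0.1]: 554 5.7.1 <dirac.org>: Helo command rejected: You are not in dirac.org (1). Go away, spammer.; proto=SMTP helo=<dirac.org>
"""

# Assumed pattern for postfix smtpd reject lines: "<stage> from <host>[<ip>]".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Assumed ignore list, in the spirit of fail2ban's ignoreip: never ban these.
IGNORE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def classify_rejects(log_text, ignore_nets=IGNORE_NETS):
    """Split reject-line source IPs into (bannable, ignored) lists, in log order.

    An address is ignored if it is in an ignore network or is not globally
    routable, since a logged loopback/private source is either local traffic
    or a spoofed packet, and banning it would hurt the host, not the sender.
    """
    bannable, ignored = [], []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a reject line; fail2ban would skip it too
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in ignore_nets) or not ip.is_global:
            ignored.append(str(ip))
        else:
            bannable.append(str(ip))
    return bannable, ignored


def candidates_to_ban(log_text, maxretry=2, ignore_nets=IGNORE_NETS):
    """Return the sorted public IPs with at least `maxretry` reject lines."""
    counts = {}
    for ip in classify_rejects(log_text, ignore_nets)[0]:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(classify_rejects(SAMPLE_LOG))
    print(candidates_to_ban(SAMPLE_LOG))
```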