1. ## An annoying IP, IPTABLES can't block it!

Hi friends!

My mail server is Postfix .
And sometimes, someone is trying to use my smtp to send spam emails.
I have used iptables and fail2ban to solve these cases, and I'm always reading the mail log to see any suspicious connections, using iptables commands manually to ban these annoying spammers.
But the last one is very persistent! Even with several iptables commands, including OUTPUT and INPUT rules to drop it, the connection attempts were not blocked!

Even with a network unreachable status, this annoying IP, testingemail\dot\com [208.87.35.103], is trying to connect to my SMTP server!
I have used iptables and route commands to block it, but with no success until now =/

That server (testingdomain\dot\com) was trying to use the PHP mail functions in PHP files present on my server to send the emails; I discovered and commented out those lines from the mail function, and this issue was solved.

I have made an IP lookup for 208.87.35.103 and this is an inconsistent IP.
What does this mean?

Maybe my server has a script running that makes these connection attempts?
Is this a backscatterer?

Thanks for your attention!

Regards

2. iptables will block any IP you wish. It's pretty much 100% reliable. Either you didn't enter the rule correctly, or your iptables isn't running.

3. Originally Posted by mizzle
iptables will block any IP you wish. It's pretty much 100% reliable. Either you didn't enter the rule correctly, or your iptables isn't running.
How can I check if it's running?

5. I have checked and it's running... v.1.4.8
Can you give me an efficient command against that IP?
So I will flush the rules and try this new one, ok?

Thanks!

6. you can show us your currently running iptables with this cmd:
Code:
iptables -L
You can try blocking an ip address like this:
Code:
iptables -A INPUT -s x.x.x.x -j DROP

7. Yep, it's running and here are the rules; I have typed the commands manually:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- ps44.suite2.arena.ne.jp anywhere multiport dports smtp
DROP tcp -- 208-87-35-103.securehost.com anywhere multiport dports smtp
DROP tcp -- mail7.vipprodutora9.com.br anywhere tcp dpt:smtp
DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp dpt:smtp
DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp spt:smtp
DROP tcp -- 208-87-35-103.securehost.com anywhere tcp dpt:smtp
DROP tcp -- bermantech.com anywhere tcp dpt:smtp
DROP tcp -- d155234.artnet.pl anywhere tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- d155234.artnet.pl anywhere tcp dpt:smtp
DROP tcp -- mail7.vipprodutora9.com.br anywhere tcp dpt:smtp
DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp dpt:smtp
DROP tcp -- 78.186.171.9.static.ttnet.com.tr anywhere tcp spt:smtp
DROP tcp -- 208-87-35-103.securehost.com anywhere tcp spt:smtp
DROP tcp -- 208-87-35-103.securehost.com anywhere tcp dpt:smtp

--------------------------------------------------------------------------------

But at this moment, that annoying IP (208-87-35-103) has stopped trying to make connections.
If it comes back, I will be back here to ask for more help.

Thanks my friend!
Regards
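Post 6's `iptables -L` shows the rules but not whether they ever fire; `iptables -L -n -v` adds per-rule packet counters and prints raw IPs instead of resolved hostnames. The script below is an added example (not from the thread) that reads such a listing, constructed here to mirror the rules in post 7, and flags DROP rules with zero hits, chains with policy ACCEPT, and OUTPUT rules that match on the remote address as source; 203.0.113.10 is a placeholder for the VPS's own address.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `iptables -L -n -v` listing before
# concluding that "iptables can't block it". Two things to look at:
#   1. the pkts counter of each DROP rule: 0 means the rule has never matched, so
#      the traffic you see in the log is not passing through that chain;
#   2. OUTPUT rules: locally generated packets carry this host's own address as
#      source, so an OUTPUT rule that matches on the remote address as *source*
#      (as several rules in post 7 do) can never fire; the remote address must
#      be the destination there.
# Assumption: the column layout of iptables 1.4.x with -n -v (constructed sample).

audit_listing() {
    # $1: this host's own address (placeholder in the demo). Reads the listing on
    # stdin and prints one finding per line: POLICY / HIT / NOHIT / NEVER.
    awk -v local="$1" '
        /^Chain / {
            chain = $2
            if ($0 ~ /policy ACCEPT/) printf "POLICY %s ACCEPT\n", chain
            next
        }
        # data rows with -n -v: pkts bytes target prot opt in out source destination [match]
        $3 == "DROP" {
            status = ($1 == 0) ? "NOHIT" : "HIT"
            if (chain == "OUTPUT" && $8 != "0.0.0.0/0" && $8 != local)
                status = "NEVER"
            printf "%s %s src=%s dst=%s pkts=%s\n", status, chain, $8, $9, $1
        }
    '
}

# Constructed listing modelled on the rules in post 7, as -n -v would print it
# (IPs instead of hostnames, counters visible). 203.0.113.10 stands in for the VPS.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 9123 packets, 1023K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       208.87.35.103        0.0.0.0/0            tcp dpt:25
   12   720 DROP       tcp  --  *      *       78.186.171.9         0.0.0.0/0            tcp dpt:25

Chain OUTPUT (policy ACCEPT 8001 packets, 900K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       208.87.35.103        0.0.0.0/0            tcp dpt:25
   37  2220 DROP       tcp  --  *      *       0.0.0.0/0            208.87.35.103        tcp dpt:25'

# On a live box: iptables -L -n -v | audit_listing <your-ip>
printf '%s\n' "$SAMPLE_LISTING" | audit_listing 203.0.113.10
```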

8. Are you using raw IPTABLES or some sort of frontend? Also are you running this firewall on the mail server or a box acting like a router/firewall? This firewall doesn't look good for any server that is connected to the internet.

9. Originally Posted by Lazydog
Are you using raw IPTABLES or some sort of frontend? Also are you running this firewall on the mail server or a box acting like a router/firewall? This firewall doesn't look good for any server that is connected to the internet.
I'm running it on a VPS.
Maybe those connection attempts were due to the Postfix queue; after I restarted the VPS
it was cleared and stopped trying to reach that IP.

I'm planning to install one or more additional firewalls to work with iptables.
Do you recommend any? Maybe arno, fiaif, shorewall, psad, fwsnort, firehol, apf-firewall, mxallowd, ferm, uruk?
Or is it not necessary for now?

Thanks!
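The guess in post 9 that the attempts came from the Postfix queue can be checked in the mail log itself: `postfix/smtpd` lines ("connect from") are peers connecting to your server, while `postfix/smtp` lines ("connect to") are your own queue trying to deliver to them, and a `status=deferred` line carries the queue id of the message that keeps retrying. The script below is an added example (not from the thread) that counts both directions per peer IP over a constructed log sample; the hostnames mx.example.net and vps are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tell inbound from outbound in the Postfix log.
#   postfix/smtpd  "connect from host[ip]"   = someone connecting TO your server
#   postfix/smtp   "connect to host[ip]:25"  = YOUR queue trying to deliver to them
# A "Network is unreachable" on a postfix/smtp line is the second case: an INPUT
# DROP cannot stop it, because the connection starts on your own box; the message
# sits in the queue and retries until it expires or is removed.
# Assumption: default syslog line format (constructed sample below).

classify_log() {
    # Reads log lines on stdin; prints INBOUND/OUTBOUND counts per peer IP and the
    # queue id of every deferred delivery, so it can be checked with postqueue -p
    # and, if it is the spam run, removed with postsuper -d <queue id>.
    awk '
        function peer_ip(s) {
            # keep only the IP in the brackets right after "connect from|to host"
            sub(/.*connect (from|to) [-A-Za-z0-9._]*\[/, "", s)
            sub(/].*/, "", s)
            return s
        }
        /postfix\/smtpd\[[0-9]+\]: connect from/ { inbound[peer_ip($0)]++ }
        /postfix\/smtp\[[0-9]+\]: connect to/    { outbound[peer_ip($0)]++ }
        /postfix\/smtp\[[0-9]+\]: .*status=deferred/ {
            id = $6; sub(/:$/, "", id)
            deferred[id] = peer_ip($0)
        }
        END {
            for (ip in inbound)  printf "INBOUND %s %d\n", ip, inbound[ip]
            for (ip in outbound) printf "OUTBOUND %s %d\n", ip, outbound[ip]
            for (id in deferred) printf "DEFERRED %s %s\n", id, deferred[id]
        }
    '
}

# Constructed sample: one inbound connection from the IP named in the thread, and
# the same IP being retried by the local queue (what the OP was seeing).
SAMPLE_LOG='Mar  3 10:01:12 vps postfix/smtpd[2101]: connect from 208-87-35-103.securehost.com[208.87.35.103]
Mar  3 10:01:13 vps postfix/smtpd[2101]: disconnect from 208-87-35-103.securehost.com[208.87.35.103]
Mar  3 10:02:40 vps postfix/smtp[2188]: connect to mx.example.net[208.87.35.103]:25: Network is unreachable
Mar  3 10:02:40 vps postfix/smtp[2188]: A1B2C3D4E5: to=<user@example.net>, relay=none, delay=3601, delays=3600/0.01/0.2/0, dsn=4.4.1, status=deferred (connect to mx.example.net[208.87.35.103]:25: Network is unreachable)
Mar  3 10:22:40 vps postfix/smtp[2305]: connect to mx.example.net[208.87.35.103]:25: Network is unreachable'

# On a live box: classify_log < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | classify_log
```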

10. While most of these are good I prefer CLI and IPTABLES.

11. Originally Posted by Lazydog
While most of these are good I prefer CLI and IPTABLES.
I totally agree w/ Lazydog. A front-end firewall is good to set up some standard rules (like let in port 80 and port 22), but then look at your iptables state and modify/append to the rules file that it created. A GUI usually does not have the fine-grained control that the iptables commands themselves grant you.
