Hi guys, I'm getting a lot of SMTP brute force attacks lately, and in my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this: What's the best way to block these attacks? Thanks
If you know the IP of the attacker, you might use this command: /sbin/route add -host 123.123.123.123 reject
Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks
I saw this post so I put up my notes. It's not a full howto, but it's close. I run ISPC on Centos 5.2. http://www.sonoracomm.com/support/18-support/228-fail2ban G
Thanks for that. It would have helped a couple weeks earlier, as I finally took the plunge and installed fail2ban. It's been working great since, as far as I can tell. It has only banned 2 people, but I haven't had many brute force attacks since I installed it. As far as I can tell it's stopped the only 2 I've got. This may also be because I've done some other stuff to secure the server too, like changing ports for SSH.
I'd suggest installing OSSEC and allowing it to handle the hosts.deny file and firewall, which means stuff like this will be automatically stopped.
I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well. I have 250 or more bans every day between the 3 servers! G
Blocking SMTP authentication brute force attacks using Fail2Ban http://theether.net/kb/100141 Cheers, Jamie.
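As an added illustration of what the fail2ban write-ups linked above actually do (this is example code written for this thread, not fail2ban's own code or anything from those pages): a failregex is applied to each mail log line, the source IP it captures is counted within a findtime window, and the IP is banned once maxretry failures accumulate. The log lines below are constructed in Postfix/SASL style; the line that reports `unknown[unknown]` has no IP to capture and is skipped, which is exactly why a log that omits the IP gives fail2ban nothing to ban.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd / SASL style (not taken from the thread).
SAMPLE_LOG = """\
Mar  5 10:00:01 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  5 10:00:03 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  5 10:00:04 mail postfix/smtpd[2202]: warning: host.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar  5 10:00:06 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  5 10:00:08 mail postfix/smtpd[2204]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Mar  5 10:00:09 mail postfix/smtpd[2205]: warning: unknown[unknown]: SASL LOGIN authentication failed: authentication failure
Mar  5 10:20:00 mail postfix/smtpd[2203]: warning: host.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
"""

# Equivalent of a fail2ban failregex: only lines carrying a dotted-quad client IP match.
FAILREGEX = re.compile(
    r"warning: \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
)


def parse_timestamp(line):
    # Syslog timestamps carry no year; only differences between times matter here.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs that would be banned, in the order the threshold is reached.

    maxretry and findtime mirror the fail2ban jail settings of the same names.
    """
    failures = defaultdict(list)  # host -> timestamps of recent failures
    banned = []
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue  # no IP captured: nothing fail2ban could act on
        host = match.group("host")
        if host in banned:
            continue
        now = parse_timestamp(line)
        # Keep only failures inside the findtime window, then add this one.
        recent = [t for t in failures[host] if now - t <= findtime]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))  # only 203.0.113.7 hits 3 failures within 10 minutes
```

With the defaults only 203.0.113.7 is banned; 198.51.100.9 fails twice but 20 minutes apart, so the first failure has aged out of the window by the time the second arrives.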
There seems to be something wrong with one of your network interfaces. Did you try to reboot the server?