Hello,
The last two days I noticed unusual traffic to my server. Can someone tell me what all these connections to 88.218.110.178 are? 88.218.110.178 is only set as an A record for ns1. How are SMTP connections possible? My IP addresses are:
88.218.110.178 - 179 for ns1 & ns2 nameservers
88.218.110.180 for mail server and mydomain
88.218.110.181 is a shared IP for some other domains
Thank you

Code:
[[email protected] ~]# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 2285/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2003/portmap
tcp 0 0 *:ndmp *:* LISTEN 13551/perl
tcp 0 0 *:hosts2-ns *:* LISTEN 2632/ispconfig_http
tcp 0 0 88.218.110.181:domain *:* LISTEN 21949/named
tcp 0 0 host1.vfxhost.gr:domain *:* LISTEN 21949/named
tcp 0 0 88.218.110.179:domain *:* LISTEN 21949/named
tcp 0 0 88.218.110.178:domain *:* LISTEN 21949/named
tcp 0 0 localhost.localdomai:domain *:* LISTEN 21949/named
tcp 0 0 *:squid *:* LISTEN 332/(squid)
tcp 0 0 *:smtp *:* LISTEN 32609/master
tcp 0 0 localhost.localdomain:rndc *:* LISTEN 21949/named
tcp 0 0 88.218.110.178:40928 mx1-1.vip.spray.net:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:35004 mx2-1.vip.spray.net:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:55854 12.102.252.75:smtp ESTABLISHED 1765/smtp
tcp 0 1 88.218.110.178:37728 webhosting.mminternet.:smtp SYN_SENT -
tcp 0 1 88.218.110.178:37317 136.sabela.pl:smtp SYN_SENT 1538/smtp
tcp 0 1 88.218.110.178:35058 smtp1.sandisk.com:smtp SYN_SENT 1492/smtp
tcp 0 1 88.218.110.178:35004 smtp1.sandisk.com:smtp SYN_SENT 1867/smtp
tcp 0 0 88.218.110.178:32817 63.137.9.204.srv.globa:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:34896 mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 1954/smtp
tcp 0 0 88.218.110.178:34889 mta-v9.mail.vip.mud.ya:smtp ESTABLISHED 852/smtp
tcp 0 0 88.218.110.178:45566 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45516 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45520 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45750 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45753 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45796 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 36 88.218.110.178:45800 mail-3.mminternet.com:smtp ESTABLISHED 1607/scache
tcp 0 0 88.218.110.178:45789 mail-3.mminternet.com:smtp ESTABLISHED 1500/smtp
tcp 0 0 88.218.110.178:45621 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45626 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45624 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45598 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45599 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45686 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45690 mail-3.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:45991 mail-3.mminternet.com:smtp ESTABLISHED 1759/smtp
tcp 0 0 88.218.110.178:46006 mail-3.mminternet.com:smtp ESTABLISHED 1539/smtp
tcp 0 0 88.218.110.178:45974 mail-3.mminternet.com:smtp ESTABLISHED 2007/smtp
tcp 0 0 88.218.110.178:45858 mail-3.mminternet.com:smtp ESTABLISHED 1545/smtp
tcp 0 0 88.218.110.178:45891 mail-3.mminternet.com:smtp ESTABLISHED 1494/smtp
tcp 0 1 88.218.110.178:53032 243.54.62.200.hosts.if:smtp SYN_SENT 1533/smtp
tcp 0 1 88.218.110.178:53018 243.54.62.200.hosts.if:smtp SYN_SENT 1501/smtp
tcp 0 0 88.218.110.178:33744 mta-v9.mail.vip.mud.ya:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:47537 mail.cccusa.net:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42737 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42743 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42745 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42727 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42729 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 35 88.218.110.178:42925 mail-1.mminternet.com:smtp ESTABLISHED 1521/smtp
tcp 0 0 88.218.110.178:42996 mail-1.mminternet.com:smtp ESTABLISHED 1518/smtp
tcp 0 0 88.218.110.178:42975 mail-1.mminternet.com:smtp ESTABLISHED 1866/smtp
tcp 0 0 88.218.110.178:42800 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:42868 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 34 88.218.110.178:42856 mail-1.mminternet.com:smtp ESTABLISHED 1515/smtp
tcp 0 0 88.218.110.178:42863 mail-1.mminternet.com:smtp ESTABLISHED 1467/smtp
tcp 0 0 88.218.110.178:42846 mail-1.mminternet.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:55800 194.158.121.25:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:43011 mail-1.mminternet.com:smtp ESTABLISHED 1536/smtp
tcp 0 0 88.218.110.178:43009 mail-1.mminternet.com:smtp ESTABLISHED 1468/smtp
tcp 0 0 88.218.110.178:42399 smtp-in.orange.fr:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:34524 indignant.cnc.net:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:34973 barracuda2.viawest.net:smtp TIME_WAIT -
tcp 0 0 host1.vfxhost.gr:hosts2-ns ppp34-141.adsl.forthn:64053 ESTABLISHED 2639/ispconfig_http
tcp 0 0 88.218.110.178:39752 mta-v2.mail.vip.re3.ya:smtp ESTABLISHED 1529/smtp
tcp 0 1 88.218.110.178:49753 venus.dreamam.com:smtp SYN_SENT 1519/smtp
tcp 0 0 88.218.110.178:43725 ftp.access-bank.com:smtp TIME_WAIT -
tcp 0 0 88.218.110.178:43949 ftp.access-bank.com:smtp TIME_WAIT -
tcp 0 1 88.218.110.178:51353 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51343 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51388 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51385 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51376 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51375 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51363 mail-2.mminternet.com:smtp SYN_SENT -
tcp 0 1 88.218.110.178:51295 mail-2.mminternet.com:smtp SYN_SENT 1762/smtp
tcp 0 1 88.218.110.178:51265 mail-2.mminternet.com:smtp SYN_SENT 1527/smtp
tcp 0 1 88.218.110.178:51250 mail-2.mminternet.com:smtp SYN_SENT 1610/smtp
tcp 0 1 88.218.110.178:51242 mail-2.mminternet.com:smtp SYN_SENT 1513/smtp
tcp 0 0 88.218.110.178:39845 mx3.earthlink.net:smtp ESTABLISHED -
. . .
tcp 0 0 *:imaps *:* LISTEN 2308/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2308/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2308/dovecot
tcp 0 0 *:imap *:* LISTEN 2308/dovecot
tcp 0 0 *:http *:* LISTEN 27621/httpd
tcp 0 0 *:ftp *:* LISTEN 18290/proftpd: (acc
tcp 0 0 *:ssh *:* LISTEN 2176/sshd
tcp 0 0 ::1:rndc *:* LISTEN 21949/named
tcp 0 0 *:https *:* LISTEN 27621/httpd
tcp 0 0 ::ffff:88.218.110.181:http livebot-65-54-188-13.:43408 TIME_WAIT -
tcp 0 888 host1.vfxhost.gr:ssh ppp34-141.adsl.forthn:64052 ESTABLISHED 2427/2
tcp 0 0 ::ffff:88.218.110.181:http livebot-65-54-188-13.:43598 TIME_WAIT -
Looks like somebody is trying to mail bomb you. If the sending IP address/domain is not delivering valid emails, I'd consider firewalling the *.mminternet.com addresses. It's now using your resources. mminternet.com is an (a)DSL provider and I guess they have a zombie botnet in their address space. You can consider contacting them.
I retrieved a rejected mail today. It says that my IP address 88.218.110.178 is blacklisted. How could this have happened? My mail server is not an open relay and I have done everything I know to protect it. Is this issue related to mminternet.com? This is my /etc/postfix/main.cf (for mail.v f x h o s t.gr). Can I do something more here to improve security?

Code:
smtpd_helo_required = yes
disable_vrfy_command = yes
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mailbox_command =
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
maximal_queue_lifetime = 2d
Please run

Code:
postconf -e 'mynetworks = 127.0.0.0/8'
/etc/init.d/postfix restart

to make sure that only localhost can send without authentication. Then check if your server is an open relay. If it isn't, contact the maintainer of the blacklist and ask to be removed.
Hello falko, I edited the configuration for mynetworks but the problem remains. Too many SMTP connections from different hosts. I checked the relay here: http://www.antispam-ufrj.pads.ufrj.br/cgi-bin/test-relay.cgi?host_to_test=88.218.110.180 Any good server security how-to? Thank you
This is a part of my logs. What is going on? I am not a spammer!! EDIT --- I had to shut down postfix until I solve the problem
Is it possible that one or more of your users have weak passwords that got cracked by spammers? I think it's a good idea to change all passwords. The test is ok.
I'm afraid changing all passwords is not possible. Is there any way to find which account is spamming? Looking at postfix users from webmin I found "shutdown, ftp, apache, daemon..." Is it possible that these accounts are being used by hackers? What is this?
Only by looking at the mail log. Please check if your server got hacked: http://www.howtoforge.com/faq/1_38_en.html
The sender (maybe a spammer) didn't specify a sender address. If you can't find a hint which account is used to send spam, I'm afraid the only solution is to change all passwords.
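Falko's answer above is that the abused account can only be found in the mail log. As an added example (not code from the thread or from Postfix), this Python script ties each queue ID from a Postfix smtpd line to its sasl_username and client address, adds the recipient count from the matching qmgr line, and flags accounts whose volume, null-sender use (from=<>, as in the rejected mail mentioned above) or number of submitting hosts is out of line; the log lines, thresholds and regexes for the Postfix 2.x log format are constructed assumptions.

```python
import re
from collections import defaultdict
# Postfix 2.x logs one smtpd line per accepted message (queue ID, client and,
# when authenticated, the SASL account) and one qmgr line (sender, nrcpt).
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^\s,]+)"
                      r"(?:, sasl_method=[^\s,]+)?(?:, sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
                     r"size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize(lines):
    """Per SASL account: messages, total recipients, null-sender (from=<>) messages and
    client addresses that logged in as it; unauthenticated submissions -> <unauthenticated>."""
    by_qid, stats = {}, defaultdict(lambda: {"msgs": 0, "rcpts": 0, "null_sender": 0, "clients": set()})
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            by_qid[m["qid"]] = (m["user"] or "<unauthenticated>", m["client"])
            continue
        m = QMGR_RE.search(line)
        if not m or m["qid"] not in by_qid:
            continue  # not a qmgr line, or a message smtpd did not accept
        user, client = by_qid[m["qid"]]
        s = stats[user]
        s["msgs"] += 1
        s["rcpts"] += int(m["nrcpt"])
        s["null_sender"] += int(m["sender"] == "")
        s["clients"].add(client)
    return dict(stats)

def flag_accounts(stats, max_msgs=50, max_rcpts=200, max_clients=3):
    """Accounts exceeding the (constructed) thresholds; tune them to your users' normal volume."""
    return sorted(u for u, s in stats.items() if s["msgs"] > max_msgs
                  or s["rcpts"] > max_rcpts or len(s["clients"]) > max_clients)

# Constructed sample log lines (RFC 5737 test addresses), not taken from the thread.
SAMPLE_LOG = """\
Jun 14 10:00:01 host1 postfix/smtpd[1501]: 3A1F2B5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun 14 10:00:01 host1 postfix/qmgr[2300]: 3A1F2B5: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jun 14 10:00:02 host1 postfix/smtpd[1502]: 3A1F2C6: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jun 14 10:00:02 host1 postfix/qmgr[2300]: 3A1F2C6: from=<>, size=2048, nrcpt=150 (queue active)
Jun 14 10:00:03 host1 postfix/smtpd[1503]: 3A1F2D7: client=unknown[198.51.100.99], sasl_method=PLAIN, sasl_username=bob@example.com
Jun 14 10:00:03 host1 postfix/qmgr[2300]: 3A1F2D7: from=<>, size=2048, nrcpt=120 (queue active)
Jun 14 10:00:04 host1 postfix/smtpd[1504]: 3A1F2E8: client=localhost[127.0.0.1]
Jun 14 10:00:04 host1 postfix/qmgr[2300]: 3A1F2E8: from=<root@host1.example>, size=400, nrcpt=1 (queue active)
"""
if __name__ == "__main__":  # on a real host: summarize(open("/var/log/maillog"))
    stats = summarize(SAMPLE_LOG.splitlines())
    for user in flag_accounts(stats):
        print(user, stats[user])
```

Once an account is flagged, its password can be changed and its queued mail removed without touching every other user's credentials.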