blackcapsteve
New Pleskian
Hi
After a serious breach in a customer's email, I started to analyze just who was trying to send emails through my system. The mail log is very complex, and I am a programmer on Windows, so I started to download the log and analyze it inside a database.
The results were startling. Day one: 34,000 attempts to send emails via my server.
I started to analyze the IP addresses and also used a database to pinpoint the countries.
Using my firewall I started to block individual IPs who rose to the top of my offenders list. It seems that the robots are clever. There are multiple single attempts from individual IPs (so as not to wake up Fail2ban, which I haven't installed).
I have started to become more brave by knocking out whole sections of the Internet.
I have been running my analysis for 22 days now and 192.0.0.0/8 has hit me 58,783 times. I shut it down days ago, but yesterday, after adding another range, I got distracted straight after the 'Updating changes' screen and left it an hour before I pressed 'Activate'. In that time 400 hits from 192 came through.
Advice? Sit and wait!
I wonder: if I also add the banned records to my iptables, are they in place whilst my firewall is down?
I can find nobody who can help me understand how to add records to my firewall en masse (as I have been laboriously cutting and pasting), but I can write a batch file for iptables from the scan results.
Any help appreciated.
regards
Steve
P.S. How am I doing? Hit rate hovers around 350 to 900 per day, but I am able to snuff out the new IPs as they arrive, and haven't finished with the range work yet.
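One way to turn the scan results into a re-runnable iptables batch, as an added example (not from the original post or from Plesk): it reads one address or CIDR per line, validates and deduplicates the entries, and loads them into a single ipset referenced by one iptables rule instead of one rule per address. The set name mail_offenders, the input file format, and the SMTP port list are assumptions.

```shell
#!/bin/sh
# Build an ipset/iptables batch from a list of offending networks.
# Assumed input: one IPv4 address or a.b.c.d/nn per line (e.g. exported
# from the analysis database); '#' comments and blank lines are ignored.
# Output: commands to review, then run as root on the mail server.

SET_NAME="mail_offenders"   # assumed ipset name

# valid_cidr ENTRY: accept a.b.c.d or a.b.c.d/nn, octets 0-255, prefix 0-32
valid_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.
    set -- $addr                               # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules FILE: emit set creation, one 'ipset add' per unique valid
# entry, and a single DROP rule on the SMTP ports that matches the set.
# Every command is idempotent (-exist / -C) so the batch can be re-run.
gen_rules() {
    echo "ipset create $SET_NAME hash:net -exist"
    sed 's/#.*//; s/[[:space:]]//g' "$1" | grep -v '^$' | sort -u |
    while IFS= read -r net; do
        if valid_cidr "$net"; then
            echo "ipset add $SET_NAME $net -exist"
        else
            echo "# skipped invalid entry: $net" >&2
        fi
    done
    # Insert at position 1 so the drop is evaluated before existing accepts.
    echo "iptables -C INPUT -p tcp -m multiport --dports 25,465,587 -m set --match-set $SET_NAME src -j DROP 2>/dev/null || iptables -I INPUT 1 -p tcp -m multiport --dports 25,465,587 -m set --match-set $SET_NAME src -j DROP"
}

# Usage: gen_rules offenders.txt > block.sh && sh block.sh  (as root)
```

Rules loaded directly with iptables take effect immediately and do not depend on the panel's 'Activate' step, but a later apply from the Plesk firewall may rewrite the chains, so keep the generated batch where it can be re-run.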