05-27-2003 11:00 AM - edited 02-20-2020 09:21 PM
Basically, I am getting attacked by a massive spammer. I have managed to deny him access to our email server, however, his repeated attempts to connect to the same server is filling our email log file. What I would like to do is set up a block for his specific IP address in our 2621 router. I have tried a couple of different combinations using access-list, but to no avail. Can anyone suggest something? Thanks!
Joe
05-27-2003 11:14 AM
Joe,
If you know the attack is coming from a particular ip address, you can create an extended access-list and deny that ip.
access-list 101 deny ip host attacker_ip_address host e-mail_server_ip
If the source ip address is random then you need to put a sniffer or take a look into the syslog to find out if there is any identifying pattern like a specific string. Then you can configure NBAR on the router to mark the packet and then drop the packets.
Here is a link that explains the procedure:
Thanks,
Mynul
05-27-2003 11:10 AM
Probably this query is in the wrong discussion group since there is nothing to do with firewalling in this. Anyway,
1. I am not sure whether this is the right way to do it since you will be blocking all traffic from that mail server. May not be important to you (your company).
2. Look at the MX entry for the mail-domain in question (nslookup-->set type =MX--> <
Hope this helps
Best regards / Sampath.
05-27-2003 11:27 AM
Thanks Mynul, that was exactly what I was looking for. I discovered my error after you typed it out, I had forgotten the "host" switch.
The spammer is coming from the domain "pretzelmail.com" and always from the same IP address. I know for sure there is no company needed data coming through :P Thanks for the lookout though, Sampath!
05-27-2003 12:55 PM
Oh man, it didn't work as he is still getting through. Two questions:
1. Do I need to apply the access-list to my adapter? Or is it automatically assigned?
2. Here is a snippet of my current access-lists. It's very small because I am just now learning to use them:
Extended IP access list 101
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (8 matches)
permit ip 192.168.0.0 0.0.255.255 any (455048 matches)
Extended IP access list 105
permit icmp any any echo-reply
permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
permit tcp any host 192.168.2.101 eq smtp
permit tcp any host xx.xxx.xxx.xx eq smtp
permit tcp any host 192.168.2.101 eq pop3
permit tcp any host xx.xxx.xxx.xx eq pop3
deny ip host 207.134.171.15 host 192.168.2.101
deny ip host 207.134.171.15 host xx.xx.xxx.xx
The last two lines are what I just added to block the spammer. Does the line to permit any tcp to my mail server using smtp override the all-out deny of that particular IP?
Thanks in advance
Joe
05-27-2003 01:01 PM
Joe,
With the above config in place, only smtp/pop3 are allowed to 192.168.2.101 and that is open for anyone, including the hacker. So, if the hacker is launching the attack on these two ports, then you need to move these two lines above your permit. I would rather put it on the top of the list. Yes, you are right, the permit tcp will override this provided that the attack is coming on smtp and/or pop3. Where is the extended acl applied?
Thanks,
Mynul
05-27-2003 01:22 PM
Ok, forgive me for being a noobie, heh, but I am just learning how to use this firewall stuff. Here is a copy of my entire config, with the private info blurred out. I changed the access-list for my two deny statements to 104 and assigned 104 to fastethernet0/0.10 inbound. Any input you can give me would be very much appreciated:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 debugging
enable secret
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
!
!
ip inspect name OUT ftp
ip inspect name OUT smtp
ip inspect name OUT tftp
ip inspect name OUT rcmd
ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT http
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 5
ip audit name TEST info action alarm
ip audit name TEST attack action alarm drop reset
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation isl 1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.2
encapsulation isl 2
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.3
encapsulation isl 3
ip address 192.168.3.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.4
encapsulation isl 4
ip address 192.168.4.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.5
encapsulation isl 5
ip address 192.168.5.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.6
encapsulation isl 6
ip address 192.168.6.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.7
encapsulation isl 7
ip address 192.168.7.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.8
encapsulation isl 8
ip address 192.168.8.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.9
encapsulation isl 9
ip address 192.168.9.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet0/0.10
description DSL to Internet
encapsulation isl 10
ip address xx.xxx.xxx.xx 255.255.255.248
ip access-group 104 in
no ip redirects
ip nat outside
ip inspect OUT out
ip audit TEST in
!
ip nat inside source list 101 interface FastEthernet0/0.10 overload
ip nat inside source static tcp 192.168.2.101 25 xx.xxx.xxx.xx 25 extendable
ip nat inside source static tcp 192.168.2.101 110 xx.xxx.xxx.xx 110 extendable
ip nat inside source static tcp 192.168.2.101 80 xx.xxx.xxx.xx 80 extendable
ip nat inside source static 192.168.2.5 xx.xxx.xxx.xx
ip nat inside source static 192.168.2.250 xx.xxx.xxx.xx
ip classless
ip route 0.0.0.0 0.0.0.0 63.224.231.70
no ip http server
!
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip host 207.134.171.15 host 192.168.2.101
access-list 104 deny ip host 207.134.171.15 host xx.xxx.xxx.xx
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
access-list 105 permit tcp any host 192.168.2.101 eq smtp
access-list 105 permit tcp any host xx.xxx.xxx.xx eq smtp
access-list 105 permit tcp any host 192.168.2.101 eq pop3
access-list 105 permit tcp any host xx.xxx.xxx.xx eq pop3
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password
login
!
end
05-27-2003 03:36 PM
Hi, execute the following lines on the router:
interface FastEthernet0/0.10
no ip access-group 104 in
no access-list 104
no access-list 105
access-list 105 deny ip host 207.134.171.15 host 192.168.2.101
access-list 105 deny ip host 207.134.171.15 host xx.xxx.xxx.xx
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
access-list 105 permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
access-list 105 permit tcp any host 192.168.2.101 eq smtp
access-list 105 permit tcp any host xx.xxx.xxx.xx eq smtp
access-list 105 permit tcp any host 192.168.2.101 eq pop3
access-list 105 permit tcp any host xx.xxx.xxx.xx eq pop3
interface FastEthernet0/0.10
ip access-group 105 in
Thanks,
Mynul
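The point Mynul makes twice above (the ACL is evaluated top-down and the first matching line wins, so a deny appended after a broader permit never fires) is easy to see with a small first-match evaluator. The following is an added example written for this thread, not configuration or code from the thread itself or from Cisco: it parses only the ACE syntax that appears in the posts (permit/deny, ip/tcp/udp/icmp, any / host / address+wildcard, optional eq port) and replays Joe's original ACL 105 next to Mynul's reordered one. The public addresses 203.0.113.8/29 and 203.0.113.10 are constructed stand-ins for the blurred xx.xxx.xxx.xx values; 207.134.171.15 and 192.168.2.101 are the addresses quoted in the thread.

```python
"""First-match evaluator for Cisco IOS extended numbered ACL lines.

Added illustration for the thread above; it is not IOS code and parses only
the ACE forms used in the posts. ICMP message types (echo-reply, traceroute,
packet-too-big) are accepted but not checked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # all-ones wildcard: every address matches


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]     # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]     # destination port from "eq <port>", else None
    text: str                # original line, kept for reporting


def _parse_addr(toks: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at toks[i]."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])),
            int(ipaddress.IPv4Address(toks[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one line such as 'access-list 105 permit tcp any host 1.2.3.4 eq smtp'."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]  # drop "access-list <number>"
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1], None)
        if dport is None:
            dport = int(toks[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; only the zero bits are compared.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching line); unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not _addr_match(ace.src, src) or not _addr_match(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny ip any any>"


# Constructed stand-ins for the blurred public addresses in the thread.
PUBLIC_NET = "203.0.113.8"       # the /29 behind "xx.xxx.xxx.xx 0.0.0.7"
PUBLIC = "203.0.113.10"          # the mail server's static NAT address
MAIL = "192.168.2.101"           # inside address quoted in the thread
SPAMMER = "207.134.171.15"       # source address quoted in the thread

# Joe's first attempt: the two deny lines appended after the permits.
ACL_BEFORE = [parse_ace(l) for l in [
    "permit icmp any any echo-reply",
    f"permit icmp any {PUBLIC_NET} 0.0.0.7 traceroute",
    f"permit icmp any {PUBLIC_NET} 0.0.0.7 packet-too-big",
    f"permit tcp any host {MAIL} eq smtp",
    f"permit tcp any host {PUBLIC} eq smtp",
    f"permit tcp any host {MAIL} eq pop3",
    f"permit tcp any host {PUBLIC} eq pop3",
    f"deny ip host {SPAMMER} host {MAIL}",
    f"deny ip host {SPAMMER} host {PUBLIC}",
]]
# Mynul's fix: the same lines with the two denies moved to the top.
ACL_AFTER = ACL_BEFORE[-2:] + ACL_BEFORE[:-2]


def spammer_smtp_result(acl: List[Ace]) -> str:
    """Action taken on the spammer's SMTP connection to the public address."""
    return evaluate(acl, SPAMMER, PUBLIC, "tcp", 25)[0]


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, evaluate(acl, SPAMMER, PUBLIC, "tcp", 25))
    print("other sender", evaluate(ACL_AFTER, "198.51.100.7", PUBLIC, "tcp", 25))
    print("udp/53", evaluate(ACL_AFTER, "198.51.100.7", PUBLIC, "udp", 53))
```

Running it shows the spammer's SMTP connection matching "permit tcp any host 203.0.113.10 eq smtp" in the original order and "deny ip host 207.134.171.15 host 203.0.113.10" once the denies are first, while other senders are still permitted and anything not listed falls to the implicit deny. One detail worth keeping in mind when reading Mynul's list: ACL 105 is applied inbound on the Internet sub-interface, and the lines referring to 192.168.2.101 are only useful if the packet's destination is already the inside address at the point where the ACL is checked; the lines naming the public address are the ones that match traffic arriving from the outside.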
05-28-2003 06:40 AM
That did it. Thanks!