Block based on the "host" IP instead of the connection IP
Posted: 03 Dec 2012, 03:39
Not sure if the title describes what I mean, so I'll explain.
Lately we are receiving brute force attacks (SMTP) from different spoofed IP addresses, but they all have a "host" IP in common, for example:
2012-12-02 09:10:27 login authenticator failed for host100-107-static.224-95-b.business.telecomitalia.it ([192.168.2.33]) [95.224.107.100]: 535 Incorrect authentication data (set_id=scan)
2012-12-02 10:52:33 login authenticator failed for static-50-34-10-50.evrt.wa.frontiernet.net ([192.168.2.33]) [50.34.10.50]: 535 Incorrect authentication data (set_id=alexander)
2012-11-23 19:43:54 login authenticator failed for cpe-120-146-193-153.static.vic.bigpond.net.au ([192.168.2.33]) [120.146.193.153]: 535 Incorrect authentication data (set_id=rivera)
2012-11-24 02:51:28 login authenticator failed for ([192.168.2.33]) [95.61.84.31]: 535 Incorrect authentication data (set_id=harold)
2012-11-24 01:14:03 login authenticator failed for 75-151-109-166-washington.hfc.comcastbusiness.net ([192.168.2.33]) [75.151.109.166]: 535 Incorrect authentication data (set_id=william)
Checking our logs I see that the same computer 192.168.2.33 has been attacking us for about a month, and even though our server does block the spoofed IPs it would be great if we could add (even manually) to the firewall a rule to block anything coming from 192.168.2.33 (probably just a temporary block, but for a longer period than the regular temporary blocks).
I understand that there could be many users with that host IP and blocking it might create some complaints, but on the other hand it could help us find a virus-infected machine...
What do you think?
Ilan
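Added example (not part of the post): a small Python parser that reads lines in the shape shown above and groups the failed logins by the value in parentheses, so that a "many connecting addresses, one shared host value" pattern like the one described can be picked out of a log automatically rather than by eye. It assumes the lines are in Exim's log format, where the parenthesized field is the name or address literal the client sent in HELO/EHLO (a client-chosen string) and the bracketed field after it is the address the TCP connection actually came from. The first five sample lines are the post's own entries; the sixth is a constructed line with a different HELO value so the grouping has more than one bucket.

```python
import re
from collections import Counter

# Sample input: the five lines from the post plus one constructed line
# (different HELO value, documentation-range IP) so there are two buckets.
SAMPLE_LOG = """\
2012-12-02 09:10:27 login authenticator failed for host100-107-static.224-95-b.business.telecomitalia.it ([192.168.2.33]) [95.224.107.100]: 535 Incorrect authentication data (set_id=scan)
2012-12-02 10:52:33 login authenticator failed for static-50-34-10-50.evrt.wa.frontiernet.net ([192.168.2.33]) [50.34.10.50]: 535 Incorrect authentication data (set_id=alexander)
2012-11-23 19:43:54 login authenticator failed for cpe-120-146-193-153.static.vic.bigpond.net.au ([192.168.2.33]) [120.146.193.153]: 535 Incorrect authentication data (set_id=rivera)
2012-11-24 02:51:28 login authenticator failed for ([192.168.2.33]) [95.61.84.31]: 535 Incorrect authentication data (set_id=harold)
2012-11-24 01:14:03 login authenticator failed for 75-151-109-166-washington.hfc.comcastbusiness.net ([192.168.2.33]) [75.151.109.166]: 535 Incorrect authentication data (set_id=william)
2012-11-24 03:00:00 login authenticator failed for mail.example.net ([10.0.0.5]) [203.0.113.7]: 535 Incorrect authentication data (set_id=postmaster)
"""

# One "<auth> authenticator failed for" line.  Fields, left to right:
#   optional reverse-DNS name, "(HELO argument)", "[connecting IP]", SMTP code, set_id.
# Assumption: Exim layout, where the parenthesized value is client-supplied.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<rdns>[^\s(]\S*) )?"      # reverse-DNS name; absent on some lines
    r"\((?P<helo>[^)]*)\) "            # what the client said in HELO/EHLO
    r"\[(?P<ip>[^\]]+)\]: "            # address the TCP connection came from
    r"(?P<code>\d{3}) .*?\(set_id=(?P<user>[^)]*)\)$"
)


def parse_line(line):
    """Return the fields of one failed-auth line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["helo"] = rec["helo"].strip("[]")   # "[192.168.2.33]" -> "192.168.2.33"
    return rec


def summarize(log_text):
    """Group failures by HELO value (attempts, distinct connecting IPs, usernames)
    and count failures per connecting IP."""
    by_helo = {}
    by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        bucket = by_helo.setdefault(
            rec["helo"], {"attempts": 0, "connection_ips": set(), "users": set()}
        )
        bucket["attempts"] += 1
        bucket["connection_ips"].add(rec["ip"])
        bucket["users"].add(rec["user"])
        by_ip[rec["ip"]] += 1
    return {"by_helo": by_helo, "by_ip": by_ip}


def shared_helo_values(summary, min_distinct_ips=3):
    """HELO values seen from at least `min_distinct_ips` different connecting
    addresses, most widespread first: the pattern the post describes."""
    hits = [
        (helo, b) for helo, b in summary["by_helo"].items()
        if len(b["connection_ips"]) >= min_distinct_ips
    ]
    hits.sort(key=lambda hb: (-len(hb[1]["connection_ips"]), hb[0]))
    return [helo for helo, _ in hits]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for helo in shared_helo_values(s):
        b = s["by_helo"][helo]
        print(f"HELO {helo}: {b['attempts']} failures from "
              f"{len(b['connection_ips'])} addresses, {len(b['users'])} usernames tried")
```

Run against the sample, it reports one HELO value (192.168.2.33) seen from five different connecting addresses. Two points follow from the field layout: the HELO value is whatever the client chose to send, so it is evidence for grouping and reporting but not a server-observed identity; and 192.168.2.33 lies in RFC 1918 private space, so the packets reaching the server carry the public addresses in the bracketed field, which is what any firewall or rate-limit rule has to match on.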