ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

how to block this kind of attack

https://mail.forum.configserver.com/viewtopic.php?t=8847

Page 1 of 1

how to block this kind of attack

Posted: 21 Jul 2015, 15:01
by hostmach
Hello guys,

Recently one of my shared servers received several hits from 2 or 3 IP addresses, these hits increased server load average to a huge number, I will paste the output kernel messages I got at the console while under this attack, what csf option would help me prevent this kind of attack? (ports 585 and 1270 are not allowed under tcp in csf configuration option):

Jul 3 18:58:34 gilmour kernel: [87017.722237] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=1446 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:37 gilmour kernel: [87020.721475] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=1641 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:56 gilmour kernel: [87039.727261] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=2756 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 3 18:58:59 gilmour kernel: [87042.723871] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=189.45.204.218 DST=xxxxxxxxx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=2927 DF PROTO=TCP SPT=18330 DPT=1270 WINDOW=8192 RES=0x00 SYN URGP=0

Jul 10 09:52:00 gilmour kernel: [ 1108.768284] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=8333 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:02 gilmour kernel: [ 1110.770325] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=8337 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:17 gilmour kernel: [ 1125.734031] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=8347 DF PROTO=TCP SPT=41335 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 10 09:52:17 gilmour kernel: [ 1125.773136] Firewall: *TCP_IN Blocked* IN=bond1 OUT= MAC=xxxxxxxxxxxxxx SRC=179.222.134.125 DST=xxxxxxxxx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=8348 DF PROTO=TCP SPT=41336 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0

Re: how to block this kind of attack

Posted: 22 Jul 2015, 14:39
by Sergio
Secure IMAP (IMAP4-SSL) - port 585

Outlook or Apple Mail tries to connect to this port by default when configuring email. So, if you don't want to open that port just add it to the DROP_NOLOG option.

Microsoft Operations Manager 2000 - port 1270
As before, as the port is blocked in CSF add this port to the DROP_NOLOG option.

On the other hand, when posting try to hide the DST IP as that is the IP of your server.

Sergio

Re: how to block this kind of attack

Posted: 06 Dec 2015, 21:03
by nootkan
Sergio, how many ports can we add to the DROP_NOLOG option without affecting server performance?

Re: how to block this kind of attack

Posted: 14 Jun 2018, 22:10
by David Luiz
This is also a common problem for the Mac users. I suggest you use a proxy server. Use any VPN which hides your actual IP and shows a dummy or other residential IP. Apple Support USA might help further.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited