Not sure if the title describes what I mean, so I'll explain.
Lately we are receiving brute force attacks (SMTP) from different spoofed IP addresses, but they all have in common "host" IP, for example:
2012-12-02 09:10:27 login authenticator failed for host100-107-static. 224-95-b. business. telecomitalia. it ([192.168.2.33]) [95.224.107.100]: 535 Incorrect authentication data (set_id=scan)
2012-12-02 10:52:33 login authenticator failed for static-50-34-10-50. evrt. wa. frontiernet. net ([192.168.2.33]) [50.34.10.50]: 535 Incorrect authentication data (set_id=alexander)
2012-11-23 19:43:54 login authenticator failed for cpe-120-146-193-153. static. vic. bigpond. net. au ([192.168.2.33]) [120.146.193.153]: 535 Incorrect authentication data (set_id=rivera)
2012-11-24 02:51:28 login authenticator failed for ([192.168.2.33]) [95.61.84.31]: 535 Incorrect authentication data (set_id=harold)
2012-11-24 01:14:03 login authenticator failed for 75-151-109-166-washington. hfc. comcastbusiness. net ([192.168.2.33]) [75.151.109.166]: 535 Incorrect authentication data (set_id=william)
Checking our logs I see that the same computer 192.168.2.33 has been attacking us for about a month, and even though our server does block the spoofed IPs it would be great if we could add (even manually) to the firewall a rule to block anything coming from 192.168.2.33 (probably just a temporary block, but for a longer period than the regular temporary blocks).
I understand that there could be many users with that host IP and blocking it might create some complaints, but on the other hand it could help us find a virus infected machine...
What do you think?
Ilan
Block based on the "host" IP instead of the connection IP
Re: Block based on the "host" IP instead of the connection I
Hey Ilan
adding to this, I to am having a similar prob our logs and email are being filled with hundreds of errors a day and is permanently blocking valid connection ip addresses which I manually remove. I have been manually blocking the host ip's and am wondering what else I can do to have the host ip blocked instead of the connection ip automatically
2012-12-07 10:50:56 SMTP connection from ([10.194.151.188]) [1.135.4.158]:57418 lost
2012-12-07 10:50:59 dovecot_plain authenticator failed for ([10.194.151.188]) [1.135.4.158]:57419: 535 Incorrect authentication data (set_id=.......)
adding to this, I to am having a similar prob our logs and email are being filled with hundreds of errors a day and is permanently blocking valid connection ip addresses which I manually remove. I have been manually blocking the host ip's and am wondering what else I can do to have the host ip blocked instead of the connection ip automatically
2012-12-07 10:50:56 SMTP connection from ([10.194.151.188]) [1.135.4.158]:57418 lost
2012-12-07 10:50:59 dovecot_plain authenticator failed for ([10.194.151.188]) [1.135.4.158]:57419: 535 Incorrect authentication data (set_id=.......)