Today we found that the Qmail mail system's maillog contained a large number of "user not found" entries. As the log entries show, these are failed authentication attempts against the Qmail system for many different user names, all coming from the same IP address. Attackers use this method to brute-force Qmail user names and passwords so that they can send large volumes of spam and virus emails.
The large number of concurrent connections degrades the performance of the Qmail system; in severe cases normal mail can no longer be sent or received because SMTP connections time out. You can use Linux iptables to block these IP addresses. The following is my iptables script; if you find any errors, please correct them.
The logic of the script is roughly this: analyse the system maillog and count the failures, extract the attackers' IP addresses, and compare them against the iptables script (iptables.sh); if an IP address is not already in iptables.sh, append a DROP rule for it to iptables.sh, then send an email to the system administrator and reload iptables.sh.
Run the script manually.
[root@mail sh]# sh add_badip_iptables.sh
The attacking IP address information was added to the badip.txt file.
Check the system administrator's mailbox: the alert email has been received.
At the same time, the iptables.sh script file now contains the newly added DROP rule.
Next, use iptables -L to confirm that these IP addresses have been added to the Linux iptables firewall policy with a DROP target.
Finally, add a crontab entry so that the script runs automatically every 10 minutes.
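The following is an added example, not the author's add_badip_iptables.sh (which is not reproduced on the page). It reconstructs the procedure described above as a POSIX shell script: count "user not found" lines per source IP in the maillog, compare the offenders with the DROP rules already in iptables.sh, append a rule for each missing IP, and then mail the administrator and reload the rules. The log line format, the file paths, the threshold of five failures, the administrator address and the cron script path are all assumptions; the sample maillog and rules file are constructed inline, and the mail and reload steps only act when APPLY=1 and the tools are present, so the script can be run on a workstation as a dry run.

```shell
#!/bin/sh
# Added example (not the author's add_badip_iptables.sh): the workflow the post
# describes, run on constructed data. File locations, the log line format, the
# failure threshold and the admin address are assumptions.

LOG_FILE="${LOG_FILE:-/var/log/maillog}"        # assumed path of the qmail maillog
RULES_FILE="${RULES_FILE:-/etc/iptables.sh}"    # assumed path of the post's iptables.sh
THRESHOLD="${THRESHOLD:-5}"                      # assumed: failures from one IP before blocking
ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}"      # placeholder administrator address
APPLY="${APPLY:-0}"                              # 1 = really send mail and reload the rules

# Print (sorted, one per line) every IP that produced at least $2 "user not found"
# lines in log file $1. The IP is taken from the end of the line, which is where
# vchkpw-style "user not found user@domain:IP" entries put it (assumed format).
extract_bad_ips() {
    grep 'user not found' "$1" |
    awk -v min="$2" '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            hits[substr($0, RSTART, RLENGTH)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }' |
    sort
}

# Succeed if IP $1 already has a DROP rule in rules file $2. Fixed-string match;
# the " -j" that follows the address keeps 203.0.113.5 from matching 203.0.113.50.
already_blocked() {
    grep -qF -- "-s $1 -j DROP" "$2" 2>/dev/null
}

# Append a DROP rule for IP $1 to rules file $2.
add_drop_rule() {
    printf 'iptables -A INPUT -s %s -j DROP\n' "$1" >> "$2"
}

# Compare the attacking IPs in log $1 against rules file $2 and append a rule for
# each one that is missing. Prints the IPs that were newly added (idempotent:
# a second run on the same input prints nothing).
block_new_ips() {
    extract_bad_ips "$1" "$THRESHOLD" | while read -r ip; do
        if ! already_blocked "$ip" "$2"; then
            add_drop_rule "$ip" "$2"
            echo "$ip"
        fi
    done
}

# Notify the administrator about the IPs in $1 and reload rules file $2.
# Only acts when APPLY=1 and the tools exist.
notify_and_reload() {
    [ -n "$1" ] || return 0
    [ "$APPLY" = "1" ] || return 0
    if command -v mail >/dev/null 2>&1; then
        printf 'New DROP rules added for:\n%s\n' "$1" |
            mail -s "qmail brute-force IPs blocked" "$ADMIN_MAIL"
    fi
    if command -v iptables >/dev/null 2>&1; then
        sh "$2"
    fi
}

# --- demonstration on constructed data ---------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOG="$WORK/maillog"
SAMPLE_RULES="$WORK/iptables.sh"

# Constructed maillog: 203.0.113.5 fails 6 times, 192.0.2.9 fails 5 times,
# 198.51.100.7 only twice (below threshold), plus one unrelated delivery line.
{
    i=0; while [ $i -lt 6 ]; do
        echo "Apr 10 09:1$i:02 mail vpopmail[2101]: vchkpw-smtp: vpopmail user not found test0$i@:203.0.113.5"
        i=$((i + 1))
    done
    i=0; while [ $i -lt 5 ]; do
        echo "Apr 10 09:2$i:14 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found sales@:192.0.2.9"
        i=$((i + 1))
    done
    echo "Apr 10 09:30:01 mail vpopmail[2103]: vchkpw-smtp: vpopmail user not found admin@:198.51.100.7"
    echo "Apr 10 09:30:05 mail vpopmail[2103]: vchkpw-smtp: vpopmail user not found root@:198.51.100.7"
    echo "Apr 10 09:31:00 mail qmail: 1712740260.123 delivery 12: success: did_0+0+1/"
} > "$SAMPLE_LOG"

# Constructed iptables.sh in which 192.0.2.9 is already blocked.
printf 'iptables -F\niptables -A INPUT -s 192.0.2.9 -j DROP\n' > "$SAMPLE_RULES"

NEWLY_BLOCKED=$(block_new_ips "$SAMPLE_LOG" "$SAMPLE_RULES")
echo "newly blocked: $NEWLY_BLOCKED"
notify_and_reload "$NEWLY_BLOCKED" "$SAMPLE_RULES"

# Cron entry the post mentions (assumed script path), run every 10 minutes:
# */10 * * * * /usr/local/sbin/add_badip_iptables.sh
```

Run as-is it performs a dry run on the constructed data and reports 203.0.113.5 as the only newly blocked address (192.0.2.9 is already present, 198.51.100.7 is below the threshold). On a real server set LOG_FILE, RULES_FILE and APPLY=1 and schedule it from cron; matching on the fixed string "-s IP -j DROP" is what keeps repeated cron runs from appending duplicate rules.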
Conclusion: we recommend taking such preventive measures on all email systems. In addition, mail operations staff should avoid easily guessed user names such as test, sales or test01 when creating mailboxes, since attackers try these first. At the same time, mailbox passwords should combine uppercase letters, lowercase letters, digits and special characters.
Reprinted from: Simple Dream Chaser blog