While reviewing logs on the email server I noticed 220.127.116.11 trying to authenticate via SASL.
This is not a normal IP that would be relaying email through the server, so I decided to block it at the firewall.
Undoubtedly, someone was trying to relay spam, whether they were aware or not.
First, I logged into my firewall via ssh to get a rule in place immediately:
iptables -I CHAIN -s 18.104.22.168 -j DROP
Listing the rules:
iptables -L --line-numbers
1    DROP       0    --  ppp-22.214.171.124.revip.proen.co.th  anywhere
This shows the new rule at the top of the chain, exactly where I need it.
I decided to start firewalling all my internal servers… Ok, what that really means is I decided to try it out on a junk box.
I went for the complete “nothing in, nothing out unless I expressly permitted it” approach. Below is what I came up with (with some help from the LUG).
# Setup variables
# Flush all chains
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
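A fuller version of that "nothing in, nothing out unless expressly permitted" approach, written here as an added example rather than the ruleset from the post. The management subnet in SSH_FROM, the choice of permitted services (SSH in; DNS and SMTP out, as a mail server would need) and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Default-deny iptables ruleset with
# explicit permits. Set IPT=echo to dry-run: the commands are printed, not applied.
IPT="${IPT:-/sbin/iptables}"
SSH_FROM="${SSH_FROM:-192.0.2.0/24}"   # assumed management network (constructed value)

default_deny() {
    # Flush all chains and remove user-defined ones
    "$IPT" -F
    "$IPT" -X
    # Default policies: nothing in, nothing out, nothing through
    "$IPT" --policy INPUT DROP
    "$IPT" --policy OUTPUT DROP
    "$IPT" --policy FORWARD DROP
    # Loopback traffic is always allowed
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were already permitted
    "$IPT" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicit permits: SSH from the management network, DNS and SMTP outbound
    "$IPT" -A INPUT  -p tcp -s "$SSH_FROM" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 25 -j ACCEPT
    # Rate-limited log of what INPUT drops, so probes like the SASL attempts show up
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP-IN: "
}

block_host() {
    # Insert a single-host DROP at the top of INPUT, as done for the SASL abuser
    "$IPT" -I INPUT -s "$1" -j DROP
}

# Usage: sh firewall.sh apply        (IPT=echo sh firewall.sh apply to dry-run)
case "${1:-}" in
    apply) default_deny ;;
esac
```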