Help on Brute Force attacks

TestUser

Hi...
In the last couple of days I got A LOT of brute-force attacks on my server
From: 209.85.X.X
The thing is... they attack 1-3 times from the same IP... so it's hard to block an IP if there are only 1-3 attacks from the same IP
Any idea how I can manage this?

Can i maybe block 209.85.X.X
in my iptables???
How??
Is this smart??
 
This command will block IPs from several big vendors, including Softlayer, Google, etc. I would not do this.

iptables -A INPUT -s 209.85.0.0/16 -j DROP
You will have to add the rule to your firewall rules that load on boot too.

I, however, see more Google IPs accessing email accounts of customers. Some add their email accounts to a Google account, some do not, but this issue is spreading over multiple accounts. Does anyone else see this on your servers?
 
209.85.0.0/16 == 209.85.0.0 => 209.85.255.255
209.85.128.0/17 == 209.85.128.0 => 209.85.255.255

NetName: GOOGLE
NetHandle: NET-209-85-128-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
RegDate: 2006-01-13
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-209-85-128-0-1

It has nothing to do with Google, and who cares if it blocks SoftLayer. It's nothing but an abusive network anyway.
 
Are you sure it's not Google indexing your site(s)?
Jeff
 
No, it's not indexing. Here is a log from BFM

Mar 20 23:20:12 <mail-server-name> dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<customer-email-address>, method=PLAIN, rip=209.85.216.31, lip=<mail-server-ip>

And it's happening with multiple users on different servers.
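The Dovecot line quoted above is exactly what a small aggregator can consume. As an added example (not code from this thread or from BFM), the Python below parses auth-failed lines, sums attempts per /24 and per /16 so that 1-3 attempts per IP still stand out as one block, and lists which users were hit from the 209.85.128.0/17 allocation shown in the whois output. The sample log lines, hostnames and addresses are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the Dovecot login format quoted in the thread (not real logs).
SAMPLE_LOG = """\
Mar 20 23:20:12 mail1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.net>, method=PLAIN, rip=209.85.216.31, lip=198.51.100.10
Mar 20 23:21:40 mail1 dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob@example.net>, method=PLAIN, rip=209.85.216.48, lip=198.51.100.10
Mar 20 23:25:03 mail1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice@example.net>, method=PLAIN, rip=209.85.215.7, lip=198.51.100.10
Mar 20 23:26:11 mail1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol@example.net>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.10
Mar 20 23:27:00 mail1 dovecot: pop3-login: Login: user=<dave@example.net>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10
"""

# Matches only the "Disconnected (auth failed, N attempts ...)" variant; successful logins are ignored.
LINE_RE = re.compile(
    r"dovecot: (?P<svc>\w+)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts"
    r"[^)]*\): user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)

def parse_auth_failures(text):
    """Return one dict per auth-failed line with the remote IP, user and attempt count."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"svc": m["svc"], "user": m["user"],
                           "rip": ip_address(m["rip"]), "attempts": int(m["attempts"])})
    return events

def failures_by_network(events, prefixlen):
    """Sum failed attempts per network of the given prefix length (e.g. 24 or 16)."""
    totals = Counter()
    for ev in events:
        net = ip_network(f"{ev['rip']}/{prefixlen}", strict=False)
        totals[str(net)] += ev["attempts"]
    return totals

def users_hit_from(events, cidr):
    """Distinct usernames that saw failures from the given CIDR (e.g. the whois allocation)."""
    net = ip_network(cidr)
    return sorted({ev["user"] for ev in events if ev["rip"] in net})

if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOG)
    print(failures_by_network(evs, 24))   # per-/24 totals
    print(failures_by_network(evs, 16))   # per-/16 totals: the whole 209.85.0.0/16 adds up
    print(users_hit_from(evs, "209.85.128.0/17"))
```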
 
Is it always the same user (customer-email-address)? Does GMail offer a way to check for mail in other accounts from your GMail account? Have you asked the user(s) to find out if he/she/they are trying to check mail on your server from inside a GMail account (they could have simply typed in the wrong password)?

Otherwise it could be a new kind of DoS attack.

Once you've made sure it's not something your email user has done, then you can contact Google's abuse contact for the IP#s attacking you. They're required to have one, and maintain it, and respond to abuse reports, by ARIN.

And they do. From your server command line do a whois lookup on one of those IP#s (I did it on the rip [remote IP number] from your report above). Note you may need to install the whois package on your server, as most web-based whois systems don't know how to do whois lookups on IP#s, or you can use ARIN's whois lookup.
Code:
$ whois 209.85.216.31 | grep -i abuse
The response I got was:
Code:
OrgAbuseHandle: ZG39-ARIN
OrgAbuseName:   Google Inc
OrgAbusePhone:  +1-650-253-0000 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/ZG39-ARIN
Or of course go to the OrgAbuseRef page, which gives the same information.

Jeff
 
Well... if it's happening with one account, it's understandable. However, as said above, it's happening with multiple accounts, on different servers. Even in both of our data centers. I double-checked with some customers, and they don't add their email accounts to a Google account. They don't even know about Google accounts yet :)

Will try to contact Google Abuse. Just wondering if someone else sees the same issue.

Thanks.
 

We have the same issue here with multiple accounts. Some users configure their POP accounts in Gmail, but even if the POP account password was changed, Google tries to connect with the wrong username/password indefinitely, and BFD complains about Google IPs. Have you contacted the Google Abuse dept.? Any news?
 
No luck contacting Google. I tried to send several emails to their abuse address, and also to the NOC, but the automated replies said I would need to contact them through a contact form. No contact form link was included, though. Does anyone here know how to contact them?
 