Thousands of connections to port 25

Tonight a handful of IP addresses established almost 2500 connections to port 25 of the mail server. 2500 is the maximum limit; 50 or fewer simultaneous connections is normal. Once they had established the connection, they did nothing at all. The IP addresses belong to Facebook's outbound mail servers, but of course they could be forged. Has anyone had an experience like this? Is there a good way to prevent it from happening?

    "TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.135 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.137 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.163 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.137 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 69.171.232.166 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.138 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.144.150 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.157 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 69.171.232.142 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.152 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.147 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.139 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.159 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.959" "TCP - 66.220.144.166 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.975" "TCP - 66.220.144.155 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:19.990" "TCP - 69.171.232.163 connected to 12.186.192.3:25."
    "TCPIP" 3808 "2013-04-12 21:37:20.006" "TCP - 66.220.155.147 connected to 12.186.192.3:25."

Since you can tell who the servers belong to:

  1. Take a tcpdump showing the connection establishment and the initial exchange with your mail server
  2. Write to the abuse/technical contact of the organization that maintains those servers
  3. Limit incoming connections from the "troublesome" servers to a reasonable value, so that they cannot cripple your ability to receive other mail
  4. Break the "hanging" connections, for example by restarting the mail server
  5. Inform your users of the fact that mail sent from @facebook.com may arrive late or not at all as long as the problem is not resolved

It looks like your SMTP server is under some kind of denial-of-service attack; the source IPs are very likely forged, i.e. spoofed (I would do that if I were DoSing a server). The best strategy is to deploy IP filtering to block these addresses until the attack goes away.
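Added example, not from the question or either answer: a small Python script that parses the "TCPIP" connection-log format quoted in the question and reports which source /24 networks exceed a connection threshold within a sliding time window. That list is the input you need for both suggestions above, the per-source connection limit in the first answer and the filtering rule in the second. The sample log is constructed in the question's format from addresses that appear on the page plus one documentation-range address; the 60-second window, the threshold of 3 and the /24 grouping are assumptions to tune for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches one line of the "TCPIP" log format quoted in the question.
LINE_RE = re.compile(
    r'^"TCPIP" \d+ "(?P<ts>[^"]+)" '
    r'"TCP - (?P<src>[\d.]+) connected to (?P<dst>[\d.]+):(?P<port>\d+)\."$'
)

# Constructed sample: five entries copied from the question plus one unrelated
# address (documentation range) eight minutes later that must not be flagged.
SAMPLE_LOG = """\
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.135 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.137 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.163 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:20.006" "TCP - 66.220.155.147 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:45:01.000" "TCP - 198.51.100.7 connected to 12.186.192.3:25."
"""

def parse_log(text):
    """Return (timestamp, source address, destination port) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in other formats (SMTP dialogue, errors) are ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, ip_address(m["src"]), int(m["port"])))
    return events

def connection_bursts(events, window=timedelta(seconds=60), threshold=3, prefix=24, port=25):
    """Peak number of connections to `port` from each source /prefix inside any
    sliding `window`; returns {network: peak} for networks reaching `threshold`.
    Grouping by /24 catches a sender that rotates through a block of addresses."""
    recent = defaultdict(deque)   # network -> timestamps inside the current window
    peaks = {}
    for ts, src, dport in sorted(events, key=lambda e: e[0]):
        if dport != port:
            continue
        net = ip_network(f"{src}/{prefix}", strict=False)
        q = recent[net]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(net, 0):
            peaks[net] = len(q)
    return peaks
```

Run it over the real log instead of SAMPLE_LOG and the returned networks are the candidates for a per-source connection limit or a temporary filter rule.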