Author Topic: Setting IPTABLES dan tanya cara mengetahui akun spammer (Read 18338 times)

redpages · « **on:** 2015-04-29, 11:28:42 »

Dear masta,

IP VPS saya kena blokir karena ada aktivitas pengiriman email melewati batas yang dijinkan. Untuk membukanya saya diminta untuk memblok port 25 lewat IPTABLES. Langkah yg diberikannya sebagai berikut:
Step 1: Add iptables rules to Drop port 25
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP

Step 2: Save iptables rules
service iptables save

----
Bagaimana cara menerapkan iptables diatas lewat kloxo MR? dan bagaimana cara mengetahui akun yang digunakan spammer?

Terima kasih atas pencerahannya

MRatWork · « **Reply #1 on:** 2015-04-29, 11:39:02 »

Informasikan hasil 'cat /var/log/maillog|grep PWD'. Jika terlalu besar, ikutkan dalam bentuk attachment saja.

redpages · « **Reply #2 on:** 2015-04-29, 17:31:52 »

Berikut attachnya.

saya ambil sebagian karena terlalu besar untuk disertakan.

MRatWork · « **Reply #3 on:** 2015-04-29, 17:54:48 »

Buat file '/var/qmail/control/badsendmailfrom' dengan isi '/home/zubairit/zubairitrainer.com'.

Atau jalankan saja:

Code: [Select]

echo '/home/zubairit/zubairitrainer.com' > /var/qmail/control/badsendmailfrom
sh /script/restart-mail -y

Amati setelah beberapa waktu maka mestinya jika ada yang kirim mail dari '/home/zubairit/zubairitrainer.com' maka akan ada laporan berupa:

Code: [Select]

Apr 28 07:51:42 server20 root: sendmail: CALLER="" PWD="/home/zubairit/zubairitrainer.com" BAN="yes"
dimana semula adalah:

Code: [Select]

Apr 28 07:51:42 server20 root: sendmail: CALLER="" PWD="/home/zubairit/zubairitrainer.com" BAN="no"

MRatWork · « **Reply #4 on:** 2015-04-29, 17:56:48 »

Oh ya, php type yang anda pakai bukan 'php-fpm_event' ya?.

redpages · « **Reply #5 on:** 2015-04-29, 18:03:46 »

info sysfo

--
[root@server20 ~]# sh /script/sysinfo

A. Kloxo-MR: 6.5.0.f-2014102601

B. OS: CentOS release 6.6 (Final) i686

C. Apps:
1. MySQL: mysql55-5.5.42-1.ius.el6.i686
2. PHP: php54-5.4.39-1.ius.el6.i686
3. Httpd: httpd-2.2.29-1.mr.el6.i386
4. Lighttpd: --uninstalled--
5. Nginx: nginx-1.7.11-1.el6.ngx.i386
6. Qmail: qmail-toaster-1.03-1.3.48.mr.el6.i386
- with: courier-imap-toaster-4.1.2-1.3.18.mr.el6.i386
7. Dns: djbdns-1.05-17.4.mr.el6.i386

D. Php-type (for Httpd/proxy): suphp
---

redpages · « **Reply #6 on:** 2015-04-29, 18:18:21 »

hasilnya sama, masih "NO". cuma kenapa yang tampil hanya merujuk ke akun "zubairit". Apakah ada sesuatu dengan akun tersebut.

---
Apr 29 03:24:42 server20 root: sendmail: CALLER="" PWD="/home/zubairit/zubairitr ainer.com" BAN="no"

MRatWork · « **Reply #7 on:** 2015-04-29, 23:06:51 »

Ada keanehan yang seharusnya 'PWD="/home/zubairit/zubairitrainer.com' tapi di anda ada spasi pada PWD itu. Juga, semestinya CALLER tidak blank. Akibatnya deteksi salah baca. Atau coba isi dengan '/home/zubairit' dan bukan '/home/zubairit/zubairitrainer.com'

redpages · « **Reply #8 on:** 2015-04-30, 00:47:00 »

koq tetap ya. padahal sudah saya restart service all.

--
Apr 29 20:09:00 server20 logger: sendmail: CALLER="" PWD="/home/zubairit/zubairitrainer.com" BAN="no"
--

MRatWork · « **Reply #9 on:** 2015-04-30, 00:52:26 »

Coba ganti suphp ke suphp_event/suphp_worker atau sekalian ke php-fpm_event.

redpages · « **Reply #10 on:** 2015-04-30, 01:10:27 »

sudah. tapi hasilnya tetap
Apr 29 20:09:00 server20 logger: sendmail: CALLER="" PWD="/home/zubairit/zubairitrainer.com" BAN="no"

-
D. Php-type (for Httpd/proxy): php-fpm_event
-

MRatWork · « **Reply #11 on:** 2015-04-30, 01:21:23 »

Infokan 'cat /var/qmail/control/badsendmailfrom; cat /var/qmail/bin/sendmail'

MRatWork · « **Reply #12 on:** 2015-04-30, 01:37:45 »

Ini contoh di server saya:

Code: [Select]

Apr 29 19:28:04 xl1 root: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php54s.ini ../bin/common/background.php /tmp/backgroundkDhj4v" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 29 19:28:04 xl1 send: new msg 124299333
Apr 29 19:28:04 xl1 send: info msg 124299333: bytes 522 from <root@xl1.mratwork.com> qp 2316 uid 0
Apr 29 19:28:04 xl1 send: starting delivery 1: msg 124299333 to remote mustafa@bigraf.com
Apr 29 19:28:04 xl1 send: status: local 0/10 remote 1/60
Apr 29 19:28:05 xl1 send: delivery 1: success: User_and_password_not_set,_continuing_without_authentication./<mustafa@bigraf.com>_74.125.20.26_accepted_message./Remote_host_said:_250_2.0.0_OK_1430350085_qw6si745649pab.54_-_gsmtp/
Apr 29 19:28:05 xl1 send: status: local 0/10 remote 0/60
Apr 29 19:28:05 xl1 send: end msg 124299333
Apr 29 19:31:31 xl1 authlib: INFO: stopping authdaemond children
Apr 29 19:31:31 xl1 send: status: exiting
Apr 29 19:31:33 xl1 authlib: INFO: modules="authvchkpw", daemons=15
Apr 29 19:31:33 xl1 authlib: INFO: Installing libauthvchkpw
Apr 29 19:31:33 xl1 pop3: tcpserver: status: 0/200
Apr 29 19:31:33 xl1 authlib: INFO: Installation complete: authvchkpw
Apr 29 19:31:33 xl1 send: status: local 0/10 remote 0/60
Apr 29 19:31:33 xl1 imap4-ssl: tcpserver: status: 0/40
Apr 29 19:31:33 xl1 pop3-ssl: tcpserver: status: 0/40
Apr 29 19:31:33 xl1 imap4: tcpserver: status: 0/40
Apr 29 19:31:33 xl1 submission: tcpserver: status: 0/100
Apr 29 19:31:33 xl1 smtp: tcpserver: status: 0/100
Apr 29 19:31:33 xl1 smtp-ssl: tcpserver: status: 0/100
Apr 29 19:32:17 xl1 smtp: tcpserver: status: 1/100
Apr 29 19:32:17 xl1 smtp: tcpserver: pid 2837 from 127.0.0.1
Apr 29 19:32:17 xl1 smtp: tcpserver: ok 2837 xl1.mratwork.com:127.0.0.1:25 :127.0.0.1::54347
Apr 29 19:32:17 xl1 smtp: 2837 < [EOF]
Apr 29 19:32:17 xl1 smtp: 2837 > 220 xl1.mratwork.com - Welcome to Qmail ESMTP? 
Apr 29 19:32:17 xl1 smtp: tcpserver: end 2837 status 0
Apr 29 19:32:17 xl1 smtp: tcpserver: status: 0/100
Apr 29 19:32:17 xl1 smtp: 2837 > [EOF]
Apr 29 19:32:27 xl1 authlib: INFO: stopping authdaemond children
Apr 29 19:32:27 xl1 send: status: exiting
Apr 29 19:32:29 xl1 send: status: local 0/10 remote 0/60
Apr 29 19:32:29 xl1 authlib: INFO: modules="authvchkpw", daemons=15
Apr 29 19:32:29 xl1 authlib: INFO: Installing libauthvchkpw
Apr 29 19:32:29 xl1 authlib: INFO: Installation complete: authvchkpw
Apr 29 19:32:29 xl1 pop3: tcpserver: status: 0/200
Apr 29 19:32:29 xl1 imap4-ssl: tcpserver: status: 0/40
Apr 29 19:32:29 xl1 pop3-ssl: tcpserver: status: 0/40
Apr 29 19:32:29 xl1 imap4: tcpserver: status: 0/40
Apr 29 19:32:29 xl1 smtp-ssl: tcpserver: status: 0/100
Apr 29 19:32:29 xl1 smtp: tcpserver: status: 0/100
Apr 29 19:32:29 xl1 submission: tcpserver: status: 0/100
Apr 29 19:33:31 xl1 root: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php54s.ini ../bin/common/background.php /tmp/backgroundAfGK2I" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="yes"

redpages · « **Reply #13 on:** 2015-04-30, 23:49:26 »

berikut

MRatWork · « **Reply #14 on:** 2015-05-01, 05:09:59 »

Yang zubairit sudah kena ban.

Author Topic: Setting IPTABLES dan tanya cara mengetahui akun spammer (Read 18338 times)

redpages

Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

redpages

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer

MRatWork

Re: Setting IPTABLES dan tanya cara mengetahui akun spammer