I know I have a PC on my network that is spamming emails, as evidenced by a few blacklist sites. Also, Yahoo keeps rate limiting me. Though I do not see any evidence on the PCs I have running. I have a few PCs and a few Android devices. It is rather hard to turn one off at a time, and the end result is not easy to detect, thus it's hard to troubleshoot that way. So I want to intercept and use Linux to hunt it down. Everything goes out through my Ubuntu server, all traffic, but I'm not a security guru by any means.
I thought maybe I could use iptables like
iptables -A INPUT -p tcp -s 192.168.0.0/25 --dport 25 -j LOG --log-level debug
and tail -f /var/log/kern.log
and there I see a few messages once a second, but it looks like my FW is blocking them.
Other than that I only see this:

Code:
Nov 24 14:38:48 ubuntuspawn kernel: [6630908.886197] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=38447 DF PROTO=TCP SPT=41304 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
Nov 24 14:38:54 ubuntuspawn kernel: [6630915.201554] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=46.232.211.193 DST=[myIP] LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=24534 DF PROTO=TCP SPT=37905 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:39:11 ubuntuspawn kernel: [6630931.733367] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=38801 DF PROTO=TCP SPT=48692 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
Nov 24 14:39:15 ubuntuspawn kernel: [6630935.532012] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=172.98.68.19 DST=[myIP] LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=55084 DF PROTO=TCP SPT=55145 DPT=40945 WINDOW=64860 RES=0x00 SYN URGP=0
Nov 24 14:39:33 ubuntuspawn kernel: [6630953.568650] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=61.177.173.11 DST=[myIP] LEN=67 TOS=0x00 PREC=0x00 TTL=47 ID=1181 DF PROTO=TCP SPT=12671 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Nov 24 14:39:35 ubuntuspawn kernel: [6630956.301506] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=187.189.88.168 DST=[myIP] LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=17182 PROTO=UDP SPT=10700 DPT=40945 LEN=28
Nov 24 14:39:49 ubuntuspawn kernel: [6630969.761855] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=39389 DF PROTO=TCP SPT=7954 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
Nov 24 14:39:54 ubuntuspawn kernel: [6630975.263547] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=37.146.57.182 DST=[myIP] LEN=132 TOS=0x00 PREC=0x00 TTL=108 ID=52386 PROTO=UDP SPT=22879 DPT=40945 LEN=112
Nov 24 14:40:15 ubuntuspawn kernel: [6630996.279388] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.159.156.3 DST=[myIP] LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=61920 DF PROTO=TCP SPT=48280 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:40:32 ubuntuspawn kernel: [6631012.854881] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=31.13.65.36 DST=[myIP] LEN=40 TOS=0x0C PREC=0x60 TTL=87 ID=0 DF PROTO=TCP SPT=443 DPT=62644 WINDOW=0 RES=0x00 RST URGP=0
Nov 24 14:40:32 ubuntuspawn kernel: [6631012.854945] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=31.13.65.36 DST=[myIP] LEN=40 TOS=0x0C PREC=0x60 TTL=87 ID=0 DF PROTO=TCP SPT=443 DPT=62644 WINDOW=0 RES=0x00 RST URGP=0
Nov 24 14:40:38 ubuntuspawn kernel: [6631018.779255] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=95.192.81.202 DST=[myIP] LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=23544 DF PROTO=TCP SPT=61805 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:30:47 ubuntuspawn kernel: [6630427.637180] CIFS VFS: Free previous auth_key.response = 0000000048575e17
Is there a better way to go about this?
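The approach the post is reaching for, as an added example that is not part of the original post: on a Linux box that acts as the gateway, packets from the LAN PCs to the Internet traverse the FORWARD chain rather than INPUT, so that is where a LOG rule for outbound SMTP (25, 465, 587) belongs, and a `--log-prefix` makes the resulting kernel log lines easy to pull out and tally by source address. The script below assumes a hypothetical LAN of 192.168.0.0/24 and interface names `enp2s0`/`ppp0`; the iptables and tcpdump lines are shown as comments so the script runs offline, and the sample log is constructed to look like the `[UFW BLOCK]` lines quoted above (the spamming host 192.168.0.23 is invented).

```shell
#!/bin/sh
# Added example (not from the original post): find which LAN host is sending
# mail by logging outbound SMTP on the Linux gateway and tallying the log.
# Assumptions, all hypothetical: LAN is 192.168.0.0/24, the LAN side is
# enp2s0, the uplink is ppp0, and the box forwards the PCs' traffic (so their
# packets cross the FORWARD chain, not INPUT).

# 1) Rules a gateway operator would add. Commented out so this script runs
#    offline; the --log-prefix is what the tally below greps for.
#    iptables -I FORWARD -s 192.168.0.0/24 -p tcp -m multiport --dports 25,465,587 \
#        -j LOG --log-prefix "[SMTP-OUT] " --log-level info
#    Same traffic, live, without touching the ruleset:
#    tcpdump -ni enp2s0 'src net 192.168.0.0/24 and tcp and (dst port 25 or dst port 465 or dst port 587)'

# 2) smtp_top_talkers: read kernel log lines on stdin, print "count src dport",
#    busiest source first. Only lines carrying the [SMTP-OUT] prefix count, so
#    unrelated [UFW BLOCK] noise on the same log is ignored.
smtp_top_talkers() {
    grep -F '[SMTP-OUT]' \
      | sed -n 's/.*SRC=\([0-9.]*\) .* DPT=\([0-9]*\).*/\1 \2/p' \
      | sort | uniq -c | sort -rn
}

# top_sender: just the single busiest LAN source from a log fed on stdin.
top_sender() {
    smtp_top_talkers | awk 'NR==1 {print $2}'
}

# 3) Constructed sample log, shaped like the [UFW BLOCK] lines in the post.
#    192.168.0.23 is the hypothetical spam sender; 192.168.0.5 sends one
#    ordinary submission on 587. The [UFW BLOCK] line is there to be skipped.
SAMPLE_LOG='Nov 24 14:38:48 gw kernel: [SMTP-OUT] IN=enp2s0 OUT=ppp0 SRC=192.168.0.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50112 DPT=25 WINDOW=64240 SYN URGP=0
Nov 24 14:38:49 gw kernel: [SMTP-OUT] IN=enp2s0 OUT=ppp0 SRC=192.168.0.23 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=50113 DPT=25 WINDOW=64240 SYN URGP=0
Nov 24 14:38:49 gw kernel: [UFW BLOCK] IN=enp2s0 OUT= SRC=185.219.52.172 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=41304 DPT=5927 WINDOW=0 RST URGP=0
Nov 24 14:38:50 gw kernel: [SMTP-OUT] IN=enp2s0 OUT=ppp0 SRC=192.168.0.5 DST=203.0.113.12 LEN=60 PROTO=TCP SPT=41000 DPT=587 WINDOW=64240 SYN URGP=0
Nov 24 14:38:51 gw kernel: [SMTP-OUT] IN=enp2s0 OUT=ppp0 SRC=192.168.0.23 DST=203.0.113.13 LEN=60 PROTO=TCP SPT=50114 DPT=25 WINDOW=64240 SYN URGP=0'

# Usage: on the real gateway, feed the live kernel log instead of the sample:
#   journalctl -k -f | smtp_top_talkers      or      tail -f /var/log/kern.log | smtp_top_talkers
printf '%s\n' "$SAMPLE_LOG" | smtp_top_talkers
```

The rule logs only connection attempts the gateway forwards; if the server itself is the thing sending mail, the packets come from OUTPUT, not FORWARD, so a second LOG rule there (`iptables -I OUTPUT -p tcp --dport 25 -j LOG ...`) covers that case. Once the source address is known, `arp -n` or `ip neigh` on the gateway maps it to a MAC address, which identifies the physical device even if DHCP moves the IP later.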