What to do when you end up on the CBL
One day I got a report that my server's IP address had been added to the CBL (Composite Blocking List).
This list is mostly used by mail servers to reject connections and mail from spamming IPs. In my case the cause was a worm that runs its own mail engine and mails copies of itself to others. One of the NAT'ed clients behind the server had caught it, so I needed to block that activity: I blocked outgoing TCP port 25 from the internal network for everything except the real mail server. Here is how it is done in iptables:
# Traffic from NAT'ed LAN clients is forwarded by this box, so it passes the FORWARD chain (not OUTPUT, which only sees locally generated packets), and the outgoing interface is matched with -o, not -i
/sbin/iptables -A FORWARD -p tcp -o $ETH_OUT --dport 25 ! -s $SMTP_SERVER -j LOG --log-prefix "SMTP-OUT-BLOCK: "
/sbin/iptables -A FORWARD -p tcp -o $ETH_OUT --dport 25 ! -s $SMTP_SERVER -j DROP
Here $SMTP_SERVER is the address of the internal SMTP server and $ETH_OUT is the interface facing the Internet (the one connected to the DSL modem, and so on).
The first line logs every blocked attempt, which makes it easy to trace which IP in the internal LAN is infected.
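To actually make use of those log entries, here is a small script, added as an example and not part of the original post, that pulls the internal source addresses out of the kernel log and ranks them by number of blocked SMTP attempts. It assumes the LOG rule was given the prefix "SMTP-OUT-BLOCK: "; the sample log lines and addresses below are constructed.

```shell
#!/bin/sh
# Constructed sample of syslog lines as the kernel writes them for the LOG rule
# (assumed prefix "SMTP-OUT-BLOCK: "; hosts and addresses are made up).
# One unrelated sshd line is included to show that it is ignored.
SAMPLE_LOG='Mar  3 10:01:12 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40211 DPT=25 SYN
Mar  3 10:01:12 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40212 DPT=25 SYN
Mar  3 10:01:13 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.22 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Mar  3 10:01:14 gw sshd[1234]: Accepted publickey for admin from 192.168.1.10
Mar  3 10:01:15 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=40213 DPT=25 SYN'

# Reads syslog/kern.log lines on stdin and prints "<internal ip> <count>",
# one line per LAN host, busiest host first.
count_smtp_sources() {
    grep 'SMTP-OUT-BLOCK:' |            # keep only lines from our LOG rule
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |   # extract the SRC= address
    sort | uniq -c | sort -rn |         # count per address, largest first
    awk '{ print $2, $1 }'              # "ip count" instead of "count ip"
}

# The single LAN host with the most blocked attempts: the one to go and clean.
top_smtp_source() {
    count_smtp_sources | head -n 1 | awk '{ print $1 }'
}

# Stand-alone run over the constructed sample; in real use feed it the log:
#   grep 'SMTP-OUT-BLOCK:' /var/log/kern.log | count_smtp_sources
printf '%s\n' "$SAMPLE_LOG" | count_smtp_sources
```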