----- Original Message -----
From: "User Ernie" <ernie (at mark) info.eis.net.au>
To: <coba-e (at mark) bluequartz.org>
Sent: Friday, January 18, 2008 1:59 PM
Subject: [coba-e:11740] POP3 DOS attack
> Over the last few days there have been several POP3 attacks on our
> BQ (Nuonce) mail servers whereby a huge number of POP3 connections are
> established; I presume it's a dictionary attack of some sort. The effects
> are serious: on 3 servers clients couldn't log in with POP3 any more even
> though Dovecot was responding when I telnet to port 110, they all got
> authentication errors, a reboot was required.
> Another machine ceased working altogether and had to be power-cycled. I
> assume it ran out of swap but it's hard to tell as the screen blanking had
> kicked in on the console.
>
> How can I protect the server against these POP3 attacks taking out POP
> logins?
>
> How can I turn off the screen blanking to enable console messages.
>
> - Ernie.
Ernie
I run this script every 5 minutes.
#!/usr/bin/perl
#################################################################
# checks the maillog for too many aborted logins and blocks that IP
#################################################################
use strict;
use warnings;

my $mailprog        = '/usr/sbin/sendmail';
my $sendto          = 'someemailaddress@precisionweb.net';  # alert address (placeholder)
my $donotblock      = '209.216.51';    # never block this prefix (our own network)
my $linestocheck    = 500;             # how far back in the maillog to look
my $badifmorethan   = 50;              # total aborted logins before we react at all
my $blockifmorethan = 30;              # aborted logins from one IP before it is blocked
my $serverdomain    = 'my server name here';

# Recent "Aborted login" lines, ignoring localhost and our own network.
# The whole pipeline has to stay on one line: a newline inside the
# backticks ends the shell command and breaks the pipe.
my @badiplist = `tail -n $linestocheck /var/log/maillog | grep "Aborted login" | grep -v "$donotblock" | grep -v "127.0.0.1"`;
my $count = scalar @badiplist;

exit 0 unless $count > $badifmorethan;
print "pop login problem \n";

# Count aborted logins per remote IP. Dovecot logs the client address as
# "rip=1.2.3.4" (and the server's own as "lip="), so pull it out with a
# regex instead of relying on the position of "=" and "," in the line.
my %badipcount;
foreach my $line (@badiplist) {
    if ($line =~ /\brip=(\d{1,3}(?:\.\d{1,3}){3})\b/) {
        $badipcount{$1}++;
    }
}

# The worst offender is the one we consider blocking.
my ($badip) = sort { $badipcount{$b} <=> $badipcount{$a} } keys %badipcount;
$badip = '' unless defined $badip;

if ( $badip ne '' and $badipcount{$badip} > $blockifmorethan and $badip !~ /^\Q$donotblock\E\./ ) {
    print "Conditions met\n";
    # list form of system(): the address is never handed to a shell
    system('/sbin/route', 'add', '-host', $badip, 'reject');
}

# Always mail the log excerpt so a human can check what was (or was not) done.
open(my $mail, '|-', $mailprog, '-t') or die "Can't open $mailprog!\n";
print $mail "From: $sendto\n";
print $mail "Reply-To: $sendto\n";
print $mail "To: $sendto\n";
print $mail "Subject: Too many aborted pop logins on $serverdomain\n\n";
print $mail "Error with $serverdomain\n";
print $mail "I will try to do this on the server using the lines below but please check it.\n";
print $mail "/sbin/route add -host $badip reject\n";
print $mail "The log entries are \n\n", @badiplist, "\n";
close($mail);
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
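Added example (editor's code, not part of Ken's post or of BlueQuartz/Dovecot): the same detection logic as the Perl script above, but tallying every remote IP in the log excerpt rather than only the one on the second matching line, and handling the cases the script glosses over. It skips Dovecot's "Aborted login (no auth attempts)" lines (a client that disconnected without sending a password, not a guess), matches the allow-list prefix on a dotted boundary, and validates the address before it is placed in a route command. The log lines are constructed samples in the Dovecot 1.x pop3-login format, the 209.216.51 prefix and the thresholds are assumptions carried over from the script, and the route command is only built, never executed.

```python
"""Tally Dovecot 'Aborted login' lines per remote IP and decide which
addresses have crossed the block threshold.

Added example, not code from the mailing-list post.  The log lines are
constructed samples in the Dovecot 1.x pop3-login format; the thresholds
and the 209.216.51 allow-list prefix are assumptions taken from the script
above, and the route command is only built here, never executed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (not captured traffic).
SAMPLE_LOG = """\
Jan 18 13:01:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan 18 13:01:03 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan 18 13:01:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan 18 13:01:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=209.216.51.77, lip=192.0.2.10
Jan 18 13:01:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=209.216.51.77, lip=192.0.2.10
Jan 18 13:01:06 mail dovecot: pop3-login: Aborted login (no auth attempts): rip=198.51.100.4, lip=192.0.2.10
Jan 18 13:01:07 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1
Jan 18 13:01:08 mail dovecot: pop3-login: Login: user=<erin>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
"""

# "rip=" is the remote (client) address and "lip=" the local one; the word
# boundary keeps "lip=" and anything like "strip=" from matching.
ABORTED_RE = re.compile(
    r"pop3-login: Aborted login \((?P<reason>[^)]*)\).*?\brip=(?P<rip>[0-9.]+)"
)


def tally_aborted_logins(lines, ignore_prefixes=()):
    """Return Counter{remote_ip: failed_login_count} over the given lines.

    Skips loopback, any address under an allow-listed prefix (matched on a
    dotted boundary, so "209.216.51" does not also cover 209.216.5x.x),
    'no auth attempts' disconnects, and anything that is not a valid IPv4.
    """
    counts = Counter()
    for line in lines:
        m = ABORTED_RE.search(line)
        if not m:
            continue
        if not m.group("reason").startswith("auth failed"):
            continue  # client hung up without sending a password
        rip = m.group("rip")
        try:
            ip = ipaddress.IPv4Address(rip)
        except ipaddress.AddressValueError:
            continue  # malformed; never let it near a shell or route table
        if ip.is_loopback:
            continue
        if any(rip == p or rip.startswith(p + ".") for p in ignore_prefixes):
            continue
        counts[rip] += 1
    return counts


def offenders(counts, threshold):
    """IPs with more than `threshold` failures, worst first."""
    return sorted(
        (ip for ip, n in counts.items() if n > threshold),
        key=lambda ip: (-counts[ip], ip),
    )


def block_command(ip):
    """argv for the reject route the script above adds (list form, no shell)."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything but a bare IPv4
    return ["/sbin/route", "add", "-host", ip, "reject"]


if __name__ == "__main__":
    counts = tally_aborted_logins(SAMPLE_LOG.splitlines(), ignore_prefixes=("209.216.51",))
    for ip in offenders(counts, threshold=2):
        print(counts[ip], "aborted logins from", ip, "->", " ".join(block_command(ip)))
```

Feeding it the real log is a matter of replacing SAMPLE_LOG with the output of the same tail pipeline the script uses and raising the threshold to the 30 the script applies; the per-IP tally also makes it visible when many hosts are each staying just under the threshold, which a single "worst offender" check cannot show.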