----- Original Message -----
From: "Abdul-Rashid Abdullah" <webmaster (at mark) muntada.com>
To: "coba-e (at mark) bluequartz.org" <coba-e (at mark) bluequartz.org>
Sent: Monday, September 29, 2008 8:58 AM
Subject: [coba-e:14109] Re: Dovecot Attack
> Let me also provide a little bit more information. I added the IP also to
> the hosts.deny file. That didn't change anything.
>
> I tried to do an iptables restart but it basically hung up the system.
>
> I have a ton of IPs in the hosts file, presumably from denyHosts.
>
>
> On 9/29/08 11:50 AM, "MuntadaNet Webmaster" <webmaster (at mark) muntada.com> wrote:
>
>> I have an offending IP who is attacking dovecot. The log looks like
>> this:
>>
>> Sep 29 11:48:40 huda dovecot: pop3-login: Aborted login (1
>> authentication attempts): user=<eddie>, method=PLAIN,
>> rip=65.69.251.9, lip=216.14.86.227
>>
>> The user keeps changing as it cycles through.
>>
>> Now, I have run the following command:
>>
>> iptables -A INPUT -s 65.69.251.9 -j DROP
>>
>> However, it still keeps occurring.
>>
>> I am running denyHosts and I run the dfix.sh script.
>>
>> What am I doing wrong and what else do I need to do?
>>
>> After a while, no one can check their email as it destroys dovecot.
>>
>> -Rashid
>>
>
>
>>I have a ton of IPs in the hosts file
I would clear out the old IPs in your hosts file. Many of them are
dynamic anyway and do not need to be blocked long term.
For blocking the offending IP, an alternative is
/sbin/route add -host 65.69.251.9 reject
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
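
An added example, not part of the original thread: a small parser for the dovecot "Aborted login" line quoted above that counts failed attempts and distinct usernames per remote IP, so a source cycling through users stands out before it is blocked. The first sample line is the one from the thread (unwrapped); the other lines, the 192.0.2.x addresses and the `min_users` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Field layout taken from the log line quoted in the thread.
LINE_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login "
    r"\((\d+) authentication attempts\): "
    r"user=<([^>]*)>,\s*method=(\w+),\s*rip=([0-9A-Fa-f.:]+),\s*lip=([0-9A-Fa-f.:]+)"
)

# Constructed sample log; only the first line comes from the thread.
SAMPLE_LOG = """\
Sep 29 11:48:40 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<eddie>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:48:42 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edward>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:48:45 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edwin>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:49:10 huda dovecot: pop3-login: Aborted login (2 authentication attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=216.14.86.227
Sep 29 11:49:30 huda dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=216.14.86.227
""".splitlines()


def summarize(lines):
    """Return {rip: {"attempts": int, "users": set}} for aborted logins only."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        attempts, user, _method, rip, _lip = m.groups()
        stats[rip]["attempts"] += int(attempts)
        stats[rip]["users"].add(user)
    return dict(stats)


def suspects(lines, min_users=3):
    """Remote IPs that failed logins for at least min_users distinct usernames."""
    return sorted(
        rip for rip, s in summarize(lines).items() if len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    for rip in suspects(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[rip]
        print(f"{rip}: {s['attempts']} failed attempts, {len(s['users'])} users")
```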