Date:  Thu, 27 Nov 2008 14:43:36 +1000 (EST)
From:  User Ernie <ernie (at mark) info.eis.net.au>
Subject:  [coba-e:14394] Re: Dovecot/POP3 Flood
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200811270443.mAR4hamT006233 (at mark) info.eis.net.au>
In-Reply-To:  <000701c94f30$3fb99040$bf2cb0c0$@com>
X-Mail-Count: 14394

It creates several files in /tmp starting with badip.*

You should see the blocked addresses listed in those files.

- Ernie.



> 
> Hello.
> How can we test that this script "dfix.sh" file is working? I looked into
> cronlog and it shows
> "Nov 25 18:52:01 ns3 crond[14991]: (root) CMD (run-parts
> /etc/cron.minutely)". Can we confirm that it is doing the job?
> 
> Kind regards
> Tunc
> 
> -----Original Message-----
> From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com] 
> Sent: 25 November 2008 17:50
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:14382] Re: Dovecot/POP3 Flood
> 
> I have been using this with zero problems:
> http://www.gregkuhnert.com/public:bq:dfix
> 
> 
> > -----Original Message-----
> > From: Ken Marcus - Precision Web Hosting, Inc.
> > [mailto:kenmarcus (at mark) precisionweb.net]
> > Sent: Tuesday, November 25, 2008 12:29 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:14381] Re: Dovecot/POP3 Flood
> > 
> > 
> > ----- Original Message -----
> > From: "User Ernie" <ernie (at mark) info.eis.net.au>
> > To: <coba-e (at mark) bluequartz.org>
> > Sent: Monday, November 24, 2008 10:02 PM
> > Subject: [coba-e:14379] Re: Dovecot/POP3 Flood
> > 
> > 
> > > I am still having problems with these brute force attacks. The problem
> > > seems to be that dovecot is spawning too many processes->PAM requests
> > > before the intrusion detection program has noticed. Is there a way to
> > > hard code the number of simultaneous running dovecot processes to give
> > > time for the blocking scripts to respond? Something like 50 dovecot
> > > pop3-login processes at once should be heaps.
> > >
> > > - Ernie.
> > >
> > >
> > >>
> > >> On Sun, Sep 07, 2008 at 08:14:51PM +0200, Maurice de Laat wrote:
> > >>
> > >> > wget http://rfxnetworks.com/apf.php
> > >>
> > >> Make that wget http://www.r-fx.ca/downloads/apf-current.tar.gz
> > >> Sorry for the confusion.
> > >> --
> > >> Maurice de Laat
> > >>
> > 
> > 
> > Ernie
> > 
> > As far as I know, the standard BFD does not work with Dovecot.
> > 
> > 
> > 
> > ----
> > Ken Marcus
> > Ecommerce Web Hosting by
> > Precision Web Hosting, Inc.
> > http://www.precisionweb.net
> > 
> > 
> > 
> 
> 
> 
>