Date:  Tue, 20 Jan 2009 06:56:34 +1100
From:  Greg Kuhnert <greg.kuhnert (at mark) theanchoragesylvania.com>
Subject:  [coba-e:14803] Re: dfix.sh Update
To:  Jim Scott <jscott (at mark) infoconex.com>
Cc:  coba-e (at mark) bluequartz.org
Message-Id:  <4974DAF2.8060904 (at mark) theanchoragesylvania.com>
In-Reply-To:  <60C8DB9EA0A04AD98A1DABB21C8CB88E (at mark) concord.corp>
References:  <49746973.3060002 (at mark) theanchoragesylvania.com> <60C8DB9EA0A04AD98A1DABB21C8CB88E (at mark) concord.corp>
X-Mail-Count: 14803

The script auto generates a whitelist. As long as you have a valid 
authenticated POP or IMAP transaction before you do other stuff, it 
should be auto whitelisted.

If you need to add a single server to your whitelist... look where I 
have 1.1.1.1 in the few lines below....

# Create a list of good guys
echo 127.0.0.1 >> $GLOGIP
echo 1.1.1.1 >> $GLOGIP
# Add the remote IP (rip=) of every authenticated dovecot login
grep "dovecot:.*login: Login: user=.*rip" $GLOGFILE | cut -d "," -f 3 | \
    cut -b 6- | sort | uniq >> $GLOGIP

Jim Scott wrote:
> Greg, would be great if you could add to your script the ability to 
> whitelist a set of IP addresses. For instance I had to customize your 
> script to get it to ignore a monitoring server.
>
> Jim
>
> ----- Original Message ----- From: "Greg Kuhnert" 
> <greg.kuhnert (at mark) theanchoragesylvania.com>
> To: "BQ List" <coba-e (at mark) bluequartz.org>; "BlueOnyx General Mailing List" 
> <blueonyx (at mark) blueonyx.it>
> Sent: Monday, January 19, 2009 3:52 AM
> Subject: [coba-e:14799] dfix.sh Update
>
>
>> Hi Blue*
>>
>> After the recent dovecot update, I noticed a log format change to the 
>> dovecot log files. Theoretically, the reason for running dfix is now 
>> gone. The old system lockups when our servers are subjected to brute 
>> force attacks to dovecot appear to be fixed with the current dovecot 
>> rpm.
>>
>> However, preventing system lockups is not the only reason to run 
>> dfix. Brute force attacks are designed to find bad or weak passwords. 
>> dfix will detect these attacks and temporarily black-list the 
>> attacker's IP address.
>>
>> Another new feature in the current version is the ability to detect 
>> http rfi (Remote File Include) attackers. If you upgrade to this 
>> version of dfix, you may be surprised just how many people are 
>> attempting to attack your websites.
>>
>> An explanation of RFI exploits can be found at 
>> http://en.wikipedia.org/wiki/Remote_File_Inclusion
>>
>> Anyway, the code for dfix is as always available at 
>> http://www.gregkuhnert.com/public:bq:dfix
>>
>> I plan to release another update soon - to cleanup the code.... till 
>> then, enjoy this version.
>>
>> Regards,
>> Greg.
>>
>
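As an added example, not part of this thread or of dfix.sh itself, the script below builds the whitelist the same way Greg's snippet does (localhost, one fixed address, every client with an authenticated POP/IMAP login) and then uses it when counting failed dovecot logins per client so a whitelisted host such as a monitoring server is never a block candidate. The log lines, the fixed address 203.0.113.5 and the threshold of 2 are constructed; the rip= field is pulled out with sed instead of the cut pair so the extraction does not depend on field position.

```shell
#!/bin/sh
# Added example, not code from dfix.sh. Log lines below are constructed
# to resemble dovecot's "Login:" and "auth failed" lines.

sample_log() {
  cat <<'EOF'
Jan 19 03:52:01 mail dovecot: imap-login: Login: user=<jim>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Jan 19 03:53:10 mail dovecot: pop3-login: Login: user=<greg>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1
Jan 19 03:54:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Jan 19 03:54:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Jan 19 03:54:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Jan 19 03:55:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<jim>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Jan 19 03:55:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<jim>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Jan 19 03:56:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.1
EOF
}

# Print the rip= (remote IP) of each line, wherever the field sits.
rip_of() { sed -n 's/.*rip=\([0-9.]*\).*/\1/p'; }

# Whitelist: localhost, one fixed address (the "1.1.1.1" slot in the
# snippet, e.g. a monitoring host), plus every client that completed
# an authenticated login. Output is one IP per line, sorted, unique.
build_whitelist() {
  {
    echo 127.0.0.1
    echo "$1"
    sample_log | grep "dovecot:.*login: Login: user=.*rip" | rip_of
  } | sort -u
}

# Clients with at least $2 failed logins that are not whitelisted
# (whitelist built with fixed address $1). Output: "<count> <ip>".
suspects() {
  wl=$(build_whitelist "$1")
  sample_log | grep 'auth failed' | rip_of | sort | uniq -c |
    awk -v min="$2" '$1 >= min { print $1, $2 }' |
    while read -r n ip; do
      echo "$wl" | grep -qxF "$ip" || echo "$n $ip"
    done
}

suspects 203.0.113.5 2
```

With the sample above, 192.0.2.10 has two failures but is skipped because its earlier successful login put it on the whitelist; only 198.51.100.7 is reported.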