
Date:  Tue, 11 Aug 2009 09:27:58 +0200
From:  Roman =?ISO-8859-1?Q?B=FCrkle?= <buerkle (at mark) stimme.net>
Subject:  [coba-e:15868] Re: Block Hacker IP from BQ and BX Server
To:  "coba-e (at mark) bluequartz.org" <coba-e (at mark) bluequartz.org>
Message-Id:  <1249975678.3187.9.camel (at mark) blackbird.stimme.net>
In-Reply-To:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au>
References:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au>
X-Mail-Count: 15868

Hi Tim,

We use fail2ban http://www.fail2ban.org to block brute-force attacks. It
scans specific daemon logs for expressions and blocks the IP via
IPTABLES for a configurable amount of seconds. Works very fine on SSHD
and PROFTPD, but I never tried it on DOVECOT. But it's quite easy to
configure for nearly any daemon/logfile because it's only based on a
regular expression search over them.

Greets 
Roman

On Tue, 2009-08-11 at 08:54 +0200, Xin CHEN wrote:
> Hi All,
> 
> We are encountering this being-hacked problem these days. All our BQ
> and BX servers are under attack from a certain IP.
> The service under attack is Dovecot.
> 
> The following are the messages from the MAILLOG file: (Hacker IP:
> 65.68.51.61)
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<support>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.67
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
> 
> I have blocked this IP by using IPTABLES; however, once they change
> the IP, it won't be blocked anymore.
> 
> Has anyone had the same issue before? Is there any tool that can block
> the IP automatically based on certain events?
> 
> Thanks,
> tim
>
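To make concrete what Roman describes (a regular-expression scan over a daemon log, a retry counter per source IP inside a time window, and an iptables ban when the threshold is hit), here is an added example that replays the Dovecot lines quoted in Tim's message. It is not fail2ban's code and not part of the original thread: the regex is a hand-written equivalent of a fail2ban `failregex` with a named `host` group standing in for fail2ban's `<HOST>` tag, the year 2009 is assumed because syslog timestamps carry none, the two lines for 192.0.2.10 are constructed to show a legitimate client that is not banned, and the iptables command is the simplified shape of what a ban action inserts (fail2ban really uses its own per-jail chain).

```python
"""Minimal fail2ban-style scanner for Dovecot 'Aborted login' lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log lines quoted in the thread, re-joined onto single lines, plus two CONSTRUCTED
# lines for a legitimate client (192.0.2.10, RFC 5737 documentation range) that
# fails once and then logs in successfully.
SAMPLE_LOG = """\
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<support>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.67
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
Aug 11 15:55:01 s10 dovecot: pop3-login: Aborted login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=122.100.2.66
Aug 11 15:55:09 s10 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=122.100.2.66
"""

# Hand-written equivalent of a fail2ban failregex: only failed-login lines match,
# and the named group 'host' plays the role of fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:pop3|imap)-login: Aborted login: user=<[^>]*>, method=\S+, "
    r"rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3}), lip=\S+"
)

LOG_YEAR = 2009  # assumption: syslog timestamps carry no year; taken from the thread's date


def parse_ts(ts: str) -> datetime:
    """Parse a syslog timestamp such as 'Aug 11 15:54:22' into a datetime."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def scan(log_text: str, maxretry: int = 3, findtime: int = 600, bantime: int = 3600) -> dict:
    """Replay log lines in order; return {host: ban_expiry} for every host that
    reached `maxretry` failures within a `findtime`-second window (fail2ban's
    maxretry/findtime/bantime semantics, simplified)."""
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        host, now = m.group("host"), parse_ts(m.group("ts"))
        if host in bans and bans[host] > now:
            continue  # already banned; the firewall would drop its traffic anyway
        window = failures[host]
        window.append(now)
        while window and (now - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures that fell out of the window
        if len(window) >= maxretry:
            bans[host] = now + timedelta(seconds=bantime)
            window.clear()
    return bans


def iptables_rule(host: str) -> str:
    """Simplified form of the rule a fail2ban iptables action inserts for a banned
    host (and removes again when bantime expires)."""
    return f"iptables -I INPUT -s {host} -j DROP"


if __name__ == "__main__":
    for host, until in scan(SAMPLE_LOG).items():
        print(f"{host} banned until {until:%H:%M:%S}: {iptables_rule(host)}")
```

With the defaults, the three aborted logins from 65.68.51.61 in the same second exhaust `maxretry` and produce a one-hour ban, while 192.0.2.10 stays unbanned because its single failure never reaches the threshold. Tuning is the same trade-off as in fail2ban: a lower `maxretry` or longer `findtime` catches slower attempts but raises the chance of locking out a user who mistypes a password a few times.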