
Date:  Tue, 11 Aug 2009 09:32:07 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenlists (at mark) precisionweb.net>
Subject:  [coba-e:15871] Re: Block Hacker IP from BQ and BX Server
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <A1DB4643DAC34538B27258072AD5D250@OfficeKen>
References:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au>
X-Mail-Count: 15871


----- Original Message ----- 
From: "Xin CHEN" <xchen (at mark) housleyconsulting.com.au>
To: <coba-e (at mark) bluequartz.org>
Sent: Monday, August 10, 2009 11:54 PM
Subject: [coba-e:15867] Block Hacker IP from BQ and BX Server


> Hi All,
>
> We are encountering this hacking problem these days. All our BQ and
> BX servers are under attack from a certain IP.
> The service under attack is Dovecot.
>
> The following are the messages from the MAILLOG file (hacker IP: 65.68.51.61):
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, 
> method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login:  user=<support>, 
> method=PLAIN, rip=65.68.51.61, lip=122.100.2.67
> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, 
> method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
>
> I have blocked this IP by using IPTABLES; however, once they change the
> IP, it won't be blocked anymore.
>
> Has anyone had the same issue before? Is there any tool that can block the
> IP automatically based on certain events?
>
> Thanks,
> tim


Xin

On some of my servers I use a variation of this simple script to check pop 
logins.
The cron entry is
*/7   * * * * /root/checkmaillog.pl


The script is
#!/usr/bin/perl
use strict;
use warnings;

#################################################################
# checks the maillog for too many aborted logins and blocks that IP
#################################################################

my $problem       = "no";
my $badipcount    = 0;
my $donotblock    = "123.145.789.10";   # placeholder: put your own IP here so it is never blocked
my $linestocheck  = 1000;
my $badifmorethan = 50;
my $serverdomain  = "This is the name of my server";

########################

# Pull the recent "Aborted login" lines once, dropping the safe IP and localhost.
my @badiplist = `tail -$linestocheck /var/log/maillog | grep "Aborted login" | grep -v "$donotblock" | grep -v "127.0.0.1"`;
my $count = scalar @badiplist;

if ($count > $badifmorethan) {
    $problem = "yes";
}

if ($problem eq "yes") {
    print "pop login problem \n";

    # Take the remote IP (rip=...) from one of the lines: the 4th "=" field is "<rip>, lip"
    my ($item0, $item1, $item2, $item3) = split(/=/, $badiplist[1]);
    my ($badip, $ip1) = split(/,/, $item3);
    chomp($badip);

    # Count how many of the recent aborted logins came from that one IP
    foreach my $line (@badiplist) {
        if ($line =~ /\Q$badip\E/) {
            $badipcount += 1;
            #print "the line in badiplist is $line";
        }
    }

    # Block only if the token really is a dotted-quad (never hand raw log text to the shell)
    if ( ($badipcount > 30) and ($badip !~ /\Q$donotblock\E/) and ($badip =~ /^\d{1,3}(\.\d{1,3}){3}$/) ) {
        print "conditions met";
        system("/sbin/route", "add", "-host", $badip, "reject");
    }

    # Gathered for a notification mail (the sending step is not part of this script)
    my $logentries  = join "", @badiplist;
    my $mailsubject = "Too many aborted pop logins on $serverdomain";
}

exit;
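As an added example, not part of Ken's post or of the BlueQuartz project, the same check written as a per-IP tally in Python: rather than pulling one address out of a single line, it counts "Aborted login" lines per rip= address, skips an allowlist (127.0.0.1 by default), and only builds the route command for a token that is a plain dotted-quad. The sample log lines are constructed from the format quoted in the thread; the /sbin/route invocation mirrors the block method used in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the dovecot pop3-login format quoted in the thread
# (one noisy source, one successful login, one localhost entry, one stray failure).
SAMPLE_MAILLOG = """\
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<support>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.67
Aug 11 15:54:23 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
Aug 11 15:54:30 s10 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=122.100.2.66
Aug 11 15:55:01 s10 dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1
Aug 11 15:55:02 s10 dovecot: pop3-login: Aborted login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=122.100.2.66
"""

DEFAULT_ALLOWLIST = frozenset({"127.0.0.1"})
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Match only aborted POP3 logins and capture the remote IP from the rip= field.
ABORTED_RE = re.compile(
    r"dovecot: pop3-login: Aborted login: .*?\brip=(\d{1,3}(?:\.\d{1,3}){3})\b"
)


def aborted_logins_by_ip(lines, allowlist=DEFAULT_ALLOWLIST):
    """Count 'Aborted login' lines per remote IP, skipping allowlisted addresses."""
    counts = Counter()
    for line in lines:
        m = ABORTED_RE.search(line)
        if m and m.group(1) not in allowlist:
            counts[m.group(1)] += 1
    return counts


def ips_to_block(lines, threshold, allowlist=DEFAULT_ALLOWLIST):
    """Return IPs whose aborted-login count exceeds threshold, busiest first."""
    counts = aborted_logins_by_ip(lines, allowlist)
    return [ip for ip, n in counts.most_common() if n > threshold]


def is_ipv4(token):
    """True only for a plain dotted-quad; anything else must never reach a command line."""
    return IPV4_RE.fullmatch(token) is not None


def route_reject_command(ip):
    """Build the post's route-based block as an argv list (no shell involved)."""
    if not is_ipv4(ip):
        raise ValueError(f"refusing to block non-IPv4 token: {ip!r}")
    return ["/sbin/route", "add", "-host", ip, "reject"]


if __name__ == "__main__":
    # On a real box, replace SAMPLE_MAILLOG with the tail of /var/log/maillog
    # and run the returned argv with subprocess.run(cmd, check=True).
    for ip in ips_to_block(SAMPLE_MAILLOG.splitlines(), threshold=2):
        print(" ".join(route_reject_command(ip)))
```

Counting per address means a single busy IP is found even when it is not on the line the original script happens to inspect, and the threshold is applied to that IP's own count rather than to the total of all failures in the window.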