
Date:  Tue, 11 Aug 2009 09:57:26 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenlists (at mark) precisionweb.net>
Subject:  [coba-e:15872] Re: Block Hacker IP from BQ and BX Server
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <BF17D8891D434754B1BC4A20C751F020@OfficeKen>
References:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au> <A1DB4643DAC34538B27258072AD5D250 (at mark) OfficeKen>
X-Mail-Count: 15872


----- Original Message ----- 
From: "Ken Marcus - Precision Web Hosting, Inc." <kenlists (at mark) precisionweb.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Tuesday, August 11, 2009 9:32 AM
Subject: [coba-e:15871] Re: Block Hacker IP from BQ and BX Server


>
> ----- Original Message ----- 
> From: "Xin CHEN" <xchen (at mark) housleyconsulting.com.au>
> To: <coba-e (at mark) bluequartz.org>
> Sent: Monday, August 10, 2009 11:54 PM
> Subject: [coba-e:15867] Block Hacker IP from BQ and BX Server
>
>
>> Hi All,
>>
>> We are encountering this being-hacked problem these days. All our BQ and
>> BX servers are under attack from a certain IP.
>> The service under attack is Dovecot.
>>
>> The following is the messages from MAILLOG file: (Hacker IP: 
>> 65.68.51.61)
>> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, 
>> method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
>> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login:  user=<support>, 
>> method=PLAIN, rip=65.68.51.61, lip=122.100.2.67
>> Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, 
>> method=PLAIN, rip=65.68.51.61, lip=122.100.2.66
>>
>> I have blocked this IP using IPTABLES; however, once they change the
>> IP, it won't be blocked anymore.
>>
>> Has anyone had the same issue before? Is there any tool that can block the
>> IP automatically based on certain events?
>>
>> Thanks,
>> tim
>
>
> Xin
>
> On some of my servers I use a variation of this simple script to check pop 
> logins.
> The cron entry is
> */7   * * * * /root/checkmaillog.pl
>
>
> The script is
> #!/usr/bin/perl
>
> #################################################################
>
> # checks the maillog for too many aborted logins and blocks that IP
>
> #################################################################
>
> $problem = "no";
>
> $badipcount = 0;
>
> $donotblock = "123.145.789.10";
>
> $linestocheck = 1000;
>
> $badifmorethan = 50;
>
> $serverdomain = "This is the name of my server";
>
> ########################
>
> ?
>
> $count =`tail -$linestocheck /var/log/maillog | grep "Aborted login" 
> |grep -v "$donotblock" | grep -v "127.0.0.1" -c`;
>
> if ($count > $badifmorethan) {
>
> $problem = "yes";
>
> }
>
> if ($problem eq "yes") {
>
> print "pop login problem \n";
>
> @badiplist =`tail -$linestocheck /var/log/maillog | grep "Aborted login" 
> |grep -v "$donotblock" | grep -v "127.0.0.1" `;
>
> ($item0, $item1, $item2, $item3) = split(/=/,$badiplist[1]);
>
> ($badip, $ip1) = split(/,/,$item3);
>
> chomp ($badip);
>
> foreach $line (@badiplist){
>
> if ( $line =~ /$badip/) {
>
> $badipcount += 1;
>
> #print "the line in badiplist is $line";
>
> }
>
> }
>
> ?
>
> ?
>
> if ( ($badipcount > 30 ) and ($badip !~ /$donotblock/) ) {
>
> print "conditions met";
>
> system ("/sbin/route add -host $badip reject");
>
> }
>
> $logentries =`tail -$linestocheck /var/log/maillog | grep "Aborted login" 
> |grep -v "$donotblock" | grep -v "127.0.0.1" `;
>
> $mailsubject = "Too many aborted pop logins on $serverdomain";
>
> }
>
>
>
> exit;
>
>


For some reason my email software added an extra ? alone on some lines.
Those do not belong in the script.

So, one more time, the script is

#!/usr/bin/perl
use strict;
use warnings;

#################################################################
# checks the maillog for too many aborted logins and blocks that IP
#################################################################

my $problem       = "no";
my $badipcount    = 0;
my $donotblock    = "123.145.789.10";   # an IP that must never be blocked (placeholder)
my $linestocheck  = 1000;               # how far back in the maillog to look
my $badifmorethan = 50;                 # aborted logins (from any IP) that mean trouble
my $serverdomain  = "This is the name of my server";

########################

# Number of recent "Aborted login" lines, ignoring the safe IP and localhost
my $count = `tail -$linestocheck /var/log/maillog | grep "Aborted login" | grep -v "$donotblock" | grep -v "127.0.0.1" -c`;
chomp($count);

if ($count > $badifmorethan) {
    $problem = "yes";
}

if ($problem eq "yes") {
    print "pop login problem \n";

    my @badiplist = `tail -$linestocheck /var/log/maillog | grep "Aborted login" | grep -v "$donotblock" | grep -v "127.0.0.1"`;

    # Take the remote IP from the rip= field of one offending line; reading
    # that field directly means a username containing "=" cannot shift it
    my ($badip) = $badiplist[0] =~ /rip=(\d+\.\d+\.\d+\.\d+)/;
    exit unless defined $badip;

    # Count how many of the recent aborted logins came from that one IP
    foreach my $line (@badiplist) {
        if ($line =~ /\Q$badip\E/) {
            $badipcount += 1;
            #print "the line in badiplist is $line";
        }
    }

    if ( ($badipcount > 30) and ($badip ne $donotblock) ) {
        print "conditions met";
        # null-route the IP; the list form of system() does not go through the shell
        system("/sbin/route", "add", "-host", $badip, "reject");
    }

    # prepared for the notification e-mail (the mailing part is not in this excerpt)
    my $logentries  = `tail -$linestocheck /var/log/maillog | grep "Aborted login" | grep -v "$donotblock" | grep -v "127.0.0.1"`;
    my $mailsubject = "Too many aborted pop logins on $serverdomain";
}

exit;

----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
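The same check, generalised to count aborted logins per remote IP instead of only the IP found on one line, as an added example that is not part of this thread or of Ken's script (assumes Python 3; the log lines below are constructed in the maillog format quoted above and use documentation address ranges):

```python
import re
import ipaddress
from collections import Counter

# Pattern for Dovecot "Aborted login" lines; the remote IP is read from the
# rip= field directly, so a username containing '=' or ',' cannot shift it.
ABORTED_RE = re.compile(r"dovecot: (?:pop3|imap)-login: Aborted login:.*\brip=([0-9.]+)")

# Constructed sample log lines (not real traffic), in the format quoted in the thread.
SAMPLE_MAILLOG = """\
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<login>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.66
Aug 11 15:54:22 s10 dovecot: pop3-login: Aborted login: user=<support>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.67
Aug 11 15:54:23 s10 dovecot: pop3-login: Aborted login: user=<Thomas>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.66
Aug 11 15:54:24 s10 dovecot: pop3-login: Aborted login: user=<a=b,c>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.66
Aug 11 15:55:01 s10 dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.66
Aug 11 15:55:02 s10 dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1
Aug 11 15:55:03 s10 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.66
"""

def count_aborted_by_ip(log_text, allowlist=("127.0.0.1",)):
    """Return a Counter of aborted-login attempts per remote IP, skipping allowlisted IPs."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ABORTED_RE.search(line)
        if not m:
            continue
        rip = m.group(1)
        try:
            ipaddress.ip_address(rip)  # refuse anything that is not a syntactically valid IP
        except ValueError:
            continue
        if rip in allowlist:
            continue
        counts[rip] += 1
    return counts

def offenders(log_text, threshold, allowlist=("127.0.0.1",)):
    """IPs with more than `threshold` aborted logins, worst first."""
    counts = count_aborted_by_ip(log_text, allowlist)
    return [ip for ip, n in counts.most_common() if n > threshold]

def block_command(ip):
    """argv list for the same null-route the thread's script uses; a list avoids shell parsing."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    return ["/sbin/route", "add", "-host", ip, "reject"]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_MAILLOG, threshold=3):
        print(" ".join(block_command(ip)))  # subprocess.run(block_command(ip), check=True) to apply
```

Run it from cron against the output of `tail -1000 /var/log/maillog` in place of the sample text; it reports the offenders without touching the routing table until you wire in the subprocess call.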