Date:  Fri, 14 Aug 2009 11:44:19 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.com>
Subject:  [coba-e:15885] Re: Block Hacker IP from BQ and BX Server
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <5D1AFDCEFF6842F0A19B3AC3A086C636@HP9925NR>
In-Reply-To:  <4AC0EE4443374853B240370C4E373A02@HP9925NR>
References:  <2DAB4EF3-1B30-4A80-9B28-05C1CAC2B271 (at mark) housleyconsulting.com.au> <BAY107-W428D49C8AE2A6E64E87003D1070 (at mark) phx.gbl> <C81E2DF7ABD74911BB472BEC43ABD0A2 (at mark) HP9925NR> <4A8333EF.1040905 (at mark) theanchoragesylvania.com> <4AC0EE4443374853B240370C4E373A02 (at mark) HP9925NR>
X-Mail-Count: 15885

It happened again this morning:

Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<admin>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<root>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<stud>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<trash>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<gt05>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<aaron>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<william>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<stephanie>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<root>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.100
Aug 14 04:14:39 www last message repeated 4 times
...
Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<guravlev>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<tikhomirov>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:51 www dovecot: pop3-login: Disconnected: user=<lex>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<kuznetsov>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<s2a>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: user=<kotov>,
method=PLAIN, rip=213.92.11.165, lip=208.77.219.99
Aug 14 05:06:53 www dovecot: pop3-login: Disconnected: method=PLAIN,
rip=213.92.11.165, lip=208.77.219.99

They finally gave up after 45 minutes of hammering the server.

DFix never even grunted...  


> -----Original Message-----
> From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com]
> Sent: Wednesday, August 12, 2009 5:48 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15881] Re: Block Hacker IP from BQ and BX Server
> 
> > -----Original Message-----
> > From: Greg Kuhnert [mailto:greg.kuhnert (at mark) theanchoragesylvania.com]
> > Sent: Wednesday, August 12, 2009 5:28 PM
> > To: coba-e (at mark) bluequartz.org >> BQ List
> > Subject: [coba-e:15880] Re: Block Hacker IP from BQ and BX Server
> >
> > There has been a dovecot log format change recently. I sent a post to
> > the list advising all users to upgrade to the most recent version. Older
> > versions will not block brute force attacks.
> >
> > To check your dfix version from a shell - enter the command
> >
> > rpm -qa dfix
> >
> > If you are up to date, it will return dfix-9-1
> >
> > Regards,
> > Greg.
> 
> It said:
> 
> [root@www ~]# rpm -qa dfix
> warning: only V3 signatures can be verified, skipping V4 signature
> dfix-9-1
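
Added example, not part of the original thread and not DFix's own code: a small detector for the pattern in the log excerpt above, counting pop3-login disconnects per remote IP in a sliding window, including syslog "last message repeated N times" lines and entries with no user= field. It assumes each log entry is on one line (unwrapped); the threshold, window, default year and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the unwrapped format of the log lines quoted in the post.
SAMPLE = """\
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 14 04:14:33 www dovecot: pop3-login: Disconnected: user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 14 04:14:35 www dovecot: pop3-login: Disconnected: user=<aaron>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 14 04:14:37 www dovecot: pop3-login: Disconnected: user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 14 04:14:39 www last message repeated 4 times
Aug 14 04:14:41 www dovecot: pop3-login: Disconnected: method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Aug 14 04:20:02 www dovecot: pop3-login: Disconnected: user=<carol>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (.*)$")
FAIL = re.compile(r"dovecot: pop3-login: Disconnected: (?:user=<([^>]*)>, )?.*?\brip=([\d.]+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def find_bruteforce(text, year=2009, threshold=5, window=timedelta(minutes=1)):
    """Return {rip: sorted usernames tried} for sources with >= threshold
    disconnects inside any sliding window. Syslog lines carry no year."""
    recent = defaultdict(deque)   # rip -> timestamps still inside the window
    users = defaultdict(set)      # rip -> usernames seen (may be empty)
    flagged, last = set(), None   # last = (rip, user) of previous parsed event
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rest, count = m.group(2), 1
        fail, rep = FAIL.search(rest), REPEAT.search(rest)
        if fail:
            last = (fail.group(2), fail.group(1))   # user is None when absent
        elif rep and last:
            count = int(rep.group(1))               # syslog collapsed duplicates
        else:
            last = None                             # unrelated line breaks the run
            continue
        rip, user = last
        if user:
            users[rip].add(user)
        q = recent[rip]
        q.extend([when] * count)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(rip)
    return {rip: sorted(users[rip]) for rip in flagged}
```

On the constructed sample, only the first source crosses the threshold, and it does so on the "repeated 4 times" line, which a matcher that reads only the dovecot lines would miss.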