
Date:  Wed, 27 Dec 2006 18:15:34 -0800 (PST)
From:  Herb Rubin <herbr (at mark) pfinders.com>
Subject:  [coba-e:08364] Re: Preventing dictionary attacks
To:  coba-e (at mark) bluequartz.org
Message-Id:  <12306577.1461167272134443.JavaMail.root (at mark) z01.pfinders.com>
In-Reply-To:  <4591D6F6.7020408 (at mark) dogsbody.org>
X-Mail-Count: 08364

Dan,

I wrote a perl script that blocked dictionary attacks. It knew my email addresses and aliases.
So, as it monitored the /var/log/maillog it could easily see the phoney email address spammers were sending to my domain pfinders.com

Originally, I added it to the iptables rules but that grew too big after a while.

Now I run my own RBL that all my mail servers use, besides spamcop and spamhaus. It has a mysql database behind it. In the 2 months it's been up, my perl script has added 43,000 IP addresses to it. Can you imagine an iptables rule list that long!

It's important that you choose a domain that doesn't create or delete email boxes very often because you don't want to block an IP just because your monitoring program doesn't realize a new legitimate mailbox was created. I set my threshold to 10 phoney emails to a domain to trigger the block.

Steps I use:

1) The perl script monitors the /var/log/maillog using the File::Tail module. 
2) When it finds a dictionary attacker, it Posts to a form in PHP on a different server
3) The form adds the IP address to the mysql rbl table.
4) Every 5 minutes I rebuild the flat file database that the rbldns daemon uses.
5) All my mail servers use the rbl for relay blocking.

I started documenting my steps:

http://www.blue-quartz.com/rbl/

Herb
Pathfinders Software

----- Original Message -----
From: Dogsbody <dan (at mark) dogsbody.org>
To: coba-e (at mark) bluequartz.org
Sent: Tuesday, December 26, 2006 6:14:14 PM GMT-0800
Subject: [coba-e:08347] Preventing dictionary attacks

Hi All,

The next thing on my list of things to do over Christmas :-)

I am taking a systematic look at each side of my servers to see if things can be 
done better.  While I currently have (home grown) protection for automated SSH 
attacks/probes the other services seem just as vulnerable especially if it's a 
real attack trying to crack a real persons password.

So what do people use?

I figure iptables is probably the best thing to use (instead of hosts.deny) but 
that does mean I'll have to build a firewall ruleset at the same time.  Tools 
that combine the two would be good.

iptables RECENT module would be good but does it work on the default CentOS BQ 
(v1.2.11)?  I also don't think it would work very well on POP3, IMAP & Apache??

Certainly there are separate apps I could use but it seems silly to run five 
separate apps to protect five services.  Most parse log files too which can't be 
the most instant/effective.

Links I have collected from previous posts...
http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
http://sourceforge.net/projects/blocksshd/
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.rfxnetworks.com/bfd.php
http://bluequartz.ixc.co.uk/

All and any suggestions welcome.

Thank you in advance

Dan




-- 
Herb Rubin
Pathfinders Software
http://www.pfinders.com
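The detection half of the procedure Herb describes (steps 1 and 2: watch the mail log, compare recipients against a known mailbox list, count phoney recipients per sending IP, and fire once the threshold of 10 is reached), written out as an added example. This is not Herb's perl script and not BlueQuartz code; it is a Python sketch with an in-memory list of constructed log lines standing in for File::Tail, a simplified sendmail-style line shape that is an assumption (adjust the regex to your MTA's actual format), a hypothetical mailbox inventory for a placeholder domain, and a block decision that is only recorded here rather than posted to an RBL form.

```python
"""Recipient-dictionary-attack detector for mail log lines (added example)."""
import re
from collections import defaultdict

# Hypothetical inventory for the monitored domain (constructed for this example).
# As the post notes, this list must track real mailbox changes, otherwise mail
# to a newly created mailbox is miscounted as a phoney recipient.
MONITORED_DOMAIN = "example.com"
KNOWN_MAILBOXES = {"herb", "sales", "support", "postmaster", "abuse"}
THRESHOLD = 10   # phoney recipients from one IP before it is blocked, as in the post

# Assumed, simplified line shape: "... to=<user@domain>, relay=[a.b.c.d] ...".
# Real sendmail/postfix lines differ; adapt this pattern to the MTA in use.
RCPT_RE = re.compile(
    r"to=<(?P<user>[^@>]+)@(?P<domain>[^>]+)>.*?relay=[^\[]*\[(?P<ip>[0-9.]+)\]"
)


def parse_recipient(line):
    """Return (ip, localpart, domain) for a recipient log entry, or None."""
    m = RCPT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("user").lower(), m.group("domain").lower()


class DictionaryAttackDetector:
    def __init__(self, known_mailboxes, domain, threshold=THRESHOLD):
        self.known = {u.lower() for u in known_mailboxes}
        self.domain = domain.lower()
        self.threshold = threshold
        self.phoney_counts = defaultdict(int)
        self.blocked = set()

    def feed(self, line):
        """Process one log line; return the IP if it just crossed the threshold."""
        parsed = parse_recipient(line)
        if parsed is None:
            return None
        ip, user, domain = parsed
        # Only the monitored domain is judged, and only recipients that are not
        # in the inventory count as guesses (the inventory, not the MTA's verdict,
        # decides, which is why it must be kept current).
        if domain != self.domain or user in self.known or ip in self.blocked:
            return None
        self.phoney_counts[ip] += 1
        if self.phoney_counts[ip] >= self.threshold:
            self.blocked.add(ip)   # here the post's script would POST the IP to the RBL form
            return ip
        return None


def scan(lines, detector):
    """Feed every line to the detector; return IPs that hit the threshold, in order."""
    hits = []
    for line in lines:
        ip = detector.feed(line)
        if ip:
            hits.append(ip)
    return hits


def log_line(ip, user, domain=MONITORED_DOMAIN):
    """Build one constructed log entry in the assumed shape (sample data, not a real log)."""
    return (f"Dec 27 18:01:02 mx1 sendmail[2210]: kBS21Ab002210: "
            f"to=<{user}@{domain}>, relay=[{ip}]")


# Constructed sample log: one dictionary probe, two legitimate deliveries,
# a few typo'd addresses below the threshold, traffic for another domain,
# and an unrelated line the parser must ignore.
SAMPLE_LOG = (
    [log_line("192.0.2.10", f"user{i}") for i in range(12)]
    + [log_line("198.51.100.5", "sales"), log_line("198.51.100.5", "support")]
    + [log_line("203.0.113.7", u) for u in ("bob", "alice", "carol")]
    + [log_line("192.0.2.10", "admin", domain="other.test")]
    + ["Dec 27 18:02:00 mx1 sendmail[2211]: kBS22Ac002211: from=<a@b.test>, size=512, relay=[192.0.2.10]"]
)


def run_sample():
    """Run the detector over SAMPLE_LOG and return (hits, detector) for inspection."""
    det = DictionaryAttackDetector(KNOWN_MAILBOXES, MONITORED_DOMAIN)
    return scan(SAMPLE_LOG, det), det


if __name__ == "__main__":
    hits, det = run_sample()
    print("blocked:", hits)
    print("counts:", dict(det.phoney_counts))
```

To run it against a live log, replace the SAMPLE_LOG iteration with a tail-style reader over /var/log/maillog and turn the recorded block into the HTTP post to the RBL form from step 2. The counts never expire here; a production version would want a time window or periodic reset so that a slow trickle of typos from one relay does not accumulate into a block over months.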