How about a ruleset for FTP attacks as well? That is what
we get hit with the most.
Bill Berg
Northern Webworks
715-627-0400 or 1-866-572-1333
-----Original Message-----
From: Dogsbody [mailto:dan (at mark) dogsbody.org]
Sent: Friday, March 16, 2007 5:47 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:09203] Re: dictionary attack
I would like to write an IPtables ruleset for this. I have already done it
with SSH which works great but I'm unsure of connections for POP3 and IMAP
as I believe users make multiple connections to the server by default??
Is there a maximum for the number of connections a user makes to POP3 or
IMAP?
Actually it would be the number of simultaneous *new* connections so that a
rule could be set of no more than perhaps 10 new connections in 10 seconds!?
Dan
Darrell D. Mobley wrote:
> That same thing happened to me. Fortunately, I was nearby and saw it
> come on. I dropped the IP address in iptables and that took care of
> that one, but some more automated feature would be nice because
> dovecot and PAM don't appreciate dictionary attacks.
>
>
>
> *From:* Ken Marcus - Precision Web Hosting, Inc.
> [mailto:kenmarcus (at mark) precisionweb.net]
> *Sent:* Thursday, March 15, 2007 6:08 PM
> *To:* coba-e (at mark) bluequartz.org
> *Subject:* [coba-e:09193] dictionary attack
>
>
>
> Does anyone know of a good script for blocking IPs with too many
> authentication failures?
>
> 6128 attempts from this one IP.
>
>
>
> cat /var/log/maillog | grep 99.72.131.83 -c
> 6128
>
>
>
> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login:
> user=<bebe>, method=PLAIN, rip=199.72.131.83
>
> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login:
> user=<beatrice>, method=PLAIN, rip=199.72.131.83
>
>
>
>
>
> ----
>
> Ken Marcus
>
> Precision Web Hosting, Inc.
>
> http://www.precisionweb.net
>
>
>
>
>
>
>
--
Personal : http://www.dogsbody.org/
Skating : http://www.cskate.co.uk/
Hosting : http://www.dogsbodyhosting.net/
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 268.18.11/723 - Release Date: 3/15/2007
11:27 AM