Hello Darrell,
you cannot solve this with iptables.
Contrary to the ssh case, there are clients out there
that issue these bursts of pop3 connections in normal operation.
If you have a company with, say, 50 mail accounts, then many fetching clients
do the query in parallel and you will see bursts of incoming pop3 connections
from the same IP address. I'm not implying that this is a particularly
clever method by those clients.
However, they exist and do it regularly.
What one needs to detect is: a burst of pop3 connections from the same
IP that all fail authentication!
Cheers,
Chris
Friday, March 16, 2007, 5:02:45 PM, you wrote:
DDM> It would be effective if it were as high as 25 or 50! The dictionary
DDM> attacks usually are a couple hundred or higher.
DDM> -----Original Message-----
DDM> From: Dogsbody [mailto:dan (at mark) dogsbody.org]
DDM> Sent: Friday, March 16, 2007 6:47 AM
DDM> To: coba-e (at mark) bluequartz.org
DDM> Subject: [coba-e:09203] Re: dictionary attack
DDM> I would like to write an iptables ruleset for this. I have already done it
DDM> with SSH, which works great, but I'm unsure of connections for POP3 and IMAP as I
DDM> believe users make multiple connections to the server by default??
DDM> Is there a maximum for the number of connections a user makes to POP3 or
DDM> IMAP?
DDM> Actually it would be the number of simultaneous *new* connections so that a
DDM> rule could be set of no more than perhaps 10 new connections in 10 seconds!?
DDM> Dan
DDM> Darrell D. Mobley wrote:
>> That same thing happened to me. Fortunately, I was nearby and saw it
>> come on. I dropped the IP address in iptables and that took care of
>> that one, but some more automated feature would be nice because dovecot
>> and PAM don't appreciate dictionary attacks.
>>
>> *From:* Ken Marcus - Precision Web Hosting, Inc.
>> [mailto:kenmarcus (at mark) precisionweb.net]
>> *Sent:* Thursday, March 15, 2007 6:08 PM
>> *To:* coba-e (at mark) bluequartz.org
>> *Subject:* [coba-e:09193] dictionary attack
>>
>> Does anyone know of a good scripts for blocking IPs with too many
>> authentication failures.
>>
>> 6128 attempts from this one IP.
>>
>> cat /var/log/maillog | grep 99.72.131.83 -c
>> 6128
>>
>> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login: user=<bebe>,
>> method=PLAIN, rip=199.72.131.83
>>
>> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login:
>> user=<beatrice>, method=PLAIN, rip=199.72.131.83
>>
>> ----
>>
>> Ken Marcus
>>
>> Precision Web Hosting, Inc.
>>
>> http://www.precisionweb.net
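Chris's point above is that a plain per-IP connection-rate rule cannot tell a dictionary attack apart from an office mail client fetching many accounts at once; what has to be counted is failed authentications per source IP inside a short window. The script below is an added example written for this page, not code from the thread or from BlueQuartz, that parses dovecot login lines of the shape Ken quoted ("Aborted login: user=<...>, method=PLAIN, rip=...") and keeps a sliding window of failures per IP. It assumes that successful logins are logged as "pop3-login: Login: user=<...>" in the same shape (an assumption; adjust the regex to your dovecot version), and the sample log is constructed, with one office IP doing 15 parallel fetches, one slow forgotten-password case and one dictionary run. The iptables rules are only rendered as strings; nothing is executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for the dovecot login lines quoted in the thread (pop3-login or imap-login).
# "Aborted login" is a failed authentication; "Login" is assumed to be the success form.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proto>pop3|imap)-login: (?P<result>Aborted login|Login): "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[\d.]+)"
)


def parse_line(line):
    """Return (timestamp, ip, user, failed) for a login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for measuring deltas within one file
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("rip"), m.group("user"), m.group("result") == "Aborted login"


def detect_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: (failures_in_window, distinct_users)} for every IP that produced
    at least `threshold` failed logins inside some `window_seconds` interval.
    Successful logins are ignored, so a bursty but correctly authenticating
    office client never trips the rule."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried on failed attempts
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, failed = parsed
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            prev = offenders.get(ip, (0, 0))
            offenders[ip] = (max(prev[0], len(q)), len(users[ip]))
    return offenders


def block_commands(offenders, ports=(110, 143)):
    """Render iptables DROP rules for the offending IPs (strings only, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders) for port in ports]


def _line(ts, proto, result, user, ip):
    return f"Mar 15 {ts} blue92 dovecot: {proto}-login: {result}: user=<{user}>, method=PLAIN, rip={ip}"


# Constructed sample log (not real traffic), shaped like the lines Ken quoted:
#  - 203.0.113.9: three scattered failures over 40 minutes (forgotten password, not an attack)
#  - 10.0.0.5: an office client fetching 15 accounts in parallel, plus one mistyped password
#  - 199.72.131.83: a dictionary run, 12 different usernames failing within 6 seconds
SAMPLE_LOG = (
    [_line("13:00:10", "pop3", "Aborted login", "dave", "203.0.113.9"),
     _line("13:20:40", "pop3", "Aborted login", "dave", "203.0.113.9"),
     _line("13:40:05", "pop3", "Aborted login", "dave", "203.0.113.9")]
    + [_line(f"14:20:0{i % 2}", "pop3", "Login", f"user{i}", "10.0.0.5") for i in range(15)]
    + [_line("14:20:02", "pop3", "Aborted login", "user3", "10.0.0.5")]
    + [_line(f"14:22:{53 + i // 2}", "pop3", "Aborted login", name, "199.72.131.83")
       for i, name in enumerate(["bebe", "beatrice", "ben", "bert", "betty", "bill",
                                 "bob", "brad", "brenda", "brian", "bruce", "bryan"])]
)

if __name__ == "__main__":
    found = detect_bursts(SAMPLE_LOG)
    for ip, (n, distinct) in found.items():
        print(f"{ip}: {n} failed logins inside the window, {distinct} distinct usernames")
    for cmd in block_commands(found):
        print(cmd)
```

Run against a live file by feeding it the output of `tail -F /var/log/maillog` instead of SAMPLE_LOG. Only the dictionary IP is reported; the office IP and the slow failure case stay below the threshold. Before turning the rendered rules into real blocks, add an expiry for the DROP entries and a whitelist for your own NAT addresses, since one mistyped password behind a shared gateway would otherwise lock out the whole office.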