
Date:  Fri, 16 Mar 2007 17:06:29 +0000
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:09217] Re: dictionary attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <45FACE95.3030605 (at mark) dogsbody.org>
In-Reply-To:  <200703161315.l2GDFD5q027868 (at mark) bugs.northernweb.net>
References:  <200703161315.l2GDFD5q027868 (at mark) bugs.northernweb.net>
X-Mail-Count: 09217


FTP shouldn't be a problem, that should be the same as SSH.

It's only POP3 & IMAP I am unsure of as they make multiple connections 
by design I believe??

Dan


On 03/16/07 13:15, Bill Berg was seen to have typed:
> How about a ruleset for FTP attacks as well? That is what
> we get hit with the most. 
> 
> 
> Bill Berg
> Northern Webworks
> 715-627-0400 or 1-866-572-1333
> 
> -----Original Message-----
> From: Dogsbody [mailto:dan (at mark) dogsbody.org] 
> Sent: Friday, March 16, 2007 5:47 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:09203] Re: dictionary attack
> 
> 
> I would like to write an IPtables ruleset for this.  I have already done it
> with SSH which works great but I'm unsure of connections for POP3 and IMAP
> as I believe users make multiple connections to the server by default??
> 
> Is there a maximum for the number of connections a user makes to POP3 or
> IMAP? 
> Actually it would be the number of simultaneous *new* connections so that a
> rule could be set of no more than perhaps 10 new connections in 10 seconds!?
> 
> Dan
> 
> 
> Darrell D. Mobley wrote:
>> That same thing happened to me. Fortunately, I was nearby and saw it 
>> come on.  I dropped the IP address in iptables and that took care of 
>> that one, but some more automated feature would be nice because 
>> dovecot and PAM don't appreciate dictionary attacks.
>>
>>  
>>
>> *From:* Ken Marcus - Precision Web Hosting, Inc. 
>> [mailto:kenmarcus (at mark) precisionweb.net]
>> *Sent:* Thursday, March 15, 2007 6:08 PM
>> *To:* coba-e (at mark) bluequartz.org
>> *Subject:* [coba-e:09193] dictionary attack
>>
>>  
>>
>> Does anyone know of a good script for blocking IPs with too many 
>> authentication failures?
>>
>> 6128  attempts from this one IP.
>>
>>  
>>
>>  cat  /var/log/maillog | grep 99.72.131.83 -c
>> 6128
>>
>>  
>>
>> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login: 
>> user=<bebe>, method=PLAIN, rip=199.72.131.83
>>
>> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login: 
>> user=<beatrice>, method=PLAIN, rip=199.72.131.83
>>
>>  
>>
>>  
>>
>> ----
>>
>> Ken Marcus
>>
>> Precision Web Hosting, Inc.
>>
>> http://www.precisionweb.net
>>
>>  
>>
>>  
>>
>>  
>>
> 
> --
> Personal : http://www.dogsbody.org/
> Skating  : http://www.cskate.co.uk/
> Hosting  : http://www.dogsbodyhosting.net/
> 
> 

-- 
Personal : http://www.dogsbody.org/
Skating  : http://www.cskate.co.uk/
Hosting  : http://www.dogsbodyhosting.net/
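
The script asked about at the start of the thread, sketched as an added example (not code from any poster or from BlueQuartz): it counts dovecot "Aborted login" entries per rip= address in the maillog format quoted above and prints, for review, an iptables DROP command for each address at or over a threshold. The function names, the threshold argument and the sample log (documentation-range addresses, one entry per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are illustrative only.

# Constructed sample log. The last entry has a username carrying a fake
# "rip=" token, in case the logger writes client-supplied names unescaped.
write_sample() {
    cat > "$1" <<'EOF'
Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login: user=<bebe>, method=PLAIN, rip=203.0.113.83
Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login: user=<beatrice>, method=PLAIN, rip=203.0.113.83
Mar 15 14:22:54 blue92 dovecot: pop3-login: Aborted login: user=<becky>, method=PLAIN, rip=203.0.113.83
Mar 15 14:23:10 blue92 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7
Mar 15 14:23:30 blue92 dovecot: imap-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.7
Mar 15 14:24:01 blue92 dovecot: pop3-login: Aborted login: user=<x rip=198.51.100.7, y>, method=PLAIN, rip=203.0.113.83
EOF
}

# count_failures LOGFILE -> "count ip" lines, highest count first.
# user= is client-supplied and precedes rip= in this format, so only the
# last rip= token on each line is trusted.
count_failures() {
    awk '/dovecot: (pop3|imap)-login: Aborted login/ {
             ip = ""
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^rip=/) ip = $i
             sub(/^rip=/, "", ip); sub(/,$/, "", ip)
             if (ip != "") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# offenders LOGFILE THRESHOLD -> addresses with at least THRESHOLD failures.
offenders() {
    count_failures "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# block_rules LOGFILE THRESHOLD -> iptables commands, printed, never executed.
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        # Skip anything that is not purely digits and dots before it is
        # placed on a command line.
        case "$ip" in
            *[!0-9.]*|"") continue ;;
        esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}
```

After sourcing the file, `block_rules /var/log/maillog 20` prints the candidate rules; check the list for your own addresses and legitimate mail clients before applying any of them.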