
Date:  Sat, 17 Mar 2007 07:41:35 -0700
From:  "Adam Crews" <adam.crews (at mark) gmail.com>
Subject:  [coba-e:09218] Re: dictionary attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <1486c6440703170741r623b0386td50cfbf02e5fb6a9 (at mark) mail.gmail.com>
In-Reply-To:  <45FACE95.3030605 (at mark) dogsbody.org>
References:  <200703161315.l2GDFD5q027868 (at mark) bugs.northernweb.net>	 <45FACE95.3030605 (at mark) dogsbody.org>
X-Mail-Count: 09218

Most of the blocking programs look for bad userids from the logs.
For example, sshdfilter that I use watches for an unknown user, and
immediately blocks if one is found.  This rule could apply to any
protocol.  If the user is unknown, they should be blocked.  Further, if
a known user has their password tried more than 6 times in a minute,
that IP is blocked.  This should protect from a user that can't
remember their password.

You could set the block time to be something small such as 2 minutes,
and this would be sufficient to kill any dictionary attack, but still
not be too inconvenient for users that habitually forget their
passwords.  Even if a dictionary attack tries again after 2 minutes,
it will be slowed down to the point where it's probably not worth
running against your server, and the script kiddies will move on.

Something like http://secwatch.sourceforge.net/v0.3/ is what will do
the trick, however I have not yet used this one.

-Adam

On 3/16/07, Dogsbody <dan (at mark) dogsbody.org> wrote:
>
> FTP shouldn't be a problem, that should be the same as SSH.
>
> It's only POP3 & IMAP I am unsure of as they make multiple connections
> by design I believe??
>
> Dan
>
>
> On 03/16/07 13:15, Bill Berg was seen to have typed:
> > How about a ruleset for FTP attacks as well. That is what
> > we get hit with the most.
> >
> >
> > Bill Berg
> > Northern Webworks
> > 715-627-0400 or 1-866-572-1333
> >
> > -----Original Message-----
> > From: Dogsbody [mailto:dan (at mark) dogsbody.org]
> > Sent: Friday, March 16, 2007 5:47 AM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:09203] Re: dictionary attack
> >
> >
> > I would like to write an IPtables ruleset for this.  I have already done it
> > with SSH which works great but I'm unsure of connections for POP3 and IMAP
> > as I believe users make multiple connections to the server by default??
> >
> > Is there a maximum for the number of connections a user makes to POP3 or
> > IMAP?
> > Actually it would be the number of simultaneous *new* connections so that a
> > rule could be set of no more than perhaps 10 new connections in 10 seconds!?
> >
> > Dan
> >
> >
> > Darrell D. Mobley wrote:
> >> That same thing happened to me. Fortunately, I was nearby and saw it
> >> come on.  I dropped the IP address in iptables and that took care of
> >> that one, but some more automated feature would be nice because
> >> dovecot and PAM don't appreciate dictionary attacks.
> >>
> >> *From:* Ken Marcus - Precision Web Hosting, Inc.
> >> [mailto:kenmarcus (at mark) precisionweb.net]
> >> *Sent:* Thursday, March 15, 2007 6:08 PM
> >> *To:* coba-e (at mark) bluequartz.org
> >> *Subject:* [coba-e:09193] dictionary attack
> >>
> >> Does anyone know of a good scripts for blocking IPs with too many
> >> authentication failures.
> >>
> >> 6128  attempts from this one IP.
> >>
> >>  cat  /var/log/maillog | grep 99.72.131.83 -c
> >> 6128
> >>
> >> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login:
> >> user=<bebe>, method=PLAIN, rip=199.72.131.83
> >>
> >> Mar 15 14:22:53 blue92 dovecot: pop3-login: Aborted login:
> >> user=<beatrice>, method=PLAIN, rip=199.72.131.83
> >>
> >> ----
> >>
> >> Ken Marcus
> >>
> >> Precision Web Hosting, Inc.
> >>
> >> http://www.precisionweb.net
> >>
> >
> > --
> > Personal : http://www.dogsbody.org/
> > Skating  : http://www.cskate.co.uk/
> > Hosting  : http://www.dogsbodyhosting.net/
> >
> >
>
> --
> Personal : http://www.dogsbody.org/
> Skating  : http://www.cskate.co.uk/
> Hosting  : http://www.dogsbodyhosting.net/
>
>


-- 
-----------------------------------------------------------------
Shroom.net Donation Based Web Hosting
http://www.shroom.net/
-----------------------------------------------------------------
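Added example (not from this thread, and not sshdfilter or secwatch code): a small Python sketch of the log-driven policy Adam describes, run over constructed dovecot "Aborted login" lines of the shape Ken posted. An attempt for an unknown user blocks the source IP at once; more than 6 failures within a minute blocks it too; a block lasts 2 minutes and then expires. It goes one step beyond the thread in counting the known-user failures per source IP rather than per user, which is at least as strict and also catches a scan that cycles through valid names. The known-user list, the TEST-NET addresses, the year 2007 assumed for the syslog timestamps and the iptables command shape are all assumptions; the iptables command is only produced as a string, never executed.

```python
"""Log-driven blocker following the policy described in the thread (added
example; not sshdfilter or secwatch code).  Reads dovecot 'Aborted login'
lines and decides when a source IP would be dropped:
  * unknown user -> block immediately;
  * more than MAX_FAILURES failures from one IP within WINDOW seconds -> block;
  * a block expires after BLOCK_SECONDS, so forgetful users are locked out briefly.
Log lines, user list and addresses below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = 60          # seconds: "more than 6 times in a minute"
MAX_FAILURES = 6
BLOCK_SECONDS = 120  # the 2-minute block suggested in the thread
LOG_YEAR = 2007      # assumed: syslog timestamps carry no year

# Shape of the dovecot pop3-login / imap-login lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Aborted login: user=<(?P<user>[^>]*)>, method=[^,]+, rip=(?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return (timestamp, user, ip), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class Blocker:
    def __init__(self, known_users):
        self.known = set(known_users)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime the block expires
        self.events = []                    # (timestamp, ip, reason) per block

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired; forget it
            del self.blocked_until[ip]
            return False
        return True

    def _block(self, ip, now, reason):
        self.blocked_until[ip] = now + timedelta(seconds=BLOCK_SECONDS)
        self.failures.pop(ip, None)
        self.events.append((now, ip, reason))

    def feed(self, line):
        """Apply the policy to one log line; returns the decision taken."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, user, ip = parsed
        if self.is_blocked(ip, ts):
            return "already-blocked"        # iptables would already drop this
        if user not in self.known:
            self._block(ip, ts, f"unknown user {user!r}")
            return "blocked"
        recent = self.failures[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > WINDOW:
            recent.popleft()                # drop failures older than the window
        if len(recent) > MAX_FAILURES:
            self._block(ip, ts, f"{len(recent)} failures in {WINDOW}s")
            return "blocked"
        return "counted"


def iptables_commands(events):
    """Assumed rule shape (real tools usually use their own chain); never executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for _, ip, _ in events]


def _line(hhmmss, svc, user, ip):
    return (f"Mar 15 {hhmmss} blue92 dovecot: {svc}-login: Aborted login: "
            f"user=<{user}>, method=PLAIN, rip={ip}")


# Constructed log: a name scan, a spray against one known user, and a
# forgetful legitimate user whose failures are spread over two minutes.
SAMPLE_LOG = (
    [_line("14:22:53", "pop3", "bebe", "203.0.113.7"),
     _line("14:22:54", "pop3", "beatrice", "203.0.113.7"),
     _line("14:25:00", "pop3", "alice", "203.0.113.7")]   # block has expired by now
    + [_line(f"14:30:{s:02d}", "imap", "alice", "198.51.100.4") for s in range(0, 35, 5)]
    + [_line(f"14:40:{s:02d}", "pop3", "bob", "192.0.2.9") for s in (0, 5, 10)]
    + [_line(f"14:42:{s:02d}", "pop3", "bob", "192.0.2.9") for s in (0, 5, 10)]
)
KNOWN_USERS = ("alice", "bob", "ken")


def run(lines=SAMPLE_LOG, known_users=KNOWN_USERS):
    """Feed every line through the policy; returns (block events, per-line decisions)."""
    blocker = Blocker(known_users)
    decisions = [blocker.feed(line) for line in lines]
    return blocker.events, decisions


if __name__ == "__main__":
    events, _ = run()
    for ts, ip, reason in events:
        print(f"{ts:%H:%M:%S} block {ip}: {reason}")
    print("\n".join(iptables_commands(events)))
```

Running it blocks 203.0.113.7 on the first unknown name and 198.51.100.4 on its seventh failure inside the minute, while bob's six failures spread over two minutes never trip the rule; the 14:25:00 attempt from 203.0.113.7 shows the 2-minute block expiring. A real deployment would tail the log continuously and keep the expiry timer outside the process so blocks survive a restart.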