> By popular demand the issue is back......
>
> Apr 18 08:45:07 srv1 dovecot: pop3-login: Aborted login: rip=127.0.0.1,
> lip=127.0.0.1, secured
> Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<test>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<sales>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<root>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:15 srv1 dovecot: pop3-login: Aborted login: user=<contact>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:17 srv1 dovecot: pop3-login: Aborted login: user=<account>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:17 srv1 dovecot: pop3-login: Aborted login: user=<root>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:17 srv1 dovecot: pop3-login: Aborted login: user=<test>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:17 srv1 dovecot: pop3-login: Aborted login: user=<sales>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:17 srv1 dovecot: pop3-login: Aborted login: user=<support>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> Apr 18 08:45:19 srv1 dovecot: pop3-login: Aborted login:
> user=<administrator>, method=PLAIN, rip=81.18.67.70, lip=
>
> After a bunch more of these the server stopped responding.
I emailed the guy from http://www.rfxnetworks.com/bfd.php
He said he would add a dovecot rules module (sometime).
For now my crude attempt at blocking the password guessing robots is to run
the untested script below:
It checks the last 500 lines of the maillog, if there are more than 50 bad
logins, then it checks to see if more
than 30 are from the 1st IP it finds. If so, it will add them to the apf
firewall deny file,
and also add a route to reject them (until a reboot).
Hopefully there is no bad logic in it that will lock you out of your server.
There is probably a really elegant way to do this, but I could not find it
in my perl for dummies book.
#!/usr/bin/perl
use strict;
use warnings;
#################################################################
# checks the maillog for too many aborted logins
#################################################################
# manual equivalent: grep -c "Aborted login" /var/log/maillog
my $serverdomain = "yourserver.com";
my $mailprog     = '/usr/sbin/sendmail';
my $sendto       = 'alert@youremailaddress.com';   # single quotes: "@" must not interpolate
my $problem      = "no";
my $badipcount   = 0;
my $badip        = "";

my $count = `tail -500 /var/log/maillog | grep "Aborted login" -c`;
chomp($count);
if ($count > 50) {
    $problem = "yes";
}

if ($problem eq "yes") {
    print "pop login problem \n";
    my @badiplist = `tail -500 /var/log/maillog | grep "Aborted login" | grep -v "127.0.0.1"`;

    # take the remote address (rip=...) from the first offending line;
    # splitting on "=" only worked for lines that also carry a user=<...> field
    if (@badiplist and $badiplist[0] =~ /rip=(\d+\.\d+\.\d+\.\d+)/) {
        $badip = $1;
    }

    foreach my $line (@badiplist) {
        # \Q...\E makes the dots in the address match literally
        if ($badip ne "" and $line =~ /rip=\Q$badip\E/) {
            $badipcount += 1;
            #print "the line in badiplist is $line";
        }
    }

    # never block our own range (65.58.240.x here; change to yours)
    if ( ($badipcount > 30) and ($badip !~ /^65\.58\.240\./) ) {
        print "conditions met\n";
        open(APFFIL, ">>", "/etc/apf/deny_hosts.rules")
            or die "Can't open /etc/apf/deny_hosts.rules: $!\n";
        print APFFIL "#line below added by this perl script\n";
        print APFFIL "$badip\n";
        close(APFFIL);
        system("/etc/rc.d/init.d/apf restart");
        system("/sbin/route add -host $badip reject");
    }

    open(MAIL, "|$mailprog -t") or die "Can't open $mailprog: $!\n";
    print MAIL "From: $sendto\n";
    print MAIL "Reply-To: $sendto\n";
    print MAIL "To: $sendto\n";
    print MAIL "Subject: Too many aborted pop logins on $serverdomain\n\n";
    print MAIL "Error with $serverdomain\n";
    print MAIL "I will try to do this on the server using the lines below but please check it.\n";
    print MAIL 'echo "#line below by me" >> /etc/apf/deny_hosts.rules' . "\n";
    print MAIL "echo \"$badip\" >> /etc/apf/deny_hosts.rules \n";
    print MAIL "/etc/rc.d/init.d/apf restart \n";
    print MAIL "/sbin/route add -host $badip reject\n";
    my $logentries = `tail -500 /var/log/maillog | grep "Aborted login" | grep -v "127.0.0.1"`;
    print MAIL "The log entries are \n\n $logentries \n";
    close(MAIL);
}
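The two thresholds described in the post (more than 50 aborted logins in the last 500 lines, more than 30 of them from one address), as an added example that is not part of the original post or the script above. It goes one step further than the script by tallying every rip= address rather than only the first one found, so it also catches a scan spread over several hosts, and it handles "Aborted login" lines that carry no user=<...> field. The sample log lines are constructed; the whitelist prefix is an assumption to be replaced with your own range.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the dovecot entries quoted above.
SAMPLE_LOG = """\
Apr 18 08:45:07 srv1 dovecot: pop3-login: Aborted login: rip=127.0.0.1, lip=127.0.0.1, secured
Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<sales>, method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
Apr 18 08:45:14 srv1 dovecot: pop3-login: Aborted login: user=<root>, method=PLAIN, rip=198.51.100.9, lip=10.5.36.4
Apr 18 08:45:15 srv1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=10.5.36.4
"""

# Only the rip= field is required, so lines without user=<...> are counted too.
ABORTED_RE = re.compile(r"Aborted login:.*\brip=(\d{1,3}(?:\.\d{1,3}){3})")


def tally_aborted_logins(lines, ignore=("127.0.0.1",)):
    """Count 'Aborted login' entries per remote address, skipping ignored ones."""
    counts = Counter()
    for line in lines:
        m = ABORTED_RE.search(line)
        if m and m.group(1) not in ignore:
            counts[m.group(1)] += 1
    return counts


def offenders(lines, total_threshold=50, per_ip_threshold=30, whitelist_prefixes=()):
    """Addresses over per_ip_threshold, checked only once the log as a whole
    exceeds total_threshold (the post's 50 / 30 rule).
    whitelist_prefixes: e.g. ("65.58.240.",) for your own range (assumed value)."""
    counts = tally_aborted_logins(lines)
    if sum(counts.values()) <= total_threshold:
        return []
    return sorted(ip for ip, n in counts.items()
                  if n > per_ip_threshold and not ip.startswith(whitelist_prefixes))


if __name__ == "__main__":
    # Run with low thresholds so the constructed sample triggers a hit.
    sample = SAMPLE_LOG.splitlines()
    print(tally_aborted_logins(sample))
    print(offenders(sample, total_threshold=2, per_ip_threshold=1))
```

Feed it `tail -500 /var/log/maillog` with the default thresholds to reproduce the post's rule; the returned list is what you would add to the apf deny file.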