pop3 attack
On Tue, Dec 9, 2008 at 4:26 PM, James Pifer <jep@obrien-pifer.com> wrote:
> Thanks to all. For now I've stopped it using iptables. I tried stopping
> it at my router without success, yet another reason to replace it! I
> will also report it to abuse@covad.net.

Great. Scott can tell you whether or not if you switch to IPCop as your Firewall/Router, that would stop it. As I recall, IPCop considers things originating within your LAN OK, and things from outside as suspicious.
pop3 attack
IPCop won't stop it. It will let you put a firewall rule in to block them, but you can do that with regular iptables.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Lanny Marcus
Sent: Tuesday, December 09, 2008 6:12 PM
To: CentOS mailing list
Subject: Re: [CentOS] pop3 attack

On Tue, Dec 9, 2008 at 4:26 PM, James Pifer <jep@obrien-pifer.com> wrote:
> Thanks to all. For now I've stopped it using iptables. I tried stopping
> it at my router without success, yet another reason to replace it! I
> will also report it to abuse@covad.net.

Great. Scott can tell you whether or not if you switch to IPCop as your Firewall/Router, that would stop it. As I recall, IPCop considers things originating within your LAN OK, and things from outside as suspicious.
pop3 attack
on 12-9-2008 3:11 PM Lanny Marcus spake the following:
> On Tue, Dec 9, 2008 at 4:26 PM, James Pifer <jep-2I/IFv/jpUMre736sURT7g@public.gmane.org> wrote:
>> Thanks to all. For now I've stopped it using iptables. I tried stopping
>> it at my router without success, yet another reason to replace it! I
>> will also report it to abuse@covad.net.
>
> Great. Scott can tell you whether or not if you switch to IPCop as
> your Firewall/Router, that would stop it. As I recall, IPCop considers
> things originating within your LAN OK, and things from outside as
> suspicious.

I don't run my servers through IPCop. It is just for internet access and office to office tunnels. It is a lot easier to set up and do things than the Siemens T1 router I am stuck with at the demark. Its firewall language seems just different enough to give me fits when I use it. And I don't hose everything with one fat-fingered typo.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
pop3 attack
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
> Once the cracker finds an account with a guessable password, they may well
> be able to get access to your system as that user via ssh, webmin, usermin,
> or other means. Given shell access, the cracker can install user-level IRC
> servers or gain root access via exploits that only work for local users. I
> have seen cases where crackers were able to change user shells and other
> information via usermin or webmin by exploiting vulnerabilities in system
> utilities thus gaining access to the system.

You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:

    # Only let Fred Guru and Joe Admin in, block anyone
    # else even if they have a valid password.
    AllowUsers fred joe

And you should also set "PermitRootLogin no" while you are in sshd_config.

Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)

--Chris
pop3 attack
On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva <ssilva@sgvwater.com> wrote:
> on 12-9-2008 3:11 PM Lanny Marcus spake the following:
<snip>
> I don't run my servers through IPCop. It is just for internet access and
> office to office tunnels. It is a lot easier to set up and do things than the
> Siemens T1 router I am stuck with at the demark. Its firewall language seems
> just different enough to give me fits when I use it. And I don't hose
> everything with one fat-fingered typo.

And the folks who wrote the Proprietary Language for your T1 Router thought that it was perfect. :-)
pop3 attack
on 12-9-2008 4:06 PM Lanny Marcus spake the following:
> On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva <ssilva-m4n3GYAQT2lWk0Htik3J/w@public.gmane.org> wrote:
>> on 12-9-2008 3:11 PM Lanny Marcus spake the following:
> <snip>
>> I don't run my servers through IPCop. It is just for internet access and
>> office to office tunnels. It is a lot easier to set up and do things than the
>> Siemens T1 router I am stuck with at the demark. Its firewall language seems
>> just different enough to give me fits when I use it. And I don't hose
>> everything with one fat-fingered typo.
>
> And the folks who wrote the Proprietary Language for your T1 Router
> thought that it was perfect. :-)

I think they thought it was perfect for their bottom line so they could sell support. Either way, it works so corporate won't replace it. And with the economic slowdown the way it is, it is one battle I'm not going to fight right now.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
pop3 attack
On Tue, Dec 09, 2008, Chris Boyd wrote:
>
>On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
>
>> Once the cracker finds an account with a guessable password, they may well
>> be able to get access to your system as that user via ssh, webmin, usermin,
>> or other means. Given shell access, the cracker can install user-level IRC
>> servers or gain root access via exploits that only work for local users. I
>> have seen cases where crackers were able to change user shells and other
>> information via usermin or webmin by exploiting vulnerabilities in system
>> utilities thus gaining access to the system.
>
>You can keep compromised accounts from logging in via ssh with the
>"AllowUsers" option in your /etc/ssh/sshd_config file. Add that
>option followed by a list of user names that you want to be able to
>log in, ex:

By the time you know the user has been compromised, it's too late.

We normally don't allow password authentication with ssh, requiring authorized_keys. In the cases where we have to allow password authentication, we severely restrict ssh access using the /etc/hosts.allow file.

Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Basic Definitions of Science:
If it's green or wiggles, it's biology.
If it stinks, it's chemistry.
If it doesn't work, it's physics.
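An added example, not part of any post in this thread: a Python check of an sshd_config against the advice in the messages above (AllowUsers, "PermitRootLogin no", keys instead of passwords). The sample config is constructed and the function names are hypothetical; it shows why a hardening line appended at the end of the file can have no effect.

```python
import re

# Constructed sample config (not from a real host), built on the snippet in the thread.
SAMPLE = """\
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
PermitRootLogin no
PasswordAuthentication yes
# Appended later by an admin; no effect, the earlier line already set the value.
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

def global_settings(text):
    """Return effective global settings: everything before the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key == "allowusers":
            settings.setdefault(key, []).extend(value.split())  # lists accumulate
        else:
            settings.setdefault(key, value.lower())  # first value obtained wins
    return settings

def audit(text):
    """List deviations from the thread's advice; unset options count as findings."""
    s = global_settings(text)
    findings = []
    if not s.get("allowusers"):
        findings.append("AllowUsers not set: every account with a valid password can log in")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not explicitly 'no': guessed passwords still work")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Running `sshd -t` checks the file's syntax before the restart, which complements the test login recommended above.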
pop3 attack
Chris Boyd wrote:
>
> You can keep compromised accounts from logging in via ssh with the
> "AllowUsers" option in your /etc/ssh/sshd_config file. Add that
> option followed by a list of user names that you want to be able to
> log in, ex:
>
> # Only let Fred Guru and Joe Admin in, block anyone
> # else even if they have a valid password.
> AllowUsers fred joe
>
> And you should also set "PermitRootLogin no" while you are in
> sshd_config.
>
> Be sure to do a "service sshd restart" after you change the file, and
> do a test login _before_ you log out of your current session. Saves
> cursing and late night drives to remote servers in case sshd barfs
> somehow :-)
>
> --Chris
>

Nice tip - AllowUsers added to the Wiki page on securing SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

Thanks!

Ned
pop3 attack
On Tue, Dec 9, 2008 at 7:17 PM, Scott Silva <ssilva@sgvwater.com> wrote:
> on 12-9-2008 4:06 PM Lanny Marcus spake the following:
>> On Tue, Dec 9, 2008 at 6:33 PM, Scott Silva <ssilva-m4n3GYAQT2lWk0Htik3J/w@public.gmane.org> wrote:
>>> on 12-9-2008 3:11 PM Lanny Marcus spake the following:
>> <snip>
>> And the folks who wrote the Proprietary Language for your T1 Router
>> thought that it was perfect. :-)
> I think they thought it was perfect for their bottom line so they could sell
> support.

If it is not user friendly, they sell more support to the end users and make more $.

> Either way, it works so corporate won't replace it.

If it ain't broke, don't fix it.

> And with the
> economic slowdown the way it is, it is one battle I'm not going to fight right
> now.

Amen...
pop3 attack
2008/12/9 James Pifer <jep@obrien-pifer.com>:
> I was looking at my maillog and it looks like someone is trying to get
> into my pop3 server.
>
> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2

Do you really need pop3 exposed in the internet? You better open it only on localhost, and use a ssh channel to access it. Do not use ssh password authentication, but keys.
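An added example, not part of any post in this thread: a Python sketch of the detection step behind the iptables block mentioned earlier, which counts dovecot "Aborted login" entries per remote address and prints a DROP rule for each noisy source. The log lines are constructed in the format of the one quoted above; the threshold, the trusted ranges, plain POP3 on tcp/110 and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format of the entry quoted above; the
# 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 9 15:28:51 mailserver dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.168.1.2
Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.168.1.2
Dec 9 15:28:57 mailserver dovecot: pop3-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:192.168.1.2
Dec 9 15:29:10 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2
Dec 9 15:29:12 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2
Dec 9 15:29:15 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2
Dec 9 15:30:02 mailserver dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=::ffff:198.51.100.9, lip=::ffff:192.168.1.2
Dec 9 15:30:40 mailserver dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=::ffff:198.51.100.9, lip=::ffff:192.168.1.2
"""

ABORTED = re.compile(r"dovecot: pop3-login: Aborted login: user=<([^>]*)>.*?\brip=([0-9A-Fa-f:.]+)")
# Assumption: the LAN seen in lip= above plus loopback are trusted and never blocked.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]

def normalize(rip):
    """Turn dovecot's IPv4-mapped form (::ffff:a.b.c.d) into a plain IPv4 address."""
    addr = ipaddress.ip_address(rip)
    return getattr(addr, "ipv4_mapped", None) or addr

def failed_logins(log_text):
    """Map each remote address to the usernames it tried in aborted logins."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ABORTED.search(line)
        if not m:
            continue
        try:
            seen[normalize(m.group(2))].append(m.group(1))
        except ValueError:
            continue  # unparsable rip= value: skip the line
    return seen

def block_rules(log_text, threshold=3):
    """Return iptables commands as text (nothing is executed) for noisy untrusted IPv4 sources."""
    rules = []
    for addr, users in sorted(failed_logins(log_text).items(), key=lambda kv: str(kv[0])):
        if addr.version == 4 and len(users) >= threshold and not any(addr in net for net in TRUSTED):
            rules.append(f"iptables -I INPUT -s {addr} -p tcp --dport 110 -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

The LAN client with three mistyped passwords is left alone because its address is in the trusted list, and the single failure followed by a successful login stays under the threshold.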