Old 08-14-2012, 10:32 PM
Michelle Konzack
 
Massiv dictionary attacks from

Hello Atıf CEYLAN,

On 2012-08-14 14:51:17, you hacked down the following:
> You can use the fail2ban program or block the IP by iptables manually.
> I'm suggesting fail2ban. It's a login attempt counter.

And what do you suggest to do with customers who use my storage servers
as their mailstore and fetch all users by fetchmail?

Now I am puzzling around, because fail2ban blocks even normal logins if
they happen too fast...

Exactly: An enterprise uses the M$ Exchange server internally, but uses my
server as their mailserver, and it has 20-50 users to fetch (fetchmail).

The Exchange server does this every 10 minutes sequentially, but it is very
fast, as is my internet connectivity (1 GE), and checks 20 accounts without
any problems in less than 15 seconds. BANNED! :-S Not very funny!

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 
Old 08-15-2012, 12:12 AM
Pigeon
 
Massiv dictionary attacks from

On Wed, Aug 15, 2012 at 12:25:33AM +0200, Michelle Konzack wrote:
> Hello Gregor Hermens,
>
> On 2012-08-14 17:15:41, you hacked down the following:
> > On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> > > Fail2ban is a bad choice if you have customers who use this imap server.
> > why that? You just have to change the configuration to fit your needs, as with
> > every other software...
>
> How do you do this, if fail2ban does this by IP and you are on a
> dynamic IP like DSL or GSM?

fail2ban works by monitoring the log files for the application and
matching them against two sets of regexes, one to act on and one to
ignore. If it detects more than x forbidden actions in y seconds it
bans the originating IP for z seconds. You have a separate config file
for each combination of application and type of abuse. You can also
set up different actions to execute as a "ban" - it doesn't have to be
an iptables action, it can be anything executable.

Configuring it is basically a matter of configuring the logging
settings on the application you're monitoring to make sure that its
log entries contain enough information to distinguish between abusive
and non-abusive actions by means of matching against two sets of
regexes, creating a fail2ban config file containing appropriate
regexes, and choosing suitable values for x, y and z. It can be made
to consider many different kinds of activity as "abuse", not just
failed logins - I use it to block idiots in China who perform multiple
repeated downloads of the same large video file deliberately in order
to waste the decadent West's bandwidth. The main drawback with it is
that apart from the single count of forbidden actions for each IP, it
is stateless, so you can't write rules like "consider action A abusive
only if it is not preceded by action B". (At least not
straightforwardly; it is possible with some hacks eg. defining a
separate trigger corresponding to each element of the rule, whose
associated "ban action" stores/retrieves state.)

You could write three versions of the config file for a particular
kind of abuse - one which uses IP regex matching to blacklist
troublesome IP blocks and ban them aggressively, one which whitelists
IP blocks of customers and is lenient, and one of intermediate
severity to handle everything else. Or, if the application you're
monitoring has suitable white/blacklisting and logging facilities,
have the application tag its log entries to indicate a white- or
blacklisted IP/IP block, which is probably less computationally
expensive for non-trivial lists.

From what you say of the abuse pattern you're seeing, though, it may
well be possible to get away with a less complicated setup and simply
discriminate on the number of abuse records in a given time. As long
as the application you're monitoring creates sufficiently informative
log entries to distinguish between successful and unsuccessful login
attempts - which I suspect we can take as a given - it ought to be
easy to pick a figure which would be rapidly exceeded by a brute force
attack, but would still allow for enough mistyped/misremembered
password attempts for even a thoroughly inept genuine user.

--
Pigeon

Be kind to pigeons
Pigeon's Nest - http://pigeonsnest.co.uk/
Lucy Pinder Television - http://www.lucy-pinder.tv/
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
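Pigeon's description above (two regex sets, a count of x forbidden actions in y seconds, a ban of z seconds) as an added Python example; this is not fail2ban's own code nor anything posted in the thread. It replays constructed log lines through a sliding-window counter to show why 20 successful fetchmail logins in 15 seconds never count, while a dictionary attack does, and how an ignore regex exempts a customer's address block. The log format, IP addresses and jail values are assumptions.

```python
import re
from collections import defaultdict, deque

# Jail parameters in fail2ban's terms: ban after MAXRETRY matches within
# FINDTIME seconds (Pigeon's x and y). BANTIME (z) is not needed to decide
# whether a ban would fire, so it is only named here. Values are assumed.
MAXRETRY, FINDTIME, BANTIME = 5, 600, 3600

# Assumed (constructed) log format: "<timestamp> <dovecot-like message>".
# FAILREGEX matches only failed logins; a successful "Login:" line never matches.
FAILREGEX = re.compile(r"imap-login: Disconnected \(auth failed.*rip=(?P<ip>[\d.]+)")
# IGNOREREGEX exempts a whitelisted customer block (203.0.113.0/24 is a documentation range).
IGNOREREGEX = re.compile(r"rip=203\.0\.113\.")


def matches_to_ban(lines):
    """Return the set of IPs a jail with the settings above would ban."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = set()
    for line in lines:
        ts_str, _, rest = line.partition(" ")
        ts = float(ts_str)
        if IGNOREREGEX.search(rest):      # ignore set wins over the fail set
            continue
        m = FAILREGEX.search(rest)
        if not m:                         # successful logins fall out here
            continue
        q = window[m.group("ip")]
        q.append(ts)
        while q and ts - q[0] > FINDTIME:  # drop failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:
            banned.add(m.group("ip"))
    return banned


def sample_log():
    """Constructed sample: 20 successful fetches in ~14 s, a 6-failure
    dictionary attack in 60 s, 6 failures from a whitelisted block, and
    5 failures spread over 2 hours (too slow to reach maxretry)."""
    fail = "imap-login: Disconnected (auth failed, 1 attempts): user=<{u}>, rip={ip}"
    lines = [f"{1000 + 0.7 * i:.1f} imap-login: Login: user=<box{i}>, rip=198.51.100.7"
             for i in range(20)]
    lines += [f"{2000 + 10 * i} " + fail.format(u="admin", ip="192.0.2.66") for i in range(6)]
    lines += [f"{3000 + 10 * i} " + fail.format(u="bob", ip="203.0.113.9") for i in range(6)]
    lines += [f"{4000 + 1800 * i} " + fail.format(u="eve", ip="192.0.2.77") for i in range(5)]
    return lines
```

Running `matches_to_ban(sample_log())` yields only the attacker's address; the customer's 20 fast successful logins contribute nothing to any count.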
 
Old 08-15-2012, 05:28 AM
Gregor Hermens
 
Massiv dictionary attacks from

Hi Michelle,

On Wednesday, 15 August 2012, Michelle Konzack wrote:
> Exactly: An enterprise uses the M$ Exchange server internally, but uses my
> server as their mailserver, and it has 20-50 users to fetch (fetchmail).
>
> The Exchange server does this every 10 minutes sequentially, but it is very
> fast, as is my internet connectivity (1 GE), and checks 20 accounts without
> any problems in less than 15 seconds. BANNED! :-S Not very funny!

As these are successful logins, fail2ban just ignores them.

Cheers,
Gregor
--
@mazing fon +49 8142 6528665
Gregor Hermens fax +49 8142 6528669
Brucker Strasse 12 gregor.hermens@a-mazing.de
D-82216 Gernlinden http://www.a-mazing.de/


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201208150728.51018@office.a-mazing.net
 
Old 08-15-2012, 04:09 PM
Thomas Goirand
 
Massiv dictionary attacks from

On 08/15/2012 06:32 AM, Michelle Konzack wrote:
> Now I am puzzling around, because fail2ban blocks even normal logins if
> they happen too fast...

No, it doesn't (or it's really a misconfiguration).

Thomas


Archive: http://lists.debian.org/502BC9D3.5030708@debian.org