Massive dictionary attacks from

Hello Colleagues and *,

since Sunday 19:47 CEST 18 of my servers are under heavy attack.

Currently I have counted over 18 million login attempts (dictionary
attack) with a list of 1005 names and started with IP <50.56.180.220>.

--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:54 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:47:59 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:04 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:14 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:16 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:19 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:19 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:20 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:21 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:25 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
<snip>
------------------------------------------------------------------------

I encountered this problem today, when I saw that the log size had
increased by a factor of 200! Meaning, my daily mail.log is around 1.8 GByte!

Also since yesterday, I get similar attacks from 3 other IPs from the USA.

Has anyone encountered similar things?

Note: I am trying to reach a (personally known) FBI field officer from
New York since I work a PMC.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet                    Jabber  linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3                  Tel office: +49-176-86004575
77694 Kehl                         Tel mobil:  +49-177-9351947
Germany                            Tel mobil:  +33-6-61925193 (France)
USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
Massive dictionary attacks from

On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
<linux4michelle@tamay-dogan.net> wrote:
>
> Hello Colleagues and *,
>
> since Sunday 19:47 CEST 18 of my servers are under heavy attack.
>
> Currently I have counted over 18 million login attempts (dictionary
> attack) with a list of 1005 names and started with IP <50.56.180.220>.

Any reason not to use fail2ban or any similar tool to prevent those
brute force attacks?

--
andika

--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CANHSFsvd_-58hz=6i+Zs53VvJ3rjquGDTmRBvBUwwpJa7+mHqw@mail.gmail.com
Massive dictionary attacks from

Hi,

you can use the fail2ban program or block the IP with iptables manually.
I'm suggesting fail2ban; it's a login attempt counter.

On Tue, 2012-08-14 at 13:43 +0200, Michelle Konzack wrote:
> Hello Colleagues and *,
>
> since Sunday 19:47 CEST 18 of my servers are under heavy attack.
>
> Currently I have counted over 18 million login attempts (dictionary
> attack) with a list of 1005 names and started with IP <50.56.180.220>.
>
> --[ '/var/log/mail.log' ]-----------------------------------------------
> Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
> Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
> ------------------------------------------------------------------------
>
> I encountered this problem today, when I saw that the log size had
> increased by a factor of 200! Meaning, my daily mail.log is around 1.8 GByte!
>
> Also since yesterday, I get similar attacks from 3 other IPs from the USA.
>
> Has anyone encountered similar things?
>
> Note: I am trying to reach a (personally known) FBI field officer from
> New York since I work a PMC.
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

--
M.Atıf CEYLAN
Yurdum Yazılım
Massive dictionary attacks from

Andika Triwidada wrote at 2012-08-14 06:50 -0500:
> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
> <linux4michelle@tamay-dogan.net> wrote:
> >
> > Hello Colleagues and *,
> >
> > since Sunday 19:47 CEST 18 of my servers are under heavy attack.
> >
> > Currently I have counted over 18 million login attempts (dictionary
> > attack) with a list of 1005 names and started with IP <50.56.180.220>.
>
> Any reason not to use fail2ban or any similar tool to prevent those
> brute force attacks?

I think fail2ban does not yet support IPv6; the iptables recent module might
do an adequate job without requiring extra software (limit the number of new
connection attempts from a specific IP per n seconds).
Massive dictionary attacks from

Fail2ban is a bad choice if you have customers who use this imap server.

On 14 Aug 2012 at 18:32, green <greenfreedom10@gmail.com> wrote:
> Andika Triwidada wrote at 2012-08-14 06:50 -0500:
>> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
>> <linux4michelle@tamay-dogan.net> wrote:
>>>
>>> Hello Colleagues and *,
>>>
>>> since Sunday 19:47 CEST 18 of my servers are under heavy attack.
>>>
>>> Currently I have counted over 18 million login attempts (dictionary
>>> attack) with a list of 1005 names and started with IP <50.56.180.220>.
>>
>> Any reason not to use fail2ban or any similar tool to prevent those
>> brute force attacks?
>
> I think fail2ban does not yet support IPv6; the iptables recent module might
> do an adequate job without requiring extra software (limit the number of new
> connection attempts from a specific IP per n seconds).

Archive: http://lists.debian.org/C0D8DE2B-CC84-4B14-B01E-13C04FC1B662@cannibalz.net
Massive dictionary attacks from

Hi,

On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> Fail2ban is a bad choice if you have customers who use this imap server.

Why that? You just have to change the configuration to fit your needs, as with
every other software...

Cheers,
Gregor

--
@mazing                        fon +49 8142 6528665
Gregor Hermens                 fax +49 8142 6528669
Brucker Strasse 12             gregor.hermens@a-mazing.de
D-82216 Gernlinden             http://www.a-mazing.de/

Archive: http://lists.debian.org/201208141715.42135@office.a-mazing.net
Massive dictionary attacks from

Yes, and thinking your customers never make any mistake....

On 14 Aug 2012 at 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:
> Hi,
>
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
>> Fail2ban is a bad choice if you have customers who use this imap server.
>
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...
>
> Cheers,
> Gregor

Archive: http://lists.debian.org/97C05EA3-993E-4D5B-B322-2E7CF6962FED@cannibalz.net
Massive dictionary attacks from

Hello

First of all, you can whitelist your own address ranges.

Second, one should keep in mind that even your own customers can catch a
trojan which brute forces your mail server with 100s of authentication
requests/s.

To avoid WTF situations for your customers or the support, you can weaken
the thresholds a bit. Maybe ban for only 5 min after 10 wrong tries within
10 s. Someone who just tries to remember what his password was is unlikely
to type fast enough to be caught then.

bye,
-christian-

On Tue, 14 Aug 2012 20:16:18 +0400
Jean-Christian BEDIER <maj@cannibalz.net> wrote:
> Yes, and thinking your customers never make any mistake....
>
> On 14 Aug 2012 at 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:
> > Hi,
> >
> > On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> >> Fail2ban is a bad choice if you have customers who use this imap server.
> >
> > Why that? You just have to change the configuration to fit your needs, as with
> > every other software...
> >
> > Cheers,
> > Gregor

Archive: http://lists.debian.org/20120814192508.527cc27b@sys-251.netcologne.de
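The threshold Christian proposes (ban for 5 min after 10 wrong tries within 10 s, with your own ranges whitelisted) and the per-IP counting green suggested earlier, worked through as an added example that is not from this thread or from fail2ban itself. It parses the imapd "LOGIN FAILED" lines quoted above; the sample log, the whitelist network 192.0.2.0/24 and the addresses other than the one named in the thread are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the imapd failure lines quoted in the thread; the ::ffff: IPv4-mapped prefix is dropped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ imapd: LOGIN FAILED, "
    r"user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)

def find_bans(lines, max_tries=10, window_s=10, ban_s=300, whitelist=("192.0.2.0/24",)):
    """Return {ip: [ban start, ...]}: max_tries failures within window_s => ban for ban_s."""
    nets = [ip_network(n) for n in whitelist]       # own ranges, never banned
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> time at which the ban lapses (like bantime)
    bans = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # Connection/Disconnected lines are not failures
        ip = m["ip"]
        if any(ip_address(ip) in n for n in nets):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        if ts < banned_until.get(ip, ts):
            continue              # already banned: do not count or re-ban
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # slide the window forward
        if len(q) >= max_tries:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=ban_s)
            q.clear()
    return dict(bans)

def _line(ts, user, ip):
    return f"Aug 12 {ts} vserver04 imapd: LOGIN FAILED, user={user}, ip=[::ffff:{ip}]"

# Constructed sample log: a 10-failure burst from the thread's IP, the same burst from a whitelisted address, a slow typist.
SAMPLE_LINES = sorted(
    [_line(f"19:48:{s:02d}", "aaron", "50.56.180.220") for s in range(10)]
    + [_line(f"19:48:{s:02d}", "abby", "192.0.2.5") for s in range(10)]
    + [_line(f"19:{m:02d}:00", "bob", "198.51.100.7") for m in range(40, 52)]
    + ["Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]"]
)

if __name__ == "__main__":
    print({ip: [t.strftime("%H:%M:%S") for t in s] for ip, s in find_bans(SAMPLE_LINES).items()})
```

With the defaults only the burst from 50.56.180.220 trips the ban (at 19:48:09); the slow user who fails once a minute never has 10 failures inside a 10 s window.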
Massive dictionary attacks from

Hello Jean-Christian BEDIER,

On 2012-08-14 18:39:52, you hacked out the following:
> Fail2ban is a bad choice if you have customers who use this imap server.

Right, especially if you use two or more mutt instances...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Massive dictionary attacks from

Hello Gregor Hermens,

On 2012-08-14 17:15:41, you hacked out the following:
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> > Fail2ban is a bad choice if you have customers who use this imap server.
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...

How do you do this, if fail2ban does this by IP and you are on a dynamic IP
like DSL or GSM?

Thanks, Greetings and nice Day/Evening
Michelle Konzack