Linux Archive (http://www.linux-archive.org/) > Debian ISP > Massiv dictionary attacks from
(http://www.linux-archive.org/debian-isp/693843-massiv-dictionary-attacks-rackspace-com.html)

Michelle Konzack 08-14-2012 11:43 AM

Massiv dictionary attacks from
 
Hello Colleagues and *,

Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.

Currently I have counted over 18 million login attempts (dictionary
attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:54 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:47:59 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:04 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:14 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:16 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:19 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:19 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:20 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:21 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:25 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
<snip>
------------------------------------------------------------------------

I encountered this problem today, when I saw that the log size had increased
by a factor of 200! That means my daily mail.log is around 1.8 GByte!

Also since yesterday, I have been getting similar attacks from 3 other IPs in the USA.

Has anyone else encountered similar things?

Note: I am trying to reach a (personally known) FBI field officer
from New York, since I work for a PMC.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Andika Triwidada 08-14-2012 11:50 AM

On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
<linux4michelle@tamay-dogan.net> wrote:
>
> Hello Colleagues and *,
>
> Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
>
> Currently I have counted over 18 million login attempts (dictionary
> attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

Any reason not to use fail2ban or a similar tool to prevent those
brute-force attacks?

--
andika


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CANHSFsvd_-58hz=6i+Zs53VvJ3rjquGDTmRBvBUwwpJa7+mHqw@mail.gmail.com

Atıf CEYLAN 08-14-2012 11:51 AM

Hi,

You can use the fail2ban program, or block the IP with iptables manually.

I'm suggesting fail2ban. It's a login attempt counter.

On Tue, 2012-08-14 at 13:43 +0200, Michelle Konzack wrote:

> Hello Colleagues and *,
>
> Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
>
> Currently I have counted over 18 million login attempts (dictionary
> attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
> <snip>

--
M.Atıf CEYLAN
Yurdum Yazılım

green 08-14-2012 02:32 PM

Andika Triwidada wrote at 2012-08-14 06:50 -0500:
> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
> <linux4michelle@tamay-dogan.net> wrote:
> >
> > Hello Colleagues and *,
> >
> > Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
> >
> > Currently I have counted over 18 million login attempts (dictionary
> > attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
>
> Any reason not to use fail2ban or a similar tool to prevent those
> brute-force attacks?

I think fail2ban does not yet support IPv6; the iptables recent module might
do an adequate job without requiring extra software (limit the number of new
connection attempts from a specific IP per n seconds).

Jean-Christian BEDIER 08-14-2012 02:39 PM

Fail2ban is a bad choice if you have customers who use this IMAP server.

On 14 Aug 2012 18:32, green <greenfreedom10@gmail.com> wrote:

> Andika Triwidada wrote at 2012-08-14 06:50 -0500:
>> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
>> <linux4michelle@tamay-dogan.net> wrote:
>>>
>>> Hello Colleagues and *,
>>>
>>> Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
>>>
>>> Currently I have counted over 18 million login attempts (dictionary
>>> attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
>>
>> Any reason not to use fail2ban or a similar tool to prevent those
>> brute-force attacks?
>
> I think fail2ban does not yet support IPv6; the iptables recent module might
> do an adequate job without requiring extra software (limit the number of new
> connection attempts from a specific IP per n seconds).


Gregor Hermens 08-14-2012 03:15 PM

Hi,

On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> Fail2ban is a bad choice if you have customers who use this IMAP server.

Why that? You just have to change the configuration to fit your needs, as with
every other software...

Cheers,
Gregor
--
@mazing fon +49 8142 6528665
Gregor Hermens fax +49 8142 6528669
Brucker Strasse 12 gregor.hermens@a-mazing.de
D-82216 Gernlinden http://www.a-mazing.de/


Jean-Christian BEDIER 08-14-2012 04:16 PM

Yes, and thinking your customers never make any mistakes....

On 14 Aug 2012 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:

> Hi,
>
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
>> Fail2ban is a bad choice if you have customers who use this IMAP server.
>
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...
>
> Cheers,
> Gregor

Christian Hammers 08-14-2012 05:25 PM

Hello,

First of all, you can whitelist your own address ranges.

Second, one should keep in mind that even your own customers can catch a trojan
which brute-forces your mail server with hundreds of authentication requests per second.

To avoid WTF situations for your customers or the support desk, you can weaken the
thresholds a bit, maybe banning for only 5 min after 10 wrong tries within 10 s.
Someone who is just trying to remember what his password was is unlikely to type
fast enough to be caught then.

bye,

-christian-


On Tue, 14 Aug 2012 20:16:18 +0400
Jean-Christian BEDIER <maj@cannibalz.net> wrote:

> Yes, and thinking your customers never make any mistakes....
>
> On 14 Aug 2012 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:
>
> > Hi,
> >
> > On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> >> Fail2ban is a bad choice if you have customers who use this IMAP server.
> >
> > Why that? You just have to change the configuration to fit your needs, as with
> > every other software...
> >
> > Cheers,
> > Gregor
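Both green's suggestion (limit the number of new attempts from one IP per n seconds) and Christian's thresholds (whitelist your own ranges; ban for 5 min after 10 wrong tries within 10 s) come down to a sliding-window counter over the "LOGIN FAILED" lines of the mail.log excerpt in the first post. The following is an added example written for this page; it is neither fail2ban's code nor anything posted in the thread. It implements that counter over constructed log lines in the Courier imapd format shown above: the attacker address is the one from the thread, 198.51.100.7 and 192.0.2.5 are documentation addresses standing in for a customer and for an assumed whitelisted own range 192.0.2.0/24, and the year 2012 is assumed because syslog timestamps carry none. It also normalizes the ::ffff: IPv4-mapped form Courier logs for IPv4 clients, which is the form any filter or firewall rule has to match.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "LOGIN FAILED" lines of /var/log/mail.log as quoted in the thread.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: "
    r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def parse_ts(ts):
    """syslog timestamps carry no year; 2012 is assumed from the thread's dates."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2012).timestamp()


def normalize_ip(raw):
    """Courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); return a.b.c.d."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(addr)


class FailureBanPolicy:
    """fail2ban-style thresholds: ban for `bantime` seconds once `maxretry`
    failures from one IP fall within `findtime` seconds; `ignoreip` is never banned."""

    def __init__(self, maxretry=10, findtime=10, bantime=300, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.window = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.banned_until = {}            # ip -> ban expiry (epoch seconds)

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Feed one log line; return the IP if this line triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = normalize_ip(m["ip"])
        if self.is_ignored(ip):
            return None
        now = parse_ts(m["ts"])
        if self.banned_until.get(ip, 0) > now:
            return None  # already banned; nothing new to do
        hits = self.window[ip]
        hits.append(now)
        while hits and now - hits[0] > self.findtime:
            hits.popleft()  # slide the window forward
        if len(hits) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            hits.clear()
            return ip
        return None


def scan(lines, policy=None):
    """Run a policy over log lines in order; return the IPs banned, in ban order."""
    policy = policy or FailureBanPolicy(ignoreip=("192.0.2.0/24",))  # assumed own range
    return [ip for ip in map(policy.feed, lines) if ip]


def _line(hms, user, ip):
    return f"Aug 12 {hms} vserver04 imapd: LOGIN FAILED, user={user}, ip=[::ffff:{ip}]"


# Constructed sample: a dictionary attacker failing 10 times in 10 s, a customer
# mistyping 3 times over a minute, and a host in the whitelisted own range.
SAMPLE_LOG = sorted(
    [_line(f"19:48:0{i}", "aaron", "50.56.180.220") for i in range(10)]
    + [_line(t, "bob", "198.51.100.7") for t in ("19:48:01", "19:48:30", "19:49:10")]
    + [_line(f"19:50:{i:02d}", "admin", "192.0.2.5") for i in range(12)]
)

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print(f"ban {ip}")
```

With the default thresholds only the attacker crosses the line; the customer's three slow failures never do, and the whitelisted host is not counted at all, which is the point of Christian's remark about not catching someone who is merely trying to remember a password. Tightening the policy (for instance maxretry=3 over 120 s) does catch the customer, which illustrates the trade-off Jean-Christian and Michelle raise.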

Michelle Konzack 08-14-2012 10:23 PM

Hello Jean-Christian BEDIER,

On 2012-08-14 18:39:52, you hacked out the following:
> Fail2ban is a bad choice if you have customers who use this IMAP server.

Right, especially if you use two or more mutt instances...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Michelle Konzack 08-14-2012 10:25 PM

Hello Gregor Hermens,

On 2012-08-14 17:15:41, you hacked out the following:
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> > Fail2ban is a bad choice if you have customers who use this IMAP server.
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...

How do you do this, if fail2ban does this by IP and you are on a
dynamic IP like DSL or GSM?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
