Old 08-14-2012, 11:43 AM
Michelle Konzack
 
Massive dictionary attacks from

Hello Colleagues and *,

Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.

Currently I have counted over 18 million login attempts (dictionary
attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:54 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:47:59 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:04 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:14 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:16 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:19 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:19 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:20 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:21 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:25 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
<snip>
------------------------------------------------------------------------

I encountered this problem today, when I saw that the log size had increased
by a factor of 200! That means my daily mail.log is around 1.8 GByte!

Also since yesterday, I get similar attacks by 3 other IPs from the USA.

Has anyone encountered similar things?

Note: I am trying to reach a (personally known) FBI field officer
from New York, since I work for a PMC.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 
Old 08-14-2012, 11:50 AM
Andika Triwidada
 
Massive dictionary attacks from

On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
<linux4michelle@tamay-dogan.net> wrote:
>
> Hello Colleagues and *,
>
> Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
>
> Currently I have counted over 18 million login attempts (dictionary
> attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

Any reason not to use fail2ban or any similar tool to prevent those
brute force attacks?

--
andika


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CANHSFsvd_-58hz=6i+Zs53VvJ3rjquGDTmRBvBUwwpJa7+mHqw@mail.gmail.com
 
Old 08-14-2012, 11:51 AM
Atıf CEYLAN
 
Massive dictionary attacks from

Hi,

You can use the fail2ban program or block the IP manually with iptables.

I'm suggesting fail2ban. It's a login attempt counter.



On Tue, 2012-08-14 at 13:43 +0200, Michelle Konzack wrote:


Hello Colleagues and *,

Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.

Currently I have counted over 18 million login attempts (dictionary
attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
------------------------------------------------------------------------

I encountered this problem today, when I saw that the log size had increased
by a factor of 200! That means my daily mail.log is around 1.8 GByte!

Also since yesterday, I get similar attacks by 3 other IPs from the USA.

Has anyone encountered similar things?

Note: I am trying to reach a (personally known) FBI field officer
from New York, since I work for a PMC.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--

M.Atıf CEYLAN

Yurdum Yazılım
 
Old 08-14-2012, 02:32 PM
green
 
Massive dictionary attacks from

Andika Triwidada wrote at 2012-08-14 06:50 -0500:
> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
> <linux4michelle@tamay-dogan.net> wrote:
> >
> > Hello Colleagues and *,
> >
> > Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
> >
> > Currently I have counted over 18 million login attempts (dictionary
> > attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
>
> Any reason not to use fail2ban or any similar tool to prevent those
> brute force attacks?

I think fail2ban does not yet support IPv6; the iptables recent module might
do an adequate job without requiring extra software (limit the number of new
connection attempts from a specific IP per n seconds).
 
Old 08-14-2012, 02:39 PM
Jean-Christian BEDIER
 
Massive dictionary attacks from

Fail2ban is a bad choice if you have customers who use this imap server.



On 14 August 2012 18:32, green <greenfreedom10@gmail.com> wrote:

> Andika Triwidada wrote at 2012-08-14 06:50 -0500:
>> On Tue, Aug 14, 2012 at 6:43 PM, Michelle Konzack
>> <linux4michelle@tamay-dogan.net> wrote:
>>>
>>> Hello Colleagues and *,
>>>
>>> Since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
>>>
>>> Currently I have counted over 18 million login attempts (dictionary
>>> attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
>>
>> Any reason not to use fail2ban or any similar tool to prevent those
>> brute force attacks?
>
> I think fail2ban does not yet support ipv6; the iptables recent module might
> do an adequate job without requiring extra software (limit number of new
> connection attempts from a specific IP per n seconds).


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/C0D8DE2B-CC84-4B14-B01E-13C04FC1B662@cannibalz.net
 
Old 08-14-2012, 03:15 PM
Gregor Hermens
 
Massive dictionary attacks from

Hi,

On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> Fail2ban is a bad choice if you have customers who use this imap server.

Why that? You just have to change the configuration to fit your needs, as with
every other software...

Cheers,
Gregor
--
@mazing fon +49 8142 6528665
Gregor Hermens fax +49 8142 6528669
Brucker Strasse 12 gregor.hermens@a-mazing.de
D-82216 Gernlinden http://www.a-mazing.de/


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201208141715.42135@office.a-mazing.net
 
Old 08-14-2012, 04:16 PM
Jean-Christian BEDIER
 
Massive dictionary attacks from

Yes, and that assumes your customers never make any mistake....



On 14 August 2012 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:

> Hi,
>
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
>> Fail2ban is a bad choice if you have customers who use this imap server.
>
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...
>
> Cheers,
> Gregor
> --
> @mazing fon +49 8142 6528665
> Gregor Hermens fax +49 8142 6528669
> Brucker Strasse 12 gregor.hermens@a-mazing.de
> D-82216 Gernlinden http://www.a-mazing.de/
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/201208141715.42135@office.a-mazing.net
>


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/97C05EA3-993E-4D5B-B322-2E7CF6962FED@cannibalz.net
 
Old 08-14-2012, 05:25 PM
Christian Hammers
 
Massive dictionary attacks from

Hello

First of all, you can whitelist your own address ranges.

Second, one should keep in mind that even your own customers can catch a trojan
which brute-forces your mail server with 100s of authentication requests/s.

To avoid WTF situations for your customers or the support, you can weaken the
thresholds a bit. Maybe to ban for only 5 min after 10 wrong tries within 10 s.
Someone who is just trying to remember what his password was will be unlikely to
type fast enough to be caught then.

bye,

-christian-


On Tue, 14 Aug 2012 20:16:18 +0400
Jean-Christian BEDIER <maj@cannibalz.net> wrote:

> Yes and thinking your customer never do any fault....
>
>
>
> On 14 August 2012 19:15, Gregor Hermens <gregor.hermens@a-mazing.de> wrote:
>
> > Hi,
> >
> > On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> >> Fail2ban is a bad choice if you have customers who use this imap server.
> >
> > Why that? You just have to change the configuration to fit your needs, as with
> > every other software...
> >
> > Cheers,
> > Gregor
> > --
> > @mazing fon +49 8142 6528665
> > Gregor Hermens fax +49 8142 6528669
> > Brucker Strasse 12 gregor.hermens@a-mazing.de
> > D-82216 Gernlinden http://www.a-mazing.de/
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > Archive: http://lists.debian.org/201208141715.42135@office.a-mazing.net
> >
>
>


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120814192508.527cc27b@sys-251.netcologne.de
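As an added illustration (not code from the thread, from fail2ban, or from any poster), this is the per-IP window green attributes to the iptables recent module and the thresholds Christian proposes (10 failures within 10 s, ban for 5 min, own ranges whitelisted), applied in Python to the imapd log format quoted at the top of the thread. The log lines and all addresses are constructed TEST-NET samples, and the regex assumes the Courier imapd "LOGIN FAILED" line shape shown above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Courier imapd failure line as quoted in the thread; "::ffff:" is the IPv4-mapped prefix.
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: LOGIN FAILED, "
                       r"user=\S+, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]")
class LoginBanner:
    """Sliding window: maxretry failures within findtime seconds bans the IP for bantime seconds."""
    def __init__(self, maxretry=10, findtime=10, bantime=300, ignore_nets=()):
        self.maxretry, self.findtime, self.bantime = maxretry, timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignore_nets]  # own ranges, never banned
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                    # ip -> ban expiry

    def observe(self, ts, ip):
        """Record one failed login; return True only when this one triggers a new ban."""
        if any(ipaddress.ip_address(ip) in net for net in self.ignore):
            return False
        if ip in self.bans and ts < self.bans[ip]:
            return False                  # already banned, nothing new to do
        window = self.fails[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # forget failures older than the window
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.bans[ip] = ts + self.bantime
        window.clear()
        return True

def scan(lines, year=2012, **policy):
    """Run imapd log lines through the policy; return [(ip, banned_at, banned_until), ...]."""
    banner, events = LoginBanner(**policy), []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:                             # Connection/Disconnected lines are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if banner.observe(ts, m["ip"]):
                events.append((m["ip"], ts.isoformat(), (ts + banner.bantime).isoformat()))
    return events

# Constructed sample in the thread's log format (TEST-NET addresses, not real hosts): 203.0.113.7 fails
# 12 logins in 6 s, 198.51.100.9 (a whitelisted customer range) fails 12 in 12 s, 192.0.2.10 mistypes every 30 s.
SAMPLE = (
    [f"Aug 12 19:48:{4 + i // 2:02d} vserver04 imapd: LOGIN FAILED, user=u{i}, ip=[::ffff:203.0.113.7]" for i in range(12)]
    + [f"Aug 12 19:48:{i:02d} vserver04 imapd: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.9]" for i in range(12)]
    + [f"Aug 12 19:{48 + i // 2}:{i % 2 * 30:02d} vserver04 imapd: LOGIN FAILED, user=carol, ip=[::ffff:192.0.2.10]" for i in range(4)]
)
```

With the whitelist in place only 203.0.113.7 is banned; without it the trojaned customer at 198.51.100.9 is banned as well, while the slow typist at 192.0.2.10 is never caught, which is exactly the trade-off the thread is arguing about.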
 
Old 08-14-2012, 10:23 PM
Michelle Konzack
 
Massive dictionary attacks from

Hello Jean-Christian BEDIER,

On 2012-08-14 18:39:52, you wrote the following:
> Fail2ban is a bad choice if you have customers who use this imap server.

Right, especially if you use two or more mutt instances...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 
Old 08-14-2012, 10:25 PM
Michelle Konzack
 
Massive dictionary attacks from

Hello Gregor Hermens,

On 2012-08-14 17:15:41, you wrote the following:
> On Tuesday, 14 August 2012, Jean-Christian BEDIER wrote:
> > Fail2ban is a bad choice if you have customers who use this imap server.
> Why that? You just have to change the configuration to fit your needs, as with
> every other software...

How do you do this, if fail2ban does this by IP and you are on a
dynamic IP like DSL or GSM?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 