Old 06-17-2010, 12:26 AM
Rod
 
Default User & password scanning on pop3

Hi,

Does anyone know how to block, or auto programs in Gentoo to limit
or stop people scanning for a user/password hacking on your firewall?


Besides disabling those ports, I still need the port accessible
from the outside, and I guess they'd just try imap if pop was blocked.


I'm running iptables, postfix & courier

This has been ongoing in excess of 12 Hrs now...


Jun 17 10:25:20 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:21 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:26 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:27 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:27 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:33 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:33 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:34 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:39 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:39 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:40 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:45 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:46 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:46 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:52 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:52 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:53 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:58 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:25:58 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
Jun 17 10:25:59 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:26:04 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
Jun 17 10:26:05 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
 
Old 06-17-2010, 12:59 AM
Alex Schuster
 
Default User & password scanning on pop3

Rod writes:

> Does anyone know how to block, or auto programs in Gentoo to limit
> or stop people scanning for a user/password hacking on your firewall?

I am using net-analyzer/fail2ban. That can block an IP after some
unsuccessful login attempts. This helps a lot, but not against botnets,
where every host tries only twice.

> Besides disabling those ports, I still need the port accessible
> from the outside, and I guess they'd just try imap if pop was blocked.

Could you change the port to something unusual, like 1100?

Wonko
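
An added example, not part of the thread: the per-IP failure threshold described above, run over log lines in the courier pop3d format Rod posted, together with a per-user count of distinct sources that exposes the botnet case a per-IP ban misses. The names max_retry and find_time are modelled on fail2ban's maxretry and findtime; the threshold values, min_sources and the sample lines for user anna are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure lines in the courier pop3d format shown in the thread.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN FAILED, "
    r"user=(\S+?), ip=\[(?:::ffff:)?([0-9a-fA-F.:]+)\]")

def parse(line, year=2010):
    """Return (timestamp, user, ip) for a LOGIN FAILED line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_offenders(lines, max_retry=3, find_time=600, min_sources=3):
    """Return (IPs over the per-IP limit, users probed from many other IPs)."""
    window = timedelta(seconds=find_time)
    per_ip, ips_per_user, banned = defaultdict(deque), defaultdict(set), set()
    for ts, user, ip in filter(None, map(parse, lines)):
        ips_per_user[user].add(ip)
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_retry:
            banned.add(ip)
    # Users hit from several sources that each stayed under the per-IP limit.
    spread = {u: sorted(ips - banned) for u, ips in ips_per_user.items()
              if len(ips - banned) >= min_sources}
    return banned, spread

# First three lines come from the thread; the anna lines are constructed.
SAMPLE = """\
Jun 17 10:25:21 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:27 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:25:34 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
Jun 17 10:30:01 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:192.0.2.10]
Jun 17 10:30:05 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:192.0.2.10]
Jun 17 10:31:10 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:198.51.100.7]
Jun 17 10:31:15 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:198.51.100.7]
Jun 17 10:32:20 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:203.0.113.5]
Jun 17 10:32:25 jumpgate pop3d: LOGIN FAILED, user=anna, ip=[::ffff:203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The code assumes the log is in chronological order and that wrapped lines have been rejoined, as syslog writes them.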
 
Old 06-17-2010, 10:02 AM
Tobias R
 
Default User & password scanning on pop3

> Hi,
> Does anyone know how to block, or auto programs in Gentoo to
> limit
> or stop people scanning for a user/password hacking on your
> firewall?

You may want to have a look at iptables and hashlimit, e.g. [1] (please
note that I never tried this myself).

1. http://seclists.org/fulldisclosure/2006/Feb/702

Tobias
 
Old 06-17-2010, 12:30 PM
Adam
 
Default User & password scanning on pop3

>> Does anyone know how to block, or auto programs in Gentoo to
>> limit
>> or stop people scanning for a user/password hacking on your
>> firewall?

fail2ban
 
Old 06-20-2010, 11:43 PM
kashani
 
Default User & password scanning on pop3

On 6/16/2010 5:26 PM, Rod wrote:

> Hi,
>
> Does anyone know how to block, or auto programs in Gentoo to limit or
> stop people scanning for a user/password hacking on your firewall?
>
> Besides disabling those ports, I still need the port accessible from the
> outside, and I guess they'd just try imap if pop was blocked.
>
> I'm running iptables, postfix & courier

Have you considered changing over to pop3-ssl and imap-ssl? I fully
switched over about six years ago and nearly every job I've had since
has used SSL as well. I'd still recommend plain imap to be open on
localhost for webmail to interact with it, but you should have far fewer
problems. And less chance of sniffers pulling user/pass from wireless
connections in cafes.


kashani
 
Old 06-21-2010, 12:06 AM
deface
 
Default User & password scanning on pop3

On Jun 20, 2010, at 6:43 PM, kashani wrote:

> On 6/16/2010 5:26 PM, Rod wrote:
>> Hi,
>>
>> Does anyone know how to block, or auto programs in Gentoo to limit or
>> stop people scanning for a user/password hacking on your firewall?
>>
>> Besides disabling those ports, I still need the port accessible from the
>> outside, and I guess they'd just try imap if pop was blocked.
>>
>> I'm running iptables, postfix & courier
>
> Have you considered changing over to pop3-ssl and imap-ssl? I fully switched over about six years ago and nearly every job I've had since has used SSL as well. I'd still recommend plain imap to be open on localhost for webmail to interact with it, but you should have far fewer problems. And less chance of sniffers pulling user/pass from wireless connections in cafes.
>
> kashani
>
>
> --
> Powered by Flux Labs
> http://www.fluxlabs.net
>


Try fail2ban
 
Old 06-21-2010, 12:13 AM
Rod
 
Default User & password scanning on pop3

On 17/06/2010 10:26 AM, Rod wrote:

> Hi,
>
> Does anyone know how to block, or auto programs in Gentoo to limit
> or stop people scanning for a user/password hacking on your firewall?

Hi,

Just an update, I found the program I had running "Fail2Ban" was
broken, so I have fixed that, but also closed off the pop3 server for
non "SSL" traffic...

pop3 - closed
pop3-ssl - open certificates issued to both SSL users (pop/imap)
imap-ssl - open
 
Old 06-21-2010, 05:27 AM
kashani
 
Default User & password scanning on pop3

On 6/20/2010 5:06 PM, deface wrote:


> Try fail2ban


How about reading the whole thread before posting a one liner?

kashani
 

All times are GMT.