If you offer POP service to the Internet, this is going to happen.
You could add an iptables rule to block everyone, except the IP address
of users on your system, but if their IP address changes, you get a
trouble ticket from a user who can't get their mail. You will spend
lots of time chasing your own users. Not fun.

Make sure your system is patched and built using the QMT scripts. The
firewall is very good. I run yum update weekly to keep it up to date.

What I do when this happens is look in /var/log/maillog for the IP
address of the offender. Then run whois <IP ADDR> to get the ISP of the
offender. If it is in the US/Canada, I fire off an e-mail with the logs
(/var/log/maillog) to the abuse address and I use the key words "brute
force attack on our mail server" and "please address this AUP violation
with your subscriber." If the attack is from China, I don't even waste
my time.

When I was at a web hosting company, we took these complaints seriously.
Maybe it works, maybe not. I've never had a repeat attack.

I did have a BF attack from Argentina that went on for hours. I
e-mailed the ISP and it stopped about 15 minutes later.

George Toft, CISSP, MSIS
623-203-1760

Francisco Paco Peralta wrote:
Hello list,

I am looking for a way to minimize the rogue attempts to log in to my
system. Any suggestions are welcome.

I get a logwatch report every morning and have been getting the
results. While it doesn't happen every day I would like to minimize my
exposure.

See below:

--------------------- vpopmail Begin ------------------------
No Such User Found:
*@ - 1 Time(s)
0246@ - 1 Time(s)
12345678@ - 1 Time(s)
123456@ - 1 Time(s)
1234@ - 1 Time(s)
123@ - 1 Time(s)
123abc@ - 1 Time(s)
1q2w3e@ - 1 Time(s)
a1b2c3@ - 1 Time(s)
abc123@ - 1 Time(s)
amanda@ - 1 Time(s)
andrew@ - 1 Time(s)
apple@ - 1 Time(s)
asshole@ - 1 Time(s)
bandit@ - 1 Time(s)
baseball@ - 1 Time(s)
beavis@ - 1 Time(s)
buster@ - 1 Time(s)
chris@ - 1 Time(s)
computer@ - 1 Time(s)
cowboys@ - 1 Time(s)
dakota@ - 1 Time(s)
dallas@ - 1 Time(s)
daniel@ - 1 Time(s)
david@ - 1 Time(s)
diamond@ - 1 Time(s)
dragon@ - 1 Time(s)
falcon@ - 1 Time(s)
fiction@ - 1 Time(s)
foobar@ - 1 Time(s)
fred@ - 1 Time(s)
friends@ - 1 Time(s)
george@ - 1 Time(s)
harley@ - 1 Time(s)
hatton@ - 1 Time(s)
hello@ - 1 Time(s)
hockey@ - 1 Time(s)
internet@ - 2 Time(s)
jennifer@ - 1 Time(s)
jessica@ - 1 Time(s)
jordan@ - 2 Time(s)
joshua@ - 1 Time(s)
justin@ - 1 Time(s)
maddock@ - 1 Time(s)
maggie@ - 1 Time(s)
michael@ - 1 Time(s)
michelle@ - 1 Time(s)
mickey@ - 2 Time(s)
mike@ - 1 Time(s)
monday@ - 1 Time(s)
money@ - 1 Time(s)
monkey@ - 1 Time(s)
mustang@ - 1 Time(s)
newpass@ - 1 Time(s)
newuser@ - 1 Time(s)
nicole@ - 1 Time(s)
notused@ - 1 Time(s)
orange@ - 1 Time(s)
pascal@ - 1 Time(s)
passwd@ - 1 Time(s)
password@ - 1 Time(s)
patrick@ - 1 Time(s)
pepper@ - 1 Time(s)
purple@ - 1 Time(s)
qwerty@ - 2 Time(s)
richard@ - 1 Time(s)
robert@ - 1 Time(s)
school@ - 1 Time(s)
sendit@ - 1 Time(s)
shadow@ - 1 Time(s)
silver@ - 1 Time(s)
smokey@ - 1 Time(s)
snoopy@ - 1 Time(s)
soccer@ - 1 Time(s)
sports@ - 1 Time(s)
stupid@ - 1 Time(s)
summer@ - 2 Time(s)
sunshine@ - 1 Time(s)
test@ - 1 Time(s)
thomas@ - 1 Time(s)
undead@ - 1 Time(s)
vikings@ - 1 Time(s)
wheeling@ - 1 Time(s)
**Unmatched Entries**
vchkpw-smtp: invalid user/domain characters "null":xxx.xxx.xxx.xxx
vchkpw-smtp: invalid user/domain characters [EMAIL PROTECTED]:xxx.xxx.xxx.xxx
---------------------- vpopmail End -------------------------
Francisco "Paco" Peralta
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
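
Added example (not part of either message above): a shell function for the first step George describes, finding the offending IP addresses in /var/log/maillog, by counting failed vchkpw logins per source address. It assumes each failure line ends in ":<IPv4 address>" like the vchkpw-smtp entries in the logwatch report; the function names, the "user not found" and "password fail" message texts, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally failed vchkpw logins per source IP from a maillog.
# Assumption: every vchkpw failure line ends in ":<IPv4 address>", as the
# "invalid user/domain characters" lines in the logwatch report do.
# IPv6 sources are not handled (their addresses contain colons).

# failed_logins_by_ip FILE [MIN]
# Prints "<count> <ip>" for each IP with at least MIN failures (default 5),
# busiest first.
failed_logins_by_ip() {
    awk -v min="${2:-5}" '
        /vchkpw-[a-z0-9]+: / &&
        /user not found|password fail|invalid user\/domain characters/ {
            n = split($0, part, ":")          # IP is the last ":" field
            ip = part[n]
            gsub(/[ \t\r]+$/, "", ip)         # drop trailing whitespace
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, not real log data).
make_sample_log() {
    cat <<'EOF'
Mar  3 04:12:01 mail vpopmail[2101]: vchkpw-pop3: vpopmail user not found 123456@:203.0.113.45
Mar  3 04:12:02 mail vpopmail[2102]: vchkpw-pop3: vpopmail user not found qwerty@:203.0.113.45
Mar  3 04:12:03 mail vpopmail[2103]: vchkpw-pop3: vpopmail user not found test@:203.0.113.45
Mar  3 04:12:04 mail vpopmail[2104]: vchkpw-pop3: password fail george@example.com:203.0.113.45
Mar  3 07:30:10 mail vpopmail[2200]: vchkpw-pop3: password fail alice@example.com:198.51.100.7
Mar  3 07:30:25 mail vpopmail[2201]: vchkpw-pop3: (PLAIN) login success alice@example.com:198.51.100.7
Mar  3 09:01:00 mail vpopmail[2300]: vchkpw-smtp: invalid user/domain characters "null":192.0.2.9
Mar  3 09:01:02 mail vpopmail[2301]: vchkpw-smtp: vpopmail user not found admin@:192.0.2.9
Mar  3 09:01:04 mail vpopmail[2302]: vchkpw-smtp: vpopmail user not found newuser@:192.0.2.9
EOF
}

# Demo run: list sources with three or more failures in the sample.
sample=$(mktemp)
make_sample_log > "$sample"
failed_logins_by_ip "$sample" 3
rm -f "$sample"
```

On a live server, point it at the real log, for example failed_logins_by_ip /var/log/maillog 10, and run whois on the addresses it lists. A single failure followed by a successful login, like the 198.51.100.7 lines in the sample, is usually a user mistyping a password, which is why the threshold matters.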