Re: Connection throttling POP3.

2007-05-23 Thread Gabor Gombas
On Tue, May 22, 2007 at 11:14:49AM -0400, Robert Banz wrote:

 *security people seem to obsess on perfect solutions.  It bothers me.

No, _real_ security people know that there is NO perfect solution. You
always have to balance the cost of the defenses with the cost of the
thing you want to protect.

Gabor

-- 
 -
 MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
 -

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Connection throttling POP3.

2007-05-23 Thread Matthew Schumacher
David S. Madole wrote:
 
 If you are talking about the suggestion I made, which looked like this:
 
 iptables -A INPUT -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --update --seconds 60 -j DROP
 
 iptables -A INPUT -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --set -j ACCEPT
 
 then you did not read it right. It limits to one connection per IP address 
 per minute. Each source address is kept track of in enforcing the limit. 
 Using the --hitcount option in addition to the --seconds option, you can also 
 create limits such as a maximum of four connections in two minutes, etc.
 
 David

Wow, I never played with recent before but it's quite handy.  Thanks for
pointing this out.  I've already added a number of rules to protect
various things.

schu



RE: Connection throttling POP3.

2007-05-22 Thread Mogens Melander
You need -I to make sure the rule gets inserted before any accept.
$EXTIF is your interface facing the bad guys.

iptables -I INPUT   -i $EXTIF -s $IP -j DROP
iptables -I FORWARD -i $EXTIF -s $IP -j DROP

On Mon, May 21, 2007 21:43, Jonathan Villa wrote:
 For a temporary solution... use IPTABLES

 iptables -s 83.209.35.32 -j DROP

 or something like that.  I think that will drop ALL connections from the
 IP.


 - Original Message -
 From: Matthew Schumacher [EMAIL PROTECTED]
 Sent: Mon, 5/21/2007 2:40pm
 To: info-cyrus@lists.andrew.cmu.edu
 Subject: Connection throttling POP3.

 List,

 I'm getting some spammer trying to guess usernames and passwords:

 May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob
 SASL(-13): authentication failure: checkpass failed
 May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext
 complaints SASL(-13): authentication failure: checkpass failed
 May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext
 diablo SASL(-13): authentication failure: checkpass failed
 May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext
 darren SASL(-13): authentication failure: checkpass failed
 May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext
 dallas SASL(-13): authentication failure: checkpass failed
 May 21 11:02:00 larry pop3[5939]: badlogin: [83.209.35.32] plaintext
 edgar SASL(-13): authentication failure: checkpass failed
 May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext
 cristopher SASL(-13): authentication failure: checkpass failed
 May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext
 easter SASL(-13): authentication failure: checkpass failed
 May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext
 felicia SASL(-13): authentication failure: checkpass failed

 And this spammer is racking up a zillion processes which is killing my
 machine.  I need a way to throttle this somehow where he is only allowed
 one connection per IP at a time, or perhaps a way to ignore them after
 so many invalid passwords.

 Anyone know of a way to do this?

 schu
 

 --
 This message has been scanned for viruses and
 dangerous content by OpenProtect(http://www.openprotect.com), and is
 believed to be clean.




-- 
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224







Re: Connection throttling POP3.

2007-05-22 Thread Philip H. O'Neill
We do the same but there is an issue.

One File::Tail delays polling the log for up to 30 seconds unless you
tell it otherwise. So it will allow a number of attempts before reading
the log. If you increase the polling you add load to the system. Not
much but some.

We like the idea of adding the timer to iptables along with logging so
the address can be tracked. If the address comes back then it can be
added to a permanent block.

Phil

On Mon, 2007-05-21 at 21:12, Robert Banz wrote:
 On May 21, 2007, at 21:50, Daniel O'Connor wrote:
 
  On Tuesday 22 May 2007 05:10, Matthew Schumacher wrote:
  I'm getting some spammer trying to guess usernames and passwords:
 
  I use the following to protect my SSH server (well not the SSH server
  per se, just me reading logfiles the next day)
 
  http://www.gsoft.com.au/~doconnor/brute-force-mitigation.html
 
  Needs PF though.
 
 I take the approach of having a perl script (yay! File::Tail) sit and  
 watch the logs on each server looking for signs of ssh (could easily  
 be used for other things like pop as well) brute force attacks.  A  
 certain # of failed logins in a time window from a single IP will  
 cause that IP to get blocked by ipfilter for an appropriate period of  
 time, after which the block is removed.  This stops most of your  
 brute-force guessers; after a few tries of having their packets end  
 up on the floor, they go away.
 
 -rob
 


Re: Connection throttling POP3.

2007-05-22 Thread Robert Banz


On May 22, 2007, at 10:34, Philip H. O'Neill wrote:


We do the same but there is an issue.

One File::Tail delays polling the log for up to 30 seconds unless you
tell it otherwise. So it will allow a number of attempts before reading
the log. If you increase the polling you add load to the system. Not
much but some.

We like the idea of adding the timer to iptables along with logging so
the address can be tracked. If the address comes back then it can be
added to a permanent block.


We're not running this on linux (no iptables) but using Solaris'  
ipfilter.  The timer function seems nice; we just have the daemon  
keep a database of the 'bad' ips and release the block whenever one  
times out.


It's not, by any means, the perfect solution* -- there is no such  
thing.  However, it's quick, easy, and stops 99% of your problems.


*security people seem to obsess on perfect solutions.  It bothers me.

-rob




Re: Connection throttling POP3.

2007-05-22 Thread Peter Bücker

Matthew Schumacher wrote:

May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext
cristopher SASL(-13): authentication failure: checkpass failed
May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext
easter SASL(-13): authentication failure: checkpass failed
May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext
felicia SASL(-13): authentication failure: checkpass failed

And this spammer is racking up a zillion processes which is killing my
machine.  I need a way to throttle this somehow where he is only allowed
one connection per IP at a time, or perhaps a way to ignore them after
so many invalid passwords.


I suggest iptables as well. I use the following rule to limit SSH 
connection attempts to 1/minute on average, though a burst of 3/min is 
allowed:


iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 \
 -m limit --limit 1/min --limit-burst 3 -j ACCEPT


Of course you need to combine this with a DROP policy.

You could also use connlimit:

Allows you to restrict the number of parallel TCP connections to a 
server per client IP address (or address block).


Please have a look at iptables(8) for more detailed instructions :-)

Peter



Re: Connection throttling POP3.

2007-05-22 Thread Matthew Schumacher
David S. Madole wrote:
 From Matthew Schumacher on Monday, May 21, 2007 6:35 PM

 I agree with Blake, while I can do it with IPtables it's not 
 a good solution.

 The first iptables suggestion blocked the offending IP, which 
 is fine, but also requires me to babysit the server.  The 
 second suggestion would correctly limit connections, but if 
 I'm reading it right, would lump all connections together, 
 not just connections per originating IP address.
 
 If you are talking about the suggestion I made, which looked like this:
 
 iptables -A INPUT -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --update --seconds 60 -j DROP
 
 iptables -A INPUT -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --set -j ACCEPT
 
 then you did not read it right. It limits to one connection per IP address 
 per minute. Each source address is kept track of in enforcing the limit. 
 Using the --hitcount option in addition to the --seconds option, you can also 
 create limits such as a maximum of four connections in two minutes, etc.
 
 David
 

This must be something that the recent module does.  I'll do some
testing.  Thanks for the helpful suggestion, it looks very promising.

schu



RE: Connection throttling POP3.

2007-05-21 Thread Jonathan Villa
For a temporary solution... use IPTABLES

iptables -s 83.209.35.32 -j DROP

or something like that.  I think that will drop ALL connections from the IP.


- Original Message -
From: Matthew Schumacher [EMAIL PROTECTED]
Sent: Mon, 5/21/2007 2:40pm
To: info-cyrus@lists.andrew.cmu.edu
Subject: Connection throttling POP3.

List,

I'm getting some spammer trying to guess usernames and passwords:

May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob
SASL(-13): authentication failure: checkpass failed
May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext
complaints SASL(-13): authentication failure: checkpass failed
May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext
diablo SASL(-13): authentication failure: checkpass failed
May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext
darren SASL(-13): authentication failure: checkpass failed
May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext
dallas SASL(-13): authentication failure: checkpass failed
May 21 11:02:00 larry pop3[5939]: badlogin: [83.209.35.32] plaintext
edgar SASL(-13): authentication failure: checkpass failed
May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext
cristopher SASL(-13): authentication failure: checkpass failed
May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext
easter SASL(-13): authentication failure: checkpass failed
May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext
felicia SASL(-13): authentication failure: checkpass failed

And this spammer is racking up a zillion processes which is killing my
machine.  I need a way to throttle this somehow where he is only allowed
one connection per IP at a time, or perhaps a way to ignore them after
so many invalid passwords.

Anyone know of a way to do this?

schu



Re: Connection throttling POP3.

2007-05-21 Thread Blake Hudson
Andrew Morgan wrote:
 On Mon, 21 May 2007, Matthew Schumacher wrote:

 List,

 And this spammer is racking up a zillion processes which is killing my
 machine.  I need a way to throttle this somehow where he is only allowed
 one connection per IP at a time, or perhaps a way to ignore them after
 so many invalid passwords.

 Anyone know of a way to do this?

 You can use tcp-wrappers to block connections from that IP address
 entirely.  I believe there are also some solutions to monitor
 connections and automatically add IP addresses to the /etc/hosts.deny
 file, but I've never used them myself.

 Andy

These types of threats are becoming more and more common and in reaction
awareness is increasing and more software seems to be implementing
mechanisms to cope. I would personally love to see Cyrus implement some
sort of connection limit or throttling per IP/network/user. The current
process limits do help ensure that one daemon does not make the machine
unusable, but does nothing to prevent a DoS attack.

-Blake





Re: Connection throttling POP3.

2007-05-21 Thread Benjamin Donnachie
Andrew Morgan wrote:
 I believe there are also some solutions to monitor
 connections and automatically add IP addresses to the /etc/hosts.deny
 file, but I've never used them myself.

Fail2ban will do this (and more) see http://fail2ban.sourceforge.net/

If your system uses PAM, it's also worth taking a look at pam_abl - see
http://www.hexten.net/wiki/index.php/Pam_abl

Ben



Re: Connection throttling POP3.

2007-05-21 Thread Gary Mills
On Mon, May 21, 2007 at 03:36:34PM -0500, Blake Hudson wrote:
 Andrew Morgan wrote:
  On Mon, 21 May 2007, Matthew Schumacher wrote:
 
  And this spammer is racking up a zillion processes which is killing my
  machine.  I need a way to throttle this somehow where he is only allowed
  one connection per IP at a time, or perhaps a way to ignore them after
  so many invalid passwords.

One-connection-per-IP only works when the users have individual IP
addresses.  If they're on a multi-user server or behind a proxy server,
this won't work.

  You can use tcp-wrappers to block connections from that IP address
  entirely.  I believe there are also some solutions to monitor
  connections and automatically add IP addresses to the /etc/hosts.deny
  file, but I've never used them myself.
 
 These types of threats are becoming more and more common and in reaction
 awareness is increasing and more software seems to be implementing
 mechanisms to cope. I would personally love to see Cyrus implement some
 sort of connection limit or throttling per IP/network/user. The current
 process limits do help ensure that one daemon does not make the machine
 unusable, but does nothing to prevent a DoS attack.

One thing that should be done is to report the behavior to the
relevant ISP.  If they don't know what their customer is doing,
they're not likely to take any actions.  I realize that sometimes
complaining is futile, but sometimes it has the desired effect.

-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-



RE: Connection throttling POP3.

2007-05-21 Thread David S. Madole
 On Mon, 21 May 2007, Matthew Schumacher wrote:

 List,

 And this spammer is racking up a zillion processes which is killing
 my machine.  I need a way to throttle this somehow where he is only
 allowed one connection per IP at a time, or perhaps a way to ignore
 them after so many invalid passwords.

 Anyone know of a way to do this?

If you are on Linux, you can do something like this, which I use for SSH for 
the same reasons:

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --update --seconds 60 -j DROP

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --set -j ACCEPT

This limits connections to once a minute.

David




Re: Connection throttling POP3.

2007-05-21 Thread Matthew Schumacher
Blake Hudson wrote:
 
 These types of threats are becoming more and more common and in reaction
 awareness is increasing and more software seems to be implementing
 mechanisms to cope. I would personally love to see Cyrus implement some
 sort of connection limit or throttling per IP/network/user. The current
 process limits do help ensure that one daemon does not make the machine
 unusable, but does nothing to prevent a DoS attack.
 
 -Blake

I agree with Blake, while I can do it with IPtables it's not a good
solution.

The first iptables suggestion blocked the offending IP, which is fine,
but also requires me to babysit the server.  The second suggestion would
correctly limit connections, but if I'm reading it right, would lump all
connections together, not just connections per originating IP address.

The pam suggestion doesn't really free up processes since the
connections would still be made, not to mention that I'm not using pam,
so that is pretty much out.

Fail2ban is interesting (I could whip this up in perl in 10 minutes) but
it's kind of a hack.

In the end it would be best to have this part of cyrus.  That way we can
do different things based on number of connections in a time period,
number of simultaneous connections, or password failure.

Perhaps someone can add it to the wish list, I would write it myself
except my C skills are lacking.  Perhaps I'll just write some perl hack
to scan the logs until there is a better way to do it.

Thanks,
schu



RE: Connection throttling POP3.

2007-05-21 Thread David S. Madole
 From Matthew Schumacher on Monday, May 21, 2007 6:35 PM

 I agree with Blake, while I can do it with IPtables it's not 
 a good solution.
 
 The first iptables suggestion blocked the offending IP, which 
 is fine, but also requires me to babysit the server.  The 
 second suggestion would correctly limit connections, but if 
 I'm reading it right, would lump all connections together, 
 not just connections per originating IP address.

If you are talking about the suggestion I made, which looked like this:

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --update --seconds 60 -j DROP

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --set -j ACCEPT

then you did not read it right. It limits to one connection per IP address per 
minute. Each source address is kept track of in enforcing the limit. Using the 
--hitcount option in addition to the --seconds option, you can also create 
limits such as a maximum of four connections in two minutes, etc.

David
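
How the two-rule `recent` chain in this message treats each source address, as a simplified Python model added here for illustration (it is not code from the thread and not the kernel module). It assumes one new connection per `badlogin` line in the original post's log excerpt; the follow-up attempts and the second client `192.0.2.10` are constructed.

```python
from collections import defaultdict


class RecentList:
    """Simplified model of one 'recent' list: timestamps kept per source address."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> times it was recorded

    def check(self, src, now, seconds, hitcount=1, update=True):
        """Model --update (or --rcheck when update=False) with --seconds/--hitcount."""
        seen = self.stamps.get(src, [])
        hits = sum(1 for t in seen if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            seen.append(now)              # --update refreshes "last seen" on a match
        return matched

    def set(self, src, now):
        """Model --set: record the source address and always match."""
        self.stamps[src].append(now)
        return True


def run_chain(events, seconds=60, hitcount=1, update=True):
    """Pass (time, source) NEW connections through the two rules in order:
         rule 1: -m recent --update --seconds S [--hitcount H] -j DROP
         rule 2: -m recent --set -j ACCEPT
    """
    recent = RecentList()
    verdicts = []
    for now, src in sorted(events):
        if recent.check(src, now, seconds, hitcount, update):
            verdicts.append((now, src, "DROP"))
        else:
            recent.set(src, now)
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def accepted(verdicts, src):
    """Times at which connections from src were let through."""
    return [t for t, s, v in verdicts if s == src and v == "ACCEPT"]


ATTACKER = "83.209.35.32"   # source address in the thread's log excerpt
CLIENT = "192.0.2.10"       # constructed legitimate client (documentation range)

# Seconds after 11:00:00. LOG_TIMES are the badlogin timestamps quoted in the
# thread, sorted; FOLLOW_UP is a constructed continuation, one attempt per 20 s.
LOG_TIMES = [114, 115, 116, 118, 120, 120, 121, 122, 130]
FOLLOW_UP = [150, 170, 190, 210, 230, 250]
EVENTS = ([(t, ATTACKER) for t in LOG_TIMES + FOLLOW_UP]
          + [(140, CLIENT), (220, CLIENT)])

if __name__ == "__main__":
    cases = {
        "--update --seconds 60": {},
        "--rcheck --seconds 60": {"update": False},
        "--update --seconds 120 --hitcount 4": {"seconds": 120, "hitcount": 4},
    }
    for label, kwargs in cases.items():
        v = run_chain(EVENTS, **kwargs)
        print(label, "attacker:", accepted(v, ATTACKER),
              "client:", accepted(v, CLIENT))
```

With `--update`, every dropped attempt restarts the window, so a source that keeps retrying is never let back in, while the second address is tracked separately and unaffected; the same model with `--rcheck` admits the persistent source again once a minute.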




Re: Connection throttling POP3.

2007-05-21 Thread Jorey Bump

David S. Madole wrote:

From Matthew Schumacher on Monday, May 21, 2007 6:35 PM

The first iptables suggestion blocked the offending IP, which is
fine, but also requires me to babysit the server.  The second
suggestion would correctly limit connections, but if I'm reading it
right, would lump all connections together, not just connections
per originating IP address.


If you are talking about the suggestion I made, which looked like
this:

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --update --seconds 60 -j DROP

iptables -A INPUT -p tcp --dport 22 \
 -m state --state NEW \
 -m recent --set -j ACCEPT

then you did not read it right. It limits to one connection per IP
address per minute. Each source address is kept track of in enforcing
the limit. Using the --hitcount option in addition to the --seconds
option, you can also create limits such as a maximum of four
connections in two minutes, etc.


I also use this for blocking brute force SSH attacks, and can't 
understand why anyone would choose a log parsing script instead. It 
stops them dead in their tracks (even with a much lower time limit). It 
would be interesting if it could also be applied to POP3. Your logs 
indicate that a much lower time limit would suffice (not sure why your 
second line is -1 seconds after the first, though). Even if the protocol 
allows it, I'm willing to bet you'll find some brain-dead mail client 
that has problems, though.





Re: Connection throttling POP3.

2007-05-21 Thread Daniel O'Connor
On Tuesday 22 May 2007 05:10, Matthew Schumacher wrote:
 I'm getting some spammer trying to guess usernames and passwords:

I use the following to protect my SSH server (well not the SSH server 
per se, just me reading logfiles the next day)

http://www.gsoft.com.au/~doconnor/brute-force-mitigation.html

Needs PF though.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there
are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C



Re: Connection throttling POP3.

2007-05-21 Thread Robert Banz


On May 21, 2007, at 21:50, Daniel O'Connor wrote:


On Tuesday 22 May 2007 05:10, Matthew Schumacher wrote:

I'm getting some spammer trying to guess usernames and passwords:


I use the following to protect my SSH server (well not the SSH server
per se, just me reading logfiles the next day)

http://www.gsoft.com.au/~doconnor/brute-force-mitigation.html

Needs PF though.


I take the approach of having a perl script (yay! File::Tail) sit and  
watch the logs on each server looking for signs of ssh (could easily  
be used for other things like pop as well) brute force attacks.  A  
certain # of failed logins in a time window from a single IP will  
cause that IP to get blocked by ipfilter for an appropriate period of  
time, after which the block is removed.  This stops most of your  
brute-force guessers; after a few tries of having their packets end  
up on the floor, they go away.


-rob
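
The log-watching approach described in this message, sketched in Python as an added example (it is not the Perl script mentioned above and not part of the thread). The thresholds (5 failures in 60 seconds, 10-minute block) and the `192.0.2.10` line are assumptions; the other log lines are the ones quoted in the original post, unwrapped. The function only plans block and unblock actions; applying them with ipfilter or iptables is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Cyrus "badlogin" syslog lines as quoted in the thread.
BADLOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\[\d+\]:\s+"
    r"badlogin:.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_badlogins(lines, year):
    """Return sorted (timestamp, ip) pairs; syslog omits the year, so pass it in."""
    events = []
    for line in lines:
        m = BADLOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return sorted(events)      # syslog lines can arrive slightly out of order


def plan_blocks(events, max_failures=5, window=timedelta(seconds=60),
                block_for=timedelta(minutes=10)):
    """Sliding-window count of failures per IP; emit block/unblock actions."""
    recent = defaultdict(deque)    # ip -> failure times inside the window
    blocked_until = {}
    actions = []
    for ts, ip in events:
        if ip in blocked_until:
            if ts < blocked_until[ip]:
                continue           # already blocked; nothing new to decide
            del blocked_until[ip]  # block expired, start counting again
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocked_until[ip] = ts + block_for
            actions.append(("block", ip, ts))
            actions.append(("unblock", ip, ts + block_for))
            q.clear()
    return sorted(actions, key=lambda a: a[2])


_FAIL = "SASL(-13): authentication failure: checkpass failed"
SAMPLE_LOG = [
    f"May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob {_FAIL}",
    f"May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext complaints {_FAIL}",
    f"May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext diablo {_FAIL}",
    # Constructed line: one mistyped password from an ordinary client.
    f"May 21 11:01:57 larry pop3[5901]: badlogin: [192.0.2.10] plaintext alice {_FAIL}",
    f"May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext darren {_FAIL}",
    f"May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext dallas {_FAIL}",
    f"May 21 11:02:00 larry pop3[5939]: badlogin: [83.209.35.32] plaintext edgar {_FAIL}",
    f"May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext cristopher {_FAIL}",
    f"May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext easter {_FAIL}",
    f"May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext felicia {_FAIL}",
]

if __name__ == "__main__":
    for action, ip, when in plan_blocks(parse_badlogins(SAMPLE_LOG, 2007)):
        print(when.isoformat(sep=" "), action, ip)
```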
