Re: [qmailtoaster] Denial of Service on POP3

2011-08-04 Thread Pak Ogah

On 08/05/11 1:08, Délsio Cabá wrote:

> Just a small contribution
> Wiki has something wrong
> instead of:
> failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
>
> it should be
>
> failregex = vchkpw-pop3: vpopmail user not found .*:<HOST>


thanks.. that's a big contribution,
otherwise the rule is not running properly

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Denial of Service on POP3

2011-08-04 Thread Délsio Cabá
Just a small contribution
Wiki has something wrong
instead of:

failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>

it should be

failregex = vchkpw-pop3: vpopmail user not found .*:<HOST>



On 3 August 2011 06:16, Pak Ogah  wrote:

> On 08/02/11 12:54, nishant amin wrote:
>
>> hi all
>> i am attaching my jail.conf  and pop.conf for qmail pop3 (this is
>> working for me)
>> may be you can edit it to your needs
>>
>> [root@mail ~]# cat /etc/fail2ban/jail.conf
>>
>>
>> [pop3]
>> enabled  = true
>> filter   = pop3
>> action   = iptables[name=pop3, port=110, protocol=tcp]
>> logpath  = /var/log/maillog
>> maxretry = 3
>> bantime  = 86400
>> findtime = 3600
>> # you can put any other IP you want here
>> ignoreip = 127.0.0.1
>> backend = auto
>>
>>
>>
>> [root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf
>>
>> [Definition]
>> # Looks for failed password logins to POP3
>> failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>> ignoreregex =
>>
>>
>>
>> regards
>> NIshant Amin
>>
>>
> Hi Nishant,
> is your rule the same as the one on
> http://wiki.qmailtoaster.com/index.php/Fail2Ban
>
> if not, then can you please add it to the wiki.
> and if possible other fail2ban rules that you used to protect your qmt box.
>
> I am thinking fail2ban and rules-related to qmt should be in qmt stock.
> what do you think?
>
>
>
>
>
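
The jail and filter discussed in this thread, replayed offline as an added example (not code from the thread or from fail2ban). It assumes fail2ban's `<HOST>` tag follows the final colon of each failregex, substitutes a simplified IPv4-only group for it, and runs over constructed vchkpw log lines that use documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the [pop3] jail posted in the thread.
MAXRETRY = 3
FINDTIME = 3600  # seconds

# Assumption: simplified IPv4-only stand-in for what fail2ban substitutes
# for its <HOST> tag before compiling a failregex.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two POP3 patterns from the thread; the trailing <HOST> is assumed.
POP3_FILTERS = [
    r"vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    r"vchkpw-pop3: vpopmail user not found .*:<HOST>",
]
# The pattern the thread reports as wrong for a POP3 jail.
SMTP_FILTER = r"vchkpw-smtp: vpopmail user not found .*:<HOST>"

# Constructed sample of /var/log/maillog lines (not taken from the thread).
SAMPLE_LOG = """\
Aug  2 10:15:01 mail vpopmail[2101]: vchkpw-pop3: password fail (pass: 'letmein') info@example.com:203.0.113.7
Aug  2 10:15:03 mail vpopmail[2102]: vchkpw-pop3: vpopmail user not found admin@example.com:203.0.113.7
Aug  2 10:15:04 mail vpopmail[2103]: vchkpw-pop3: (PLAIN) login success alice@example.com:198.51.100.20
Aug  2 10:15:06 mail vpopmail[2104]: vchkpw-pop3: password fail (pass: '123456') info@example.com:203.0.113.7
Aug  2 10:20:00 mail vpopmail[2110]: vchkpw-pop3: password fail (pass: 'oops') bob@example.com:198.51.100.20
Aug  2 12:30:00 mail vpopmail[2150]: vchkpw-pop3: password fail (pass: 'oops2') bob@example.com:198.51.100.20
Aug  2 12:31:00 mail vpopmail[2151]: vchkpw-pop3: password fail (pass: 'oops3') bob@example.com:198.51.100.20
""".splitlines()


def compile_filter(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, so there is no address to ban")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_failure(line, patterns, year=2011):
    """Return (timestamp, ip) when a syslog line matches a pattern, else None."""
    for pattern in patterns:
        match = pattern.search(line)
        if match:
            # Syslog timestamps omit the year; the caller supplies it.
            stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            return stamp, match.group("host")
    return None


def banned_hosts(lines, failregexes, maxretry=MAXRETRY, findtime=FINDTIME,
                 ignoreip=("127.0.0.1",)):
    """List addresses that reach maxretry failures inside a findtime window."""
    patterns = [compile_filter(rx) for rx in failregexes]
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    banned = []
    for line in lines:
        hit = parse_failure(line, patterns)
        if hit is None:
            continue
        stamp, ip = hit
        if ip in ignoreip or ip in banned:
            continue
        window = recent[ip]
        window.append(stamp)
        # Drop failures that are older than findtime relative to this one.
        while (stamp - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("pop3 patterns:", banned_hosts(SAMPLE_LOG, POP3_FILTERS))
    print("password-fail + smtp pattern:",
          banned_hosts(SAMPLE_LOG, [POP3_FILTERS[0], SMTP_FILTER]))
```

With the `vchkpw-smtp` pattern in place of the `vchkpw-pop3` one, the "user not found" line is never counted and the same log produces no ban; the second address stays unbanned because its three failures do not fall inside one `findtime` window.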


Re: [qmailtoaster] Denial of Service on POP3

2011-08-02 Thread Pak Ogah

On 08/02/11 12:54, nishant amin wrote:

> hi all
> i am attaching my jail.conf  and pop.conf for qmail pop3 (this is
> working for me)
> maybe you can edit it to your needs
>
> [root@mail ~]# cat /etc/fail2ban/jail.conf
>
>
> [pop3]
> enabled  = true
> filter   = pop3
> action   = iptables[name=pop3, port=110, protocol=tcp]
> logpath  = /var/log/maillog
> maxretry = 3
> bantime  = 86400
> findtime = 3600
> # you can put any other IP you want here
> ignoreip = 127.0.0.1
> backend = auto
>
>
>
> [root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf
>
> [Definition]
> # Looks for failed password logins to POP3
> failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> ignoreregex =
>
>
>
> regards
> NIshant Amin



Hi Nishant,
is your rule the same as the one on
http://wiki.qmailtoaster.com/index.php/Fail2Ban

if not, then can you please add it to the wiki.
and if possible other fail2ban rules that you used to protect your qmt box.

I am thinking fail2ban and rules-related to qmt should be in qmt stock.
what do you think?





Re: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread nishant amin
It's an extract from the file. I have just copied the part that deals with pop3
regards
NIshant Amin

On Tue, Aug 2, 2011 at 8:59 AM, James Beam  wrote:
> Never mind...too late at night for me...somehow like magik I failed to see it 
> in your email...time for bed!
>
> -Original Message-
> From: nishant amin [mailto:igonish...@gmail.com]
> Sent: Tuesday, August 02, 2011 12:55 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Denial of Service on POP3
>
> hi all
> i am attaching my jail.conf  and pop.conf for qmail pop3 (this is working for 
> me) may be you can edit it to your needs
>
> [root@mail ~]# cat /etc/fail2ban/jail.conf
>
>
> [pop3]
> enabled  = true
> filter   = pop3
> action   = iptables[name=pop3, port=110, protocol=tcp]
> logpath  = /var/log/maillog
> maxretry = 3
> bantime  = 86400
> findtime = 3600
> # you can put any other IP you want here
> ignoreip = 127.0.0.1
> backend = auto
>
>
>
> [root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf
>
> [Definition]
> # Looks for failed password logins to POP3
> failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> ignoreregex =
>
>
>
> regards
> NIshant Amin
>
> On Tue, Aug 2, 2011 at 7:08 AM, James Beam  wrote:
>> They mean share your jail config for pop3 to get it working with Qmail
>> - I have been curious of that myself...
>>
>>
>>
>> I use Fail2Ban on all my linux boxes - just never got it to work with
>> qmail
>> pop3 or pop3ssl...
>>
>>
>>
>> Imap would be nice too!
>>
>>
>>
>>
>>
>> From: Délsio Cabá [mailto:del...@gmail.com]
>> Sent: Monday, August 01, 2011 11:06 PM
>> To: qmailtoaster-list@qmailtoaster.com
>> Subject: Re: [qmailtoaster] Denial of Service on POP3
>>
>>
>>
>> Hi,
>>
>> Thanks for the reply. Is there any chance you could share with us the
>> pop3 filter code for qmail?
>>
>> Thanks for any help :)
>>
>> On 1 August 2011 12:50,  wrote:
>>
>> Fail2ban can be downloaded from YUM
>>
>> You need to change some settings in the config files to match your
>> requirements. Its also has settings for bantime, who to mail when
>> someone gets banned (ip adress), it uses iptables to update blocking schemes.
>>
>> I use fail2ban for pop3, smtp, ftp
>>
>> B/R Ole
>> Using two latest Centos dists with QMT and Fail2Ban enabled.
>>
>>> Thanks,
>>> But what if they are from different IP or I don't even get aware of
>>> the attack?
>>>
>>> I think the best approach would be to use fail2ban. So I need someone
>>> that already has a rule
>>>
>>> Thanks
>>>
>>> On 29 July 2011 16:16, Sergio Rosa  wrote:
>>>
>>>> block them at the fw level. or place an iptables rules on your host.
>>>> This
>>>> will do the job if the source ip is the same all the time.
>>>>
>>>> ---
>>>> Thank you,
>>>> Sérgio Rosa
>>>>
>>>> T. +351 91348 9195
>>>> @. sergior...@awd.pt
>>>>
>>>> AWD - Arq. Web e Design, Unip. Lda
>>>> R. Moinho Velho, 19, 2ºDto
>>>> 2655-242 Ericeira
>>>> http://www.awd.pt
>>>>
>>>>
>>>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I see these logs on pop3:
>>>>> @40004e32be9f2581381c tcpserver: ok 19434
>>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>>>> @40004e32bea312f86454 tcpserv

RE: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread James Beam
Never mind...too late at night for me...somehow like magik I failed to see it 
in your email...time for bed!

-Original Message-
From: nishant amin [mailto:igonish...@gmail.com]
Sent: Tuesday, August 02, 2011 12:55 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Denial of Service on POP3

hi all
i am attaching my jail.conf  and pop.conf for qmail pop3 (this is working for 
me) may be you can edit it to your needs

[root@mail ~]# cat /etc/fail2ban/jail.conf


[pop3]
enabled  = true
filter   = pop3
action   = iptables[name=pop3, port=110, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
# you can put any other IP you want here
ignoreip = 127.0.0.1
backend = auto



[root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf

[Definition]
# Looks for failed password logins to POP3
failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =



regards
NIshant Amin

On Tue, Aug 2, 2011 at 7:08 AM, James Beam  wrote:
> They mean share your jail config for pop3 to get it working with Qmail
> - I have been curious of that myself...
>
>
>
> I use Fail2Ban on all my linux boxes - just never got it to work with
> qmail
> pop3 or pop3ssl...
>
>
>
> Imap would be nice too!
>
>
>
>
>
> From: Délsio Cabá [mailto:del...@gmail.com]
> Sent: Monday, August 01, 2011 11:06 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Denial of Service on POP3
>
>
>
> Hi,
>
> Thanks for the reply. Is there any chance you could share with us the
> pop3 filter code for qmail?
>
> Thanks for any help :)
>
> On 1 August 2011 12:50,  wrote:
>
> Fail2ban can be downloaded from YUM
>
> You need to change some settings in the config files to match your
> requirements. Its also has settings for bantime, who to mail when
> someone gets banned (ip adress), it uses iptables to update blocking schemes.
>
> I use fail2ban for pop3, smtp, ftp
>
> B/R Ole
> Using two latest Centos dists with QMT and Fail2Ban enabled.
>
>> Thanks,
>> But what if they are from different IP or I don't even get aware of
>> the attack?
>>
>> I think the best approach would be to use fail2ban. So I need someone
>> that already has a rule
>>
>> Thanks
>>
>> On 29 July 2011 16:16, Sergio Rosa  wrote:
>>
>>> block them at the fw level. or place an iptables rules on your host.
>>> This
>>> will do the job if the source ip is the same all the time.
>>>
>>> ---
>>> Thank you,
>>> Sérgio Rosa
>>>
>>> T. +351 91348 9195
>>> @. sergior...@awd.pt
>>>
>>> AWD - Arq. Web e Design, Unip. Lda
>>> R. Moinho Velho, 19, 2ºDto
>>> 2655-242 Ericeira
>>> http://www.awd.pt
>>>
>>>
>>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>>
>>>> Hi,
>>>>
>>>> I see these logs on pop3:
>>>> @40004e32be9f2581381c tcpserver: ok 19434
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>>> @40004e32bea312f86454 tcpserver: ok 19456
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>>>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
>>>> @40004e32bea409546f74 tcpserver: status: 2/200
>>>> @40004e32bea5084443ac tcpserver: status: 3/200
>>>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>>>>  @40004e32bea508445f04 tcpserver: ok 19462
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>>>
>>>> It seams to be a dos.
>>>> For smtp I use fail2ban.
>>>> Anyone knows how to block these IP using by creating a rule on
>>>> fail2ban?
>

RE: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread James Beam
Lol either the attachment failed or it got bonked.


-Original Message-
From: nishant amin [mailto:igonish...@gmail.com]
Sent: Tuesday, August 02, 2011 12:55 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Denial of Service on POP3

hi all
i am attaching my jail.conf  and pop.conf for qmail pop3 (this is working for 
me) may be you can edit it to your needs

[root@mail ~]# cat /etc/fail2ban/jail.conf


[pop3]
enabled  = true
filter   = pop3
action   = iptables[name=pop3, port=110, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
# you can put any other IP you want here
ignoreip = 127.0.0.1
backend = auto



[root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf

[Definition]
# Looks for failed password logins to POP3
failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =



regards
NIshant Amin

On Tue, Aug 2, 2011 at 7:08 AM, James Beam  wrote:
> They mean share your jail config for pop3 to get it working with Qmail
> - I have been curious of that myself...
>
>
>
> I use Fail2Ban on all my linux boxes - just never got it to work with
> qmail
> pop3 or pop3ssl...
>
>
>
> Imap would be nice too!
>
>
>
>
>
> From: Délsio Cabá [mailto:del...@gmail.com]
> Sent: Monday, August 01, 2011 11:06 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Denial of Service on POP3
>
>
>
> Hi,
>
> Thanks for the reply. Is there any chance you could share with us the
> pop3 filter code for qmail?
>
> Thanks for any help :)
>
> On 1 August 2011 12:50,  wrote:
>
> Fail2ban can be downloaded from YUM
>
> You need to change some settings in the config files to match your
> requirements. Its also has settings for bantime, who to mail when
> someone gets banned (ip adress), it uses iptables to update blocking schemes.
>
> I use fail2ban for pop3, smtp, ftp
>
> B/R Ole
> Using two latest Centos dists with QMT and Fail2Ban enabled.
>
>> Thanks,
>> But what if they are from different IP or I don't even get aware of
>> the attack?
>>
>> I think the best approach would be to use fail2ban. So I need someone
>> that already has a rule
>>
>> Thanks
>>
>> On 29 July 2011 16:16, Sergio Rosa  wrote:
>>
>>> block them at the fw level. or place an iptables rules on your host.
>>> This
>>> will do the job if the source ip is the same all the time.
>>>
>>> ---
>>> Thank you,
>>> Sérgio Rosa
>>>
>>> T. +351 91348 9195
>>> @. sergior...@awd.pt
>>>
>>> AWD - Arq. Web e Design, Unip. Lda
>>> R. Moinho Velho, 19, 2ºDto
>>> 2655-242 Ericeira
>>> http://www.awd.pt
>>>
>>>
>>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>>
>>>> Hi,
>>>>
>>>> I see these logs on pop3:
>>>> @40004e32be9f2581381c tcpserver: ok 19434
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>>> @40004e32bea312f86454 tcpserver: ok 19456
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>>>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
>>>> @40004e32bea409546f74 tcpserver: status: 2/200
>>>> @40004e32bea5084443ac tcpserver: status: 3/200
>>>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>>>>  @40004e32bea508445f04 tcpserver: ok 19462
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>>>
>>>> It seams to be a dos.
>>>> For smtp I use fail2ban.
>>>> Anyone knows how to block these IP using by creating a rule on
>>>> fail2ban?
>

Re: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread nishant amin
hi all
i am attaching my jail.conf  and pop.conf for qmail pop3 (this is
working for me)
may be you can edit it to your needs

[root@mail ~]# cat /etc/fail2ban/jail.conf


[pop3]
enabled  = true
filter   = pop3
action   = iptables[name=pop3, port=110, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
# you can put any other IP you want here
ignoreip = 127.0.0.1
backend = auto



[root@mail ~]# cat /etc/fail2ban/filter.d/pop3.conf

[Definition]
# Looks for failed password logins to POP3
failregex = vchkpw-pop3: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =



regards
NIshant Amin

On Tue, Aug 2, 2011 at 7:08 AM, James Beam  wrote:
> They mean share your jail config for pop3 to get it working with Qmail - I
> have been curious of that myself…
>
>
>
> I use Fail2Ban on all my linux boxes - just never got it to work with qmail
> pop3 or pop3ssl…
>
>
>
> Imap would be nice too!
>
>
>
>
>
> From: Délsio Cabá [mailto:del...@gmail.com]
> Sent: Monday, August 01, 2011 11:06 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Denial of Service on POP3
>
>
>
> Hi,
>
> Thanks for the reply. Is there any chance you could share with us the pop3
> filter code for qmail?
>
> Thanks for any help :)
>
> On 1 August 2011 12:50,  wrote:
>
> Fail2ban can be downloaded from YUM
>
> You need to change some settings in the config files to match your
> requirements. Its also has settings for bantime, who to mail when someone
> gets banned (ip adress), it uses iptables to update blocking schemes.
>
> I use fail2ban for pop3, smtp, ftp
>
> B/R Ole
> Using two latest Centos dists with QMT and Fail2Ban enabled.
>
>> Thanks,
>> But what if they are from different IP or I don't even get aware of the
>> attack?
>>
>> I think the best approach would be to use fail2ban. So I need someone that
>> already has a rule
>>
>> Thanks
>>
>> On 29 July 2011 16:16, Sergio Rosa  wrote:
>>
>>> block them at the fw level. or place an iptables rules on your host.
>>> This
>>> will do the job if the source ip is the same all the time.
>>>
>>> ---
>>> Thank you,
>>> Sérgio Rosa
>>>
>>> T. +351 91348 9195
>>> @. sergior...@awd.pt
>>>
>>> AWD - Arq. Web e Design, Unip. Lda
>>> R. Moinho Velho, 19, 2ºDto
>>> 2655-242 Ericeira
>>> http://www.awd.pt
>>>
>>>
>>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>>
>>>> Hi,
>>>>
>>>> I see these logs on pop3:
>>>> @40004e32be9f2581381c tcpserver: ok 19434
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>>> @40004e32bea312f86454 tcpserver: ok 19456
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>>>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
>>>> @40004e32bea409546f74 tcpserver: status: 2/200
>>>> @40004e32bea5084443ac tcpserver: status: 3/200
>>>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>>>>  @40004e32bea508445f04 tcpserver: ok 19462
>>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>>>
>>>> It seams to be a dos.
>>>> For smtp I use fail2ban.
>>>> Anyone knows how to block these IP using by creating a rule on
>>>> fail2ban?
>>>>
>>>> Regards
>>>>
>>>
>>>

RE: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread James Beam
They mean share your jail config for pop3 to get it working with Qmail - I have 
been curious of that myself...

I use Fail2Ban on all my linux boxes - just never got it to work with qmail 
pop3 or pop3ssl...

Imap would be nice too!


From: Délsio Cabá [mailto:del...@gmail.com]
Sent: Monday, August 01, 2011 11:06 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Denial of Service on POP3

Hi,

Thanks for the reply. Is there any chance you could share with us the pop3 
filter code for qmail?

Thanks for any help :)
On 1 August 2011 12:50, <ole.johan...@cryonix.no> wrote:
Fail2ban can be downloaded from YUM

You need to change some settings in the config files to match your
requirements. Its also has settings for bantime, who to mail when someone
gets banned (ip adress), it uses iptables to update blocking schemes.

I use fail2ban for pop3, smtp, ftp

B/R Ole
Using two latest Centos dists with QMT and Fail2Ban enabled.


> Thanks,
> But what if they are from different IP or I don't even get aware of the
> attack?
>
> I think the best approach would be to use fail2ban. So I need someone that
> already has a rule
>
> Thanks
>
> On 29 July 2011 16:16, Sergio Rosa <sergior...@awd.pt> wrote:
>
>> block them at the fw level. or place an iptables rules on your host.
>> This
>> will do the job if the source ip is the same all the time.
>>
>> ---
>> Thank you,
>> Sérgio Rosa
>>
>> T. +351 91348 9195
>> @. sergior...@awd.pt
>>
>> AWD - Arq. Web e Design, Unip. Lda
>> R. Moinho Velho, 19, 2ºDto
>> 2655-242 Ericeira
>> http://www.awd.pt
>>
>>
>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>
>>> Hi,
>>>
>>> I see these logs on pop3:
>>> @40004e32be9f2581381c tcpserver: ok 19434
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>> @40004e32bea312f86454 tcpserver: ok 19456
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
>>> @40004e32bea409546f74 tcpserver: status: 2/200
>>> @40004e32bea5084443ac tcpserver: status: 3/200
>>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>>>  @40004e32bea508445f04 tcpserver: ok 19462
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>>
>>> It seams to be a dos.
>>> For smtp I use fail2ban.
>>> Anyone knows how to block these IP using by creating a rule on
>>> fail2ban?
>>>
>>> Regards
>>>
>>
>>
>>
>>
>>
>




Re: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread Délsio Cabá
Hi,

Thanks for the reply. Is there any chance you could share with us the pop3
filter code for qmail?

Thanks for any help :)

On 1 August 2011 12:50,  wrote:

> Fail2ban can be downloaded from YUM
>
> You need to change some settings in the config files to match your
> requirements. Its also has settings for bantime, who to mail when someone
> gets banned (ip adress), it uses iptables to update blocking schemes.
>
> I use fail2ban for pop3, smtp, ftp
>
> B/R Ole
> Using two latest Centos dists with QMT and Fail2Ban enabled.
>
>
> > Thanks,
> > But what if they are from different IP or I don't even get aware of the
> > attack?
> >
> > I think the best approach would be to use fail2ban. So I need someone
> that
> > already has a rule
> >
> > Thanks
> >
> > On 29 July 2011 16:16, Sergio Rosa  wrote:
> >
> >> block them at the fw level. or place an iptables rules on your host.
> >> This
> >> will do the job if the source ip is the same all the time.
> >>
> >> ---
> >> Thank you,
> >> Sérgio Rosa
> >>
> >> T. +351 91348 9195
> >> @. sergior...@awd.pt
> >>
> >> AWD - Arq. Web e Design, Unip. Lda
> >> R. Moinho Velho, 19, 2ºDto
> >> 2655-242 Ericeira
> >> http://www.awd.pt
> >>
> >>
> >> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
> >>
> >>> Hi,
> >>>
> >>> I see these logs on pop3:
> >>> @40004e32be9f2581381c tcpserver: ok 19434
> >>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
> >>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
> >>> @40004e32bea00e22f32c tcpserver: status: 3/200
> >>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
> >>> @40004e32bea020c63c64 tcpserver: status: 2/200
> >>> @40004e32bea11ed14264 tcpserver: status: 3/200
> >>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
> >>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
> >>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
> >>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
> >>> @40004e32bea21499df54 tcpserver: status: 2/200
> >>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
> >>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
> >>> @40004e32bea312f86454 tcpserver: ok 19456
> >>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
> >>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
> >>> @40004e32bea409546f74 tcpserver: status: 2/200
> >>> @40004e32bea5084443ac tcpserver: status: 3/200
> >>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
> >>>  @40004e32bea508445f04 tcpserver: ok 19462
> >>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
> >>>
> >>> It seams to be a dos.
> >>> For smtp I use fail2ban.
> >>> Anyone knows how to block these IP using by creating a rule on
> >>> fail2ban?
> >>>
> >>> Regards
> >>>
> >>
> >>
>
>
>


Re: [qmailtoaster] Denial of Service on POP3

2011-08-01 Thread ole . johansen
Fail2ban can be downloaded from YUM

You need to change some settings in the config files to match your
requirements. It also has settings for bantime, who to mail when someone
gets banned (IP address); it uses iptables to update blocking schemes.

I use fail2ban for pop3, smtp, ftp

B/R Ole
Using two latest Centos dists with QMT and Fail2Ban enabled.


> Thanks,
> But what if they are from different IP or I don't even get aware of the
> attack?
>
> I think the best approach would be to use fail2ban. So I need someone that
> already has a rule
>
> Thanks
>
> On 29 July 2011 16:16, Sergio Rosa  wrote:
>
>> block them at the fw level. or place an iptables rules on your host.
>> This
>> will do the job if the source ip is the same all the time.
>>
>> ---
>> Thank you,
>> Sérgio Rosa
>>
>> T. +351 91348 9195
>> @. sergior...@awd.pt
>>
>> AWD - Arq. Web e Design, Unip. Lda
>> R. Moinho Velho, 19, 2ºDto
>> 2655-242 Ericeira
>> http://www.awd.pt
>>
>>
>> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>>
>>> Hi,
>>>
>>> I see these logs on pop3:
>>> @40004e32be9f2581381c tcpserver: ok 19434
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>>> @40004e32bea00e22f32c tcpserver: status: 3/200
>>>  @40004e32bea020c630ac tcpserver: end 19434 status 256
>>> @40004e32bea020c63c64 tcpserver: status: 2/200
>>> @40004e32bea11ed14264 tcpserver: status: 3/200
>>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>>>  @40004e32bea11edeb7b4 tcpserver: ok 19449
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>>> @40004e32bea21499df54 tcpserver: status: 2/200
>>>  @40004e32bea312f84ce4 tcpserver: status: 3/200
>>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>>> @40004e32bea312f86454 tcpserver: ok 19456
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>>>  @40004e32bea409545fd4 tcpserver: end 19456 status 256
>>> @40004e32bea409546f74 tcpserver: status: 2/200
>>> @40004e32bea5084443ac tcpserver: status: 3/200
>>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>>>  @40004e32bea508445f04 tcpserver: ok 19462
>>> ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>>
>>> It seams to be a dos.
>>> For smtp I use fail2ban.
>>> Anyone knows how to block these IP using by creating a rule on
>>> fail2ban?
>>>
>>> Regards
>>>
>>
>>
>>
>>
>>
>







Re: [qmailtoaster] Denial of Service on POP3

2011-07-31 Thread Délsio Cabá
Thanks,
But what if they are from different IPs or I don't even become aware of the
attack?

I think the best approach would be to use fail2ban. So I need someone who
already has a rule.

Thanks

On 29 July 2011 16:16, Sergio Rosa  wrote:

> Block them at the fw level, or place an iptables rule on your host. This
> will do the job if the source IP is the same all the time.
>
> ---
> Thank you,
> Sérgio Rosa
>
> T. +351 91348 9195
> @. sergior...@awd.pt
>
> AWD - Arq. Web e Design, Unip. Lda
> R. Moinho Velho, 19, 2ºDto
> 2655-242 Ericeira
> http://www.awd.pt
>
>
> On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:
>
>> Hi,
>>
>> I see these logs on pop3:
>> @40004e32be9f2581381c tcpserver: ok 19434 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
>> @40004e32bea00e2281e4 tcpserver: end 19433 status 256
>> @40004e32bea00e22f32c tcpserver: status: 3/200
>> @40004e32bea020c630ac tcpserver: end 19434 status 256
>> @40004e32bea020c63c64 tcpserver: status: 2/200
>> @40004e32bea11ed14264 tcpserver: status: 3/200
>> @40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
>> @40004e32bea11edeb7b4 tcpserver: ok 19449 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
>> @40004e32bea21499cfb4 tcpserver: end 19449 status 256
>> @40004e32bea21499df54 tcpserver: status: 2/200
>> @40004e32bea312f84ce4 tcpserver: status: 3/200
>> @40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
>> @40004e32bea312f86454 tcpserver: ok 19456 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
>> @40004e32bea409545fd4 tcpserver: end 19456 status 256
>> @40004e32bea409546f74 tcpserver: status: 2/200
>> @40004e32bea5084443ac tcpserver: status: 3/200
>> @40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
>> @40004e32bea508445f04 tcpserver: ok 19462 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092
>>
>> It seems to be a DoS.
>> For smtp I use fail2ban.
>> Does anyone know how to block these IPs by creating a rule in
>> fail2ban?
>>
>> Regards
>>
>
>


Re: [qmailtoaster] Denial of Service on POP3

2011-07-29 Thread Sergio Rosa
Block them at the fw level, or place an iptables rule on your host.
This will do the job if the source IP is the same all the time.


---
Thank you,
Sérgio Rosa

T. +351 91348 9195
@. sergior...@awd.pt

AWD - Arq. Web e Design, Unip. Lda
R. Moinho Velho, 19, 2ºDto
2655-242 Ericeira
http://www.awd.pt

On Fri, 29 Jul 2011 16:10:08 +0200, Délsio Cabá wrote:

Hi,

I see these logs on pop3:
@40004e32be9f2581381c tcpserver: ok 19434 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
@40004e32bea00e2281e4 tcpserver: end 19433 status 256
@40004e32bea00e22f32c tcpserver: status: 3/200
@40004e32bea020c630ac tcpserver: end 19434 status 256
@40004e32bea020c63c64 tcpserver: status: 2/200
@40004e32bea11ed14264 tcpserver: status: 3/200
@40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
@40004e32bea11edeb7b4 tcpserver: ok 19449 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
@40004e32bea21499cfb4 tcpserver: end 19449 status 256
@40004e32bea21499df54 tcpserver: status: 2/200
@40004e32bea312f84ce4 tcpserver: status: 3/200
@40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
@40004e32bea312f86454 tcpserver: ok 19456 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
@40004e32bea409545fd4 tcpserver: end 19456 status 256
@40004e32bea409546f74 tcpserver: status: 2/200
@40004e32bea5084443ac tcpserver: status: 3/200
@40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
@40004e32bea508445f04 tcpserver: ok 19462 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092

It seems to be a DoS.
For smtp I use fail2ban.
Does anyone know how to block these IPs by creating a rule in
fail2ban?

Regards







[qmailtoaster] Denial of Service on POP3

2011-07-29 Thread Délsio Cabá
Hi,

I see these logs on pop3:
@40004e32be9f2581381c tcpserver: ok 19434 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3912
@40004e32bea00e2281e4 tcpserver: end 19433 status 256
@40004e32bea00e22f32c tcpserver: status: 3/200
@40004e32bea020c630ac tcpserver: end 19434 status 256
@40004e32bea020c63c64 tcpserver: status: 2/200
@40004e32bea11ed14264 tcpserver: status: 3/200
@40004e32bea11ed15204 tcpserver: pid 19449 from 203.200.117.65
@40004e32bea11edeb7b4 tcpserver: ok 19449 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::3970
@40004e32bea21499cfb4 tcpserver: end 19449 status 256
@40004e32bea21499df54 tcpserver: status: 2/200
@40004e32bea312f84ce4 tcpserver: status: 3/200
@40004e32bea312f8589c tcpserver: pid 19456 from 203.200.117.65
@40004e32bea312f86454 tcpserver: ok 19456 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4024
@40004e32bea409545fd4 tcpserver: end 19456 status 256
@40004e32bea409546f74 tcpserver: status: 2/200
@40004e32bea5084443ac tcpserver: status: 3/200
@40004e32bea50844534c tcpserver: pid 19462 from 203.200.117.65
@40004e32bea508445f04 tcpserver: ok 19462 ns.mozdesigners.com:196.46.2.236:110 :203.200.117.65::4092


It seems to be a DoS.
For smtp I use fail2ban.
Does anyone know how to block these IPs by creating a rule in fail2ban?

Regards
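
The per-source connection rate in the tcpserver log above can be measured with the same maxretry/findtime logic used in the jail.conf posted in this thread. This is an added example, not code from the thread or from fail2ban: it counts `pid ... from <ip>` lines per address in a sliding window. The function names, sample lines and addresses are constructed for illustration; the labels in the thread show 20 hex digits where TAI64N uses 24, so the parser accepts both.

```python
import re
from collections import defaultdict, deque

# tcpserver logs one "pid <n> from <ip>" line per accepted connection.
CONN_RE = re.compile(
    r"^\s*@([0-9a-f]{20,24}) tcpserver: pid \d+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$")

def tai_seconds(label):
    """Seconds (float) from a TAI64N label; the last 8 hex digits are nanoseconds.

    Only the low 32 bits of the seconds field are read, so both the full
    24-digit form and the 20-digit form shown in this thread parse.
    """
    secs = int(label[:-8], 16) & 0xFFFFFFFF
    return secs + int(label[-8:], 16) / 1e9

def flooding_ips(lines, maxretry, findtime):
    """Return {ip: peak} for IPs with >= maxretry connections within findtime seconds.

    Assumes the lines are in chronological order, as multilog writes them.
    """
    recent = defaultdict(deque)   # ip -> connection times inside the window
    peak = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue  # "ok", "end" and "status:" lines are not new connections
        ts, ip = tai_seconds(m.group(1)), m.group(2)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= maxretry}

# Constructed sample in tcpserver/multilog format (documentation addresses).
SAMPLE = """\
@400000004e32bea11ed15204 tcpserver: pid 19449 from 192.0.2.10
@400000004e32bea11edeb7b4 tcpserver: ok 19449 mail.example:198.51.100.5:110 :192.0.2.10::3970
@400000004e32bea21499cfb4 tcpserver: end 19449 status 256
@400000004e32bea312f8589c tcpserver: pid 19456 from 192.0.2.10
@400000004e32bea50844534c tcpserver: pid 19462 from 192.0.2.10
@400000004e32bea60844534c tcpserver: pid 19470 from 192.0.2.77
@400000004e32c0a00844534c tcpserver: pid 19480 from 192.0.2.77
""".splitlines()

if __name__ == "__main__":
    for ip, n in flooding_ips(SAMPLE, maxretry=3, findtime=10).items():
        print(f"{ip}: {n} connections within 10s")
```

A threshold on raw connections also counts legitimate POP3 clients that poll often, so maxretry has to sit above normal polling for the chosen findtime.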