Re: [xmail] XMail under attack - failed pop3 logins
On 12 Feb 2010 at 9:18, Spyros Tsiolis wrote:

> Why do you port-forward pop110 to the outside world anyway ?

Because I'd never thought about it, and it has always been open from before I used xmail. Even smtps, ssh etc aren't as open, ie just from selected ip blocks that are likely to be used.

I've only just noticed volume of attacks increased, eg. over past 20 weeks:
0,3,0,0,0,416,0,168,3,0,0,1225,127,0,132,3,3694,557,5049

> If you have clients outside, why not use VPNs for this ?

I'll setup a vpn when I swap out the two old firewalls but it's not worth hassle at moment.

> AFAIK, port-forwarding pop3 to the outside world is not advisable.

No more than running an ftp server. Problem isn't so much the security issues, it's load on server during such attacks. Having a secure connection doesn't prevent the connection attempts although it will possibly reduce the load. Accepting connections and delaying responses seems to be best compromise.

> Maybe Secure POP3 ?

Yep, I've had smtps in use for many years and no reason not to use pop3s.

cheers

David

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail

Re: [xmail] XMail under attack - failed pop3 logins
Why do you port-forward pop110 to the outside world anyway ?
If you have clients outside, why not use VPNs for this ?
AFAIK, port-forwarding pop3 to the outside world is not advisable.
Maybe Secure POP3 ?

Just my thoughts,

s.

-
"I merely function as a channel that filters music through the chaos of noise"
- Vangelis

> From: xm...@lordynet.org
> To: xmail@xmailserver.org
> Date: Wed, 10 Feb 2010 11:55:07 +0000
> Subject: [xmail] XMail under attack - failed pop3 logins
>
> I've not seen this before today but XMail fell
> over during a pop3 password attack.
>
> pop3 connections at firewall
> Feb 10 05:00-06:00 0
> Feb 10 06:00-07:00 1161
> Feb 10 07:00-08:00 9851
> Feb 10 08:00-09:00 248
> Feb 10 09:00-10:00 0
>
> Pop3 log on one server has 4987 entries all
> "ELOGIN" but nothing else. Second server on
> network has 3 similar entries from Feb 6.
>
> Can I just add offending source ip range to spammers.tab
> or is it best to block at firewall?
>
> I believe firewall can block on connection rate so
> might investigate that.
>
> David

Re: [xmail] XMail under attack - failed pop3 logins
On Wed, 10 Feb 2010, David Lord wrote:

> On 10 Feb 2010 at 8:17, Davide Libenzi wrote:
>
> > On Wed, 10 Feb 2010, David Lord wrote:
> >
> > > I've not seen this before today but XMail fell
> > > over during a pop3 password attack.
> > >
> > > pop3 connections at firewall
> > > Feb 10 05:00-06:00 0
> > > Feb 10 06:00-07:00 1161
> > > Feb 10 07:00-08:00 9851
> > > Feb 10 08:00-09:00 248
> > > Feb 10 09:00-10:00 0
> > >
> > > Pop3 log on one server has 4987 entries all
> > > "ELOGIN" but nothing else. Second server on
> > > network has 3 similar entries from Feb 6.
> > >
> > > Can I just add offending source ip range to spammers.tab
> > > or is it best to block at firewall?
> > >
> > > I believe firewall can block on connection rate so
> > > might investigate that.
> >
> > Firewall is better suited for things like that. That $hit does not even
> > bother your server, in that way.
>
> A couple of /8 blocks added as I was setting off out
> for afternoon when I spotted the problem.
>
> Are attacks on pop3 something recent, or have I just
> been lucky?

No, I saw them too recently. I've setup a connection throttling with iptables.

- Davide

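An added illustration, not part of the thread and not the iptables configuration Davide refers to: a Python model of the per-source connection-rate limit discussed above, run over constructed traffic to show how few attempts would reach the POP3 server. The limit of 5 new connections per 60 seconds, the addresses and the traffic pattern are assumptions chosen for the example.

```python
from collections import defaultdict, deque

def throttle(events, max_new=5, window=60):
    """Apply a per-source sliding-window limit to new connections.

    events: (epoch_seconds, source_ip) tuples in time order.
    Every attempt is counted, including dropped ones, so a source that
    keeps hammering stays blocked until it goes quiet for `window` seconds.
    Returns (ts, ip, allowed) for each event.
    """
    seen = defaultdict(deque)
    verdicts = []
    for ts, ip in events:
        q = seen[ip]
        while q and ts - q[0] >= window:   # forget attempts outside the window
            q.popleft()
        q.append(ts)
        verdicts.append((ts, ip, len(q) <= max_new))
    return verdicts

def summarize(verdicts):
    """Return {ip: (allowed, dropped)}."""
    totals = defaultdict(lambda: [0, 0])
    for _, ip, allowed in verdicts:
        totals[ip][0 if allowed else 1] += 1
    return {ip: tuple(counts) for ip, counts in totals.items()}

# Constructed sample traffic (documentation address ranges, not from the thread):
# one source opening a POP3 connection every 2 s for 10 minutes, and a
# mail client polling every 5 minutes.
GUESSER, CLIENT = "203.0.113.7", "198.51.100.20"
SAMPLE = sorted([(t, GUESSER) for t in range(0, 600, 2)] +
                [(t, CLIENT) for t in (0, 300, 600)])

def demo():
    """Run the limiter over the constructed sample and total it per source."""
    return summarize(throttle(SAMPLE))

if __name__ == "__main__":
    for ip, (ok, dropped) in demo().items():
        print(f"{ip}: {ok} reached the server, {dropped} dropped at the firewall")
```
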
Re: [xmail] XMail under attack - failed pop3 logins
On 10 Feb 2010 at 8:17, Davide Libenzi wrote:

> On Wed, 10 Feb 2010, David Lord wrote:
>
> > I've not seen this before today but XMail fell
> > over during a pop3 password attack.
> >
> > pop3 connections at firewall
> > Feb 10 05:00-06:00 0
> > Feb 10 06:00-07:00 1161
> > Feb 10 07:00-08:00 9851
> > Feb 10 08:00-09:00 248
> > Feb 10 09:00-10:00 0
> >
> > Pop3 log on one server has 4987 entries all
> > "ELOGIN" but nothing else. Second server on
> > network has 3 similar entries from Feb 6.
> >
> > Can I just add offending source ip range to spammers.tab
> > or is it best to block at firewall?
> >
> > I believe firewall can block on connection rate so
> > might investigate that.
>
> Firewall is better suited for things like that. That $hit does not even
> bother your server, in that way.

A couple of /8 blocks added as I was setting off out for afternoon when I spotted the problem.

Are attacks on pop3 something recent, or have I just been lucky?

Cheers

David

Re: [xmail] XMail under attack - failed pop3 logins
On Wed, 10 Feb 2010, David Lord wrote:

> I've not seen this before today but XMail fell
> over during a pop3 password attack.
>
> pop3 connections at firewall
> Feb 10 05:00-06:00 0
> Feb 10 06:00-07:00 1161
> Feb 10 07:00-08:00 9851
> Feb 10 08:00-09:00 248
> Feb 10 09:00-10:00 0
>
> Pop3 log on one server has 4987 entries all
> "ELOGIN" but nothing else. Second server on
> network has 3 similar entries from Feb 6.
>
> Can I just add offending source ip range to spammers.tab
> or is it best to block at firewall?
>
> I believe firewall can block on connection rate so
> might investigate that.

Firewall is better suited for things like that. That $hit does not even bother your server, in that way.

- Davide

Re: [xmail] XMail under attack - failed pop3 logins
Add ip-address to firewall better.

Dmitriy

10.02.2010 17:55, David Lord wrote:

> I've not seen this before today but XMail fell
> over during a pop3 password attack.
>
> pop3 connections at firewall
> Feb 10 05:00-06:00 0
> Feb 10 06:00-07:00 1161
> Feb 10 07:00-08:00 9851
> Feb 10 08:00-09:00 248
> Feb 10 09:00-10:00 0
>
> Pop3 log on one server has 4987 entries all
> "ELOGIN" but nothing else. Second server on
> network has 3 similar entries from Feb 6.
>
> Can I just add offending source ip range to spammers.tab
> or is it best to block at firewall?
>
> I believe firewall can block on connection rate so
> might investigate that.
>
> David

[xmail] XMail under attack - failed pop3 logins
I've not seen this before today but XMail fell over during a pop3 password attack.

pop3 connections at firewall
Feb 10 05:00-06:00 0
Feb 10 06:00-07:00 1161
Feb 10 07:00-08:00 9851
Feb 10 08:00-09:00 248
Feb 10 09:00-10:00 0

Pop3 log on one server has 4987 entries all "ELOGIN" but nothing else. Second server on network has 3 similar entries from Feb 6.

Can I just add offending source ip range to spammers.tab or is it best to block at firewall?

I believe firewall can block on connection rate so might investigate that.

David