Re: [xmail] XMail under attack - failed pop3 logins

2010-02-12 Thread David Lord
On 12 Feb 2010 at 9:18, Spyros Tsiolis wrote:

> 
> Why do you port-forward pop110 to the outside world anyway ?
> 

Because I'd never thought about it, and it has always 
been open from before I used xmail. Even smtps, ssh
etc aren't as open, ie just from selected ip blocks 
that are likely to be used.

I've only just noticed volume of attacks increased,
eg. over past 20 weeks:
0,3,0,0,0,416,0,168,3,0,0,1225,127,0,132,3,3694,557,5049

> If you have clients outside, why not use VPNs for this ?

I'll setup a vpn when I swap out the two old firewalls
but it's not worth hassle at moment.

> AFAIK, port-forwarding pop3 to the outside world is not advisable.
No more than running an ftp server.

Problem isn't so much the security issues, it's load on
server during such attacks. Having a secure connection 
doesn't prevent the connection attempts although it 
will possibly reduce the load. Accepting connections
and delaying responses seems to be best compromise.

> Maybe Secure POP3 ?

Yep, I've had smtps in use for many years and no reason
not to use pop3s. 

cheers

David

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] XMail under attack - failed pop3 logins

2010-02-12 Thread Spyros Tsiolis

Why do you port-forward pop110 to the outside world anyway ?

If you have clients outside, why not use VPNs for this ?

AFAIK, port-forwarding pop3 to the outside world is not advisable.

Maybe Secure POP3 ?

Just my thoughts,

s.


-
"I merely function as a channel that filters music through
the chaos of noise"
- Vangelis



> From: xm...@lordynet.org
> To: xmail@xmailserver.org
> Date: Wed, 10 Feb 2010 11:55:07 +0000
> Subject: [xmail] XMail under attack - failed pop3 logins
> 
> 
> I've not seen this before today but XMail fell
> over during a pop3 password attack.
> 
>  pop3 connections at firewall
> Feb 10 05:00-06:00 0
> Feb 10 06:00-07:00  1161 
> Feb 10 07:00-08:00  9851
> Feb 10 08:00-09:00   248 
> Feb 10 09:00-10:00 0
> 
> Pop3 log on one server has 4987 entries all 
> "ELOGIN" but nothing else.  Second server on
> network has 3 similar entries from Feb 6.
> 
> Can I just add offending source ip range to spammers.tab
> or is it best to block at firewall?
> 
> I believe firewall can block on connection rate so
> might investigate that.
> 
> David
> 
> ___
> xmail mailing list
> xmail@xmailserver.org
> http://xmailserver.org/mailman/listinfo/xmail
  
_
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] XMail under attack - failed pop3 logins

2010-02-10 Thread Davide Libenzi
On Wed, 10 Feb 2010, David Lord wrote:

> On 10 Feb 2010 at 8:17, Davide Libenzi wrote:
> 
> > On Wed, 10 Feb 2010, David Lord wrote:
> > 
> > > 
> > > I've not seen this before today but XMail fell
> > > over during a pop3 password attack.
> > > 
> > >  pop3 connections at firewall
> > > Feb 10 05:00-06:00 0
> > > Feb 10 06:00-07:00  1161 
> > > Feb 10 07:00-08:00  9851
> > > Feb 10 08:00-09:00   248 
> > > Feb 10 09:00-10:00 0
> > > 
> > > Pop3 log on one server has 4987 entries all 
> > > "ELOGIN" but nothing else.  Second server on
> > > network has 3 similar entries from Feb 6.
> > > 
> > > Can I just add offending source ip range to spammers.tab
> > > or is it best to block at firewall?
> > > 
> > > I believe firewall can block on connection rate so
> > > might investigate that.
> > 
> > Firewall is better suited for things like that. That $hit does not even 
> > bother your server, in that way.
> > 
> 
> A couple of /8 blocks added as I was setting off out
> for afternoon when I spotted the problem.
> 
> Are attacks on pop3 something recent, or have I just
> been lucky?

No, I saw them too recently. I've setup a connection throttling with 
iptables.


- Davide


___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] XMail under attack - failed pop3 logins

2010-02-10 Thread David Lord
On 10 Feb 2010 at 8:17, Davide Libenzi wrote:

> On Wed, 10 Feb 2010, David Lord wrote:
> 
> > 
> > I've not seen this before today but XMail fell
> > over during a pop3 password attack.
> > 
> >  pop3 connections at firewall
> > Feb 10 05:00-06:00 0
> > Feb 10 06:00-07:00  1161 
> > Feb 10 07:00-08:00  9851
> > Feb 10 08:00-09:00   248 
> > Feb 10 09:00-10:00 0
> > 
> > Pop3 log on one server has 4987 entries all 
> > "ELOGIN" but nothing else.  Second server on
> > network has 3 similar entries from Feb 6.
> > 
> > Can I just add offending source ip range to spammers.tab
> > or is it best to block at firewall?
> > 
> > I believe firewall can block on connection rate so
> > might investigate that.
> 
> Firewall is better suited for things like that. That $hit does not even 
> bother your server, in that way.
> 

A couple of /8 blocks added as I was setting off out
for afternoon when I spotted the problem.

Are attacks on pop3 something recent, or have I just
been lucky?

Cheers

David


___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] XMail under attack - failed pop3 logins

2010-02-10 Thread Davide Libenzi
On Wed, 10 Feb 2010, David Lord wrote:

> 
> I've not seen this before today but XMail fell
> over during a pop3 password attack.
> 
>  pop3 connections at firewall
> Feb 10 05:00-06:00 0
> Feb 10 06:00-07:00  1161 
> Feb 10 07:00-08:00  9851
> Feb 10 08:00-09:00   248 
> Feb 10 09:00-10:00 0
> 
> Pop3 log on one server has 4987 entries all 
> "ELOGIN" but nothing else.  Second server on
> network has 3 similar entries from Feb 6.
> 
> Can I just add offending source ip range to spammers.tab
> or is it best to block at firewall?
> 
> I believe firewall can block on connection rate so
> might investigate that.

Firewall is better suited for things like that. That $hit does not even 
bother your server, in that way.


- Davide


___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


Re: [xmail] XMail under attack - failed pop3 logins

2010-02-10 Thread Vitoshnov Dmitriy

Add ip-adress to firewall better.

Dmitriy

10.02.2010 17:55, David Lord пишет:

I've not seen this before today but XMail fell
over during a pop3 password attack.

  pop3 connections at firewall
Feb 10 05:00-06:00 0
Feb 10 06:00-07:00  1161
Feb 10 07:00-08:00  9851
Feb 10 08:00-09:00   248
Feb 10 09:00-10:00 0

Pop3 log on one server has 4987 entries all
"ELOGIN" but nothing else.  Second server on
network has 3 similar entries from Feb 6.

Can I just add offending source ip range to spammers.tab
or is it best to block at firewall?

I believe firewall can block on connection rate so
might investigate that.

David

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail
   


___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail


[xmail] XMail under attack - failed pop3 logins

2010-02-10 Thread David Lord

I've not seen this before today but XMail fell
over during a pop3 password attack.

 pop3 connections at firewall
Feb 10 05:00-06:00 0
Feb 10 06:00-07:00  1161 
Feb 10 07:00-08:00  9851
Feb 10 08:00-09:00   248 
Feb 10 09:00-10:00 0

Pop3 log on one server has 4987 entries all 
"ELOGIN" but nothing else.  Second server on
network has 3 similar entries from Feb 6.

Can I just add offending source ip range to spammers.tab
or is it best to block at firewall?

I believe firewall can block on connection rate so
might investigate that.

David

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail