+1 on this method, but it looks as if the bot has nodes, so those IPs
need to be blocked also.
You can do a range of IPs by using CIDR notation, i.e. 11.22.33.44/16
= 11.22.00.00 - 11.22.254.254
Be careful with this because you could inadvertently drop legit
mail.
M
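An added example, not code from the thread: before dropping a whole CIDR block at the firewall, use Python's ipaddress module to expand the block, find the tightest block that covers the IPs you have actually seen, and count how many other addresses would be dropped with them. The offending IPs below are constructed samples, and drop_rule() only renders the iptables command line as a string.

```python
# Added example (not from the mailing list): size up a CIDR block before
# blocking it with iptables. The attacker IPs are constructed samples.
import ipaddress
from typing import Iterable

# Constructed sample of offending hosts as they would appear in the log.
ATTACKER_IPS = ["11.22.33.44", "11.22.33.57", "11.22.40.2", "11.22.199.8"]


def expand_cidr(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, number of addresses) for a CIDR.

    strict=False lets a host address such as 11.22.33.44/16 be given; the
    host bits are masked off, so it denotes 11.22.0.0/16.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def covering_network(ips: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every IP in `ips`."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    first, last = addrs[0], addrs[-1]
    prefix = 32
    while prefix > 0:
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net
        prefix -= 1
    return ipaddress.ip_network("0.0.0.0/0")


def collateral(cidr: str, ips: Iterable[str]) -> int:
    """Addresses the block would drop that are NOT among the observed attackers."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = sum(1 for ip in ips if ipaddress.ip_address(ip) in net)
    return net.num_addresses - hits


def drop_rule(cidr: str) -> str:
    """The iptables rule that drops the block (rendered only, not executed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"iptables -I INPUT -s {net} -j DROP"


if __name__ == "__main__":
    first, last, count = expand_cidr("11.22.33.44/16")
    print(f"11.22.33.44/16 = {first} - {last} ({count} addresses)")
    net = covering_network(ATTACKER_IPS)
    print(f"tightest block covering the samples: {net}")
    print(f"other addresses caught in that block: {collateral(str(net), ATTACKER_IPS)}")
    print(drop_rule(str(net)))
```

For the four sample IPs the covering block is still a /16, so the rule would drop 65,532 addresses that never appeared in the log; that is the "legit mail" risk in concrete numbers.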
Hi Sergio.
Yep, you're right, I think that was the one I was thinking of.
I too think the second one looks very promising - I'll have a closer
look at the script later on.
Also, as you write, it's possible to save iptables before reloading
fail2ban - good point - REMEMBER that fail2ban as def
Finn,
I
Finn Buhelt (kirstineslund) wrote:
Hi again Sergio.
FYI
fail2ban unbans the IP after X minutes (X is set in the jail.conf
either globally or per 'filter.conf')
/Finn
Hi, I am banning them for 1 week, but I wanted to know how to unban
someone right away if a customer complains.
Thanks!
On 02-03-2011 13:42, Sergio M wrote:
Hi Sergio.
1. There is a *.conf file somewhere on the net that checks fail2ban's
own logfile and to a certain extent prevents this from happening. (Sorry,
can't remember where, but will do some investigation and let you know if
I'm successful.)
2. iptables -D name-of-the-banned -s -j DROP
Hi Sergio.
Try to remove the @ sign and give it a go!
Regards
Finn
On 02-03-2011 13:27, Sergio M wrote:
Hi Sergio.
If I am reading your logfile correctly you should try to replace
*vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password
fail* and leave everything else.
Change this in the filter.d directory and remember to reload fail2ban
("fail2ban-client reload" on the CLI)
Rega
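An added example, not code from the thread and not fail2ban's own code: the matching and counting a fail2ban jail applies to vpopmail log lines, written out in Python so a filter.d regex can be tried against real log lines before running fail2ban-client reload. It matches both the "vchkpw-smtp: password fail" line Finn suggests and the "vchkpw-smtp: vpopmail user not found" line shown later in the thread, and counts hits per host with fail2ban's maxretry/findtime semantics. The log lines are constructed samples; the "(pass: '...')" part of the password-fail line is an assumption about vpopmail's format, not something shown on this page.

```python
# Added example (not from the mailing list, not fail2ban code): a fail2ban-style
# failregex check over constructed vpopmail log lines.
import re
from datetime import datetime, timedelta

# fail2ban writes <HOST> in filter.d files; here a plain IPv4 pattern stands in.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    # "password fail (pass: '...')" is an assumed vpopmail format, so the
    # parenthesised part is optional.
    re.compile(r"vchkpw-smtp: password fail(?: \(pass: '[^']*'\))? [^\s:]*@[^\s:]*:" + HOST),
    # Format as shown on the page: "vpopmail user not found admin@:68.115.208.106"
    re.compile(r"vchkpw-smtp: vpopmail user not found [^\s:]*@[^\s:]*:" + HOST),
]

# Constructed sample log. Note the pop3 line and the successful login, which
# must NOT count, and the two "user not found" hits 30 minutes apart.
SAMPLE_LOG = """\
Mar  2 10:00:01 srv vpopmail[4101]: vchkpw-smtp: password fail (pass: 'abc') info@example.com:203.0.113.7
Mar  2 10:00:04 srv vpopmail[4102]: vchkpw-smtp: password fail (pass: '123') info@example.com:203.0.113.7
Mar  2 10:00:05 srv vpopmail[4103]: vchkpw-pop3: vpopmail user not found bob@example.com:192.0.2.5
Mar  2 10:00:09 srv vpopmail[4104]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
Mar  2 10:00:12 srv vpopmail[4105]: vchkpw-smtp: password fail (pass: 'xyz') sales@example.com:203.0.113.7
Mar  2 10:00:20 srv vpopmail[4106]: vchkpw-smtp: (PLAIN) login success alice@example.com:198.51.100.9
Mar  2 10:30:00 srv vpopmail[4107]: vchkpw-smtp: vpopmail user not found admin@:68.115.208.106
""".splitlines()


def parse_failure(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            # syslog prefix "Mar  2 10:00:01"; the year is irrelevant for deltas
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def count_failures(lines):
    """Total failregex hits per host, ignoring time (a quick regex sanity check)."""
    counts = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is not None:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with >= maxretry failures inside any findtime-second window.

    Mirrors fail2ban's counting: per host, keep a sliding window of failure
    timestamps and ban once the window holds maxretry entries.
    """
    window = timedelta(seconds=findtime)
    recent = {}
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        q = recent.setdefault(host, [])
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("hits per host:", count_failures(SAMPLE_LOG))
    print("ban (maxretry=3, findtime=600):", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

With maxretry=3 only 203.0.113.7 is banned: 68.115.208.106 has two hits, but they are 30 minutes apart, so the findtime window never holds both.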
Fail2Ban does not work with qmail out of the box.
The scripting for the qmail log files needs to be
written specifically for fail2ban.
Has anyone managed to do this yet?
If so what price your script please?
On 02/03/2011 2:09 PM, Sergio M wrote:
I found this to use fail2ban to block vpopmail failed password attempts,
but cannot make it work.
It's in Spanish, but the code is in English anyway.
http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban
Any ideas, especially about the regex?
Thanks!
-Sergio
---
Hi,
FWIW I have some scripts that you can download
from my ftp server in the pub/qtp folder. They are
not all documented, but they are reasonably simple
scripts that can be understood easily.
Go to
ftp.ycs.com.au
cd /pub/qtp
qtp users are welcome to them, but please use
anonymous and your email a
It does yes!
On 02/03/2011 12:58 PM, Cecil Yother, Jr. wrote:
ff and are a specific target...
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
> -Original Message-
> From: South Computers [mailto:i...@southcomputers.com]
> Sent: Tuesday, March 01, 2011 7:07 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [
Sounds like they may have gotten hit with a virus or pissed someone off.
I would block the domain from relaying & inform the customer, possibly
make them change their email account passwords if it's not a large
organization. Ask them to relay through their provider if possible for
the time bein
; From: Sergio M [mailto:sergio...@gmail.com]
> Sent: Tuesday, March 01, 2011 6:45 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] SMTP attack
>
> Michael Colvin wrote:
> > Are all of the username portions of the e-mail addresses legitimate e-
Are all of the username portions of the e-mail addresses legitimate e-mails?
I.e., it looks like you cleansed the domain portion, but, in the log, are
all, or most, of the e-mails legitimate?
I've seen this with random attempts at guessing e-mails and passwords, but
not with all legit e-mails.
Tony,
Does this append the existing iptable with the offending IP?
I use fail2ban and it works great. OSSEC HIDS is a good tool too. I
use them both actually.
CJ
On 03/01/2011 05:14 PM, Tony White wrote:
> Try this at the command line and as root!
>
> iptables -I INPUT -s 11.22.33.44 -j DROP
Does the greylisting process not work for this problem?
2011/3/1, Eric Shubert:
> Sergio,
>
> .) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions
> had a bug where rejected sessions would not terminate immediately,
> causing excessive idle smtp sessions (and ultimately TIMEOUTs). That m
Try this at the command line and as root!
iptables -I INPUT -s 11.22.33.44 -j DROP
This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.
On 02/03/2011 11:25 AM, Sergio M wrote:
Ban the bad guy IP at the firewall level.
Best wishes,
Edwin
On 03/02/2011 08:25 AM, Sergio M wrote:
Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
/qtp-whatami v0
On 08/14/2010 02:56 PM, Aleksander Podsiadły wrote:
Last time I noticed an intensive dictionary attack on mail servers from
many IPs. For example:
Aug 14 10:19:21 srv vpopmail[4345]: vchkpw-smtp: vpopmail user not found
admin@:68.115.208.106
Aug 14 12:19:49 srv vpopmail[26126]: vchkpw-smtp: vpopm