RE: [vchkpw] [SPAM] block vpopmail brute force

2012-09-06 Thread Thibault Richard
Hello,

It seems good!

For this purpose I use this kind of rule:

iptables -P INPUT DROP
...
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
...
iptables -A INPUT -m state --state NEW -p TCP --dport 110 --syn -m limit --limit 3/s --limit-burst 3 -j ACCEPT
...
iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
...
iptables -A INPUT -m state --state NEW -j DROP


If there are more than 3 connections/sec on the POP3 port, drop the packet (in
fact the real rule is: drop everything except if less than 3/sec on the POP3 port).


-----Original Message-----
From: John Stile [mailto:j...@stilen.com]
Sent: Thursday, 6 September 2012 08:04
To: vchkpw@inter7.com
Subject: [vchkpw] [SPAM] block vpopmail brute force

Has anyone experienced people trying to brute force vpopmail?  

I'm sick of it, so I cron'ed a little script others might enjoy.

http://stilen.com/scripts/perl/vpopmail_fail2drop.pl

Feedback appreciated.











Re: [vchkpw] [SPAM] block vpopmail brute force

2012-09-06 Thread Hartmut Wernisch | Domaintechnik.at
Hello!


I am using fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page).
Maybe it is useful for you, too.


Best,
Harti




Re: [vchkpw] [SPAM] block vpopmail brute force

2012-09-06 Thread Chris Stone
On Thu, Sep 6, 2012 at 1:44 AM, Hartmut Wernisch | Domaintechnik.at h...@domaintechnik.at wrote:

> I am using fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page).
> Maybe it is useful for you, too.


That's what I use too - works quite well - using this vpopmail.conf for the
filter configuration:

#---
# Fail2Ban configuration file
#
# Author: Chris Stone
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named host. The tag <HOST> can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = vchkpw-pop3: password fail.+:<HOST>
            vchkpw-submission: password fail.+:<HOST>
            vchkpw-smtp: password fail.+:<HOST>
            vchkpw-smtps: password fail.+:<HOST>
            vpopmail user not found.+:<HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
#---



Chris

-- 
Chris Stone
AxisInternet, Inc.
www.axint.net

