[vchkpw] [SPAM] block vpopmail brute force
Has anyone experienced people trying to brute force vpopmail? I'm sick of it, so I cron'ed a little script others might enjoy.

http://stilen.com/scripts/perl/vpopmail_fail2drop.pl

Feedback appreciated.

RE: [vchkpw] [SPAM] block vpopmail brute force
Hello,

It seems good! For such purpose I use this kind of rules:

iptables -P INPUT DROP
...
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
...
iptables -A INPUT -m state --state NEW -p TCP --dport 110 --syn -m limit --limit 3/s --limit-burst 3 -j ACCEPT
...
iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
...
iptables -A INPUT -m state --state NEW -j DROP

If more than 3 connections/sec on POP3 port, drop the packet (in fact the real rule is drop everything except if less than 3/sec on POP3 port).

-----Original Message-----
From: John Stile [mailto:j...@stilen.com]
Sent: Thursday 6 September 2012 08:04
To: vchkpw@inter7.com
Subject: [vchkpw] [SPAM] block vpopmail brute force

Has anyone experienced people trying to brute force vpopmail? I'm sick of it, so I cron'ed a little script others might enjoy.

http://stilen.com/scripts/perl/vpopmail_fail2drop.pl

Feedback appreciated.

Re: [vchkpw] [SPAM] block vpopmail brute force
Hello!

I am using fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page). Maybe it is useful for you, too.

Best,
Harti

On 06 Sep 12, Thibault Richard wrote:
> Hello,
>
> It seems good! For such purpose I use this kind of rules:
>
> iptables -P INPUT DROP
> ...
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> ...
> iptables -A INPUT -m state --state NEW -p TCP --dport 110 --syn -m limit --limit 3/s --limit-burst 3 -j ACCEPT
> ...
> iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> ...
> iptables -A INPUT -m state --state NEW -j DROP
>
> If more than 3 connections/sec on POP3 port, drop the packet (in fact the real rule is drop everything except if less than 3/sec on POP3 port).
>
> -----Original Message-----
> From: John Stile [mailto:j...@stilen.com]
> Sent: Thursday 6 September 2012 08:04
> To: vchkpw@inter7.com
> Subject: [vchkpw] [SPAM] block vpopmail brute force
>
> Has anyone experienced people trying to brute force vpopmail? I'm sick of it, so I cron'ed a little script others might enjoy.
>
> http://stilen.com/scripts/perl/vpopmail_fail2drop.pl
>
> Feedback appreciated.

Re: [vchkpw] [SPAM] block vpopmail brute force
On Thu, Sep 6, 2012 at 1:44 AM, Hartmut Wernisch | Domaintechnik.at h...@domaintechnik.at wrote:
> I am using fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page). Maybe it is useful for you, too.

That's what I use too - works quite well - using this vpopmail.conf for the filter configuration:

#---
# Fail2Ban configuration file
#
# Author: Chris Stone
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named host. The tag <HOST> can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = vchkpw-pop3: password fail.+:<HOST>
            vchkpw-submission: password fail.+:<HOST>
            vchkpw-smtp: password fail.+:<HOST>
            vchkpw-smtps: password fail.+:<HOST>
            vpopmail user not found.+:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#---

Chris

--
Chris Stone
AxisInternet, Inc.
www.axint.net
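
The filter above can be checked offline before it is enabled in a jail. The following is an added example, not part of the original thread and not fail2ban's own code: it expands <HOST> with the alias quoted in the filter comment, runs the five failregex lines over constructed log lines, and lists sources that reach a threshold. The log line layout, the addresses and the threshold of 3 (modelled on fail2ban's maxretry, without its findtime window) are assumptions.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter's comment block.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The five failregex lines from the vpopmail.conf filter in the thread.
FAILREGEX = [
    r"vchkpw-pop3: password fail.+:<HOST>",
    r"vchkpw-submission: password fail.+:<HOST>",
    r"vchkpw-smtp: password fail.+:<HOST>",
    r"vchkpw-smtps: password fail.+:<HOST>",
    r"vpopmail user not found.+:<HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]

# Constructed sample lines (assumed layout: "... user@domain:client-ip").
SAMPLE_LOG = """\
Sep  6 08:04:01 mail vpopmail[2101]: vchkpw-pop3: password fail (pass: 'x') info@example.com:203.0.113.7
Sep  6 08:04:02 mail vpopmail[2102]: vchkpw-pop3: password fail (pass: 'y') info@example.com:203.0.113.7
Sep  6 08:04:03 mail vpopmail[2103]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.7
Sep  6 08:05:10 mail vpopmail[2110]: vchkpw-pop3: (PLAIN) login success bob@example.com:198.51.100.20
Sep  6 08:05:40 mail vpopmail[2111]: vchkpw-submission: password fail (pass: 'z') bob@example.com:198.51.100.20
Sep  6 08:06:00 mail vpopmail[2112]: vchkpw-smtps: password fail (pass: 'q') eve@example.com:192.0.2.55
"""


def failed_host(line):
    """Return the source host if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(log_text, maxretry=3):
    """Count failures per host; keep hosts with at least maxretry failures."""
    hosts = (failed_host(line) for line in log_text.splitlines())
    counts = Counter(h for h in hosts if h)
    return {h: n for h, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for host, n in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
```

A successful login line matches none of the patterns, so a user who mistypes a password once and then logs in stays well under the threshold. On a host with fail2ban installed, fail2ban-regex performs the same kind of check against the real log and filter file.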