Hello,

I wrote a message about 1 month ago with the subject "Blacklist" (at the beginning of June). At that time I was not able to reproduce the problem, because I didn't have this kind of attack until now.

As I wrote before, I have some IPs in the blacklist table and I have added the blacklist option to the interface. But nevertheless the blacklisted IP has the ability to connect to my IMAP server:

Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe rhost=213.123.136.225
Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky rhost=213.123.136.225

The dump is attached.

Thanks a lot for any hints

Regards
Alexander Maringer

On 31.05.2010 02:27, Alexander Maringer wrote:
> Hello,
>
> I have some strange behaviour with shorewall 4.4.8.1-1 on a Debian squeeze.
>
> From time to time I have a brute force hacker trying to get access to
> the pop3 accounts with generic names and passwords. I wanted to add them
> to a static blacklist, so I added the blacklist option to the interfaces
> file and added the IP to the blacklist file. But nevertheless the hacker
> can continue the brute force.
>
> The "iptables -L -n" command shows the new entry:
> # iptables -L -n | grep 60.251.16.91
> DROP all -- 60.251.16.91
>
> The interfaces file contains:
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist
>
> The blacklist file contains:
> #ADDRESS/SUBNET PROTOCOL PORT
> 60.251.16.91 - -
>
> The rules file contains:
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
> ACCEPT net $FW tcp pop3
>
> Extract from the shorewall.conf:
> BLACKLIST_DISPOSITION=DROP
>
>
> The blacklist documentation describes that the packets from the IPs
> mentioned in the blacklist should be dropped at the interface. If I
> add the IP to the rules file with the action "DROP", then I don't get
> any attacks.
>
> Could anybody give me a hint why the blacklist entry is ignored?
> Thanks a lot
>
> Alexander Maringer
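
A check for the symptom reported above, as an added example that is not part of the original message: it reads a Shorewall blacklist file and reports blacklisted source addresses that still appear in dovecot-auth authentication-failure lines. The sample blacklist and log text are constructed from the lines quoted in the message (the host name `mail` and the `192.0.2.10` line are made up), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data, modelled on the lines quoted in the message.
BLACKLIST = """\
#ADDRESS/SUBNET PROTOCOL PORT
60.251.16.91 - -
213.123.136.225 - -
"""
AUTH_LOG = """\
Jul 18 21:51:28 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe rhost=213.123.136.225
Jul 18 21:51:28 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky rhost=213.123.136.225
Jul 18 21:52:02 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10
"""
FAIL_RE = re.compile(r"authentication failure;.*?\bruser=\S*\s+rhost=(\S+)")

def load_blacklist(text):
    """Return the IP/CIDR entries of a blacklist file as network objects."""
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            pass  # entry is not a plain address or subnet; skipped here
    return nets

def blacklisted_in_log(log_text, nets):
    """Count auth failures per source address that matches the blacklist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # rhost was logged as a hostname, not an address
        if any(ip in net for net in nets):
            hits[str(ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in blacklisted_in_log(AUTH_LOG, load_blacklist(BLACKLIST)).items():
        print(f"{ip}: {n} auth failures despite blacklist entry")
```

Any address it reports reached the authentication service even though it is listed, which narrows the question to why the firewall rule did not drop those packets.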
