Yes, I know, I forgot the attachment ... :-(
Regards

Alexander Maringer

Maringer IT Services
Alexander Maringer
Ranklhofweg 6
94034 Passau
Tel.: +49-851-9669695
Fax: +49-851-9662317
http://www.maringer-it.de

On 18.07.2010 22:29, Alexander Maringer wrote:
> Hello,
>
> I wrote some message about 1 month ago with the subject "Blacklist" (at
> beginning of June). At this time I was not able to reproduce the
> problem, because I didn't have this kind of attack until now.
>
> As I wrote before, I have some IPs in the blacklist table and I have
> added the blacklist option to the interface. But nevertheless the
> blacklisted IP has the ability to connect to my IMAP server:
> Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe rhost=213.123.136.225
> Jul 18 21:51:28 **** dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky rhost=213.123.136.225
>
> The dump is attached.
>
> Thanks a lot for any hints
>
>
> Regards
>
> Alexander Maringer
>
>
> On 31.05.2010 02:27, Alexander Maringer wrote:
>> Hello,
>>
>> I have some strange behaviour with shorewall 4.4.8.1-1 on a Debian squeeze.
>>
>> From time to time I have a brute force hacker trying to get access to
>> the pop3 accounts with generic names and passwords. I wanted to add them
>> to a static blacklist, so I added the blacklist option to the interfaces
>> file and added the IP to the blacklist file. But nevertheless the hacker
>> can continue the brute force.
>>
>> The "iptables -L -n" command shows the new entry:
>> # iptables -L -n | grep 60.251.16.91
>> DROP all -- 60.251.16.91
>>
>> The interfaces file contains:
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist
>>
>> The blacklist file contains:
>> #ADDRESS/SUBNET PROTOCOL PORT
>> 60.251.16.91 - -
>>
>> The rules file contains:
>> #ACTION SOURCE DEST PROTO DEST
>> SOURCE ORIGINAL RATE USER/ MARK
>> ACCEPT net $FW tcp pop3
>>
>> Extract from the shorewall.conf:
>> BLACKLIST_DISPOSITION=DROP
>>
>>
>> The blacklist documentation describes that the packets should be
>> dropped at the interface from the IPs mentioned in the blacklist. If I
>> add the IP at the rules file with the action "DROP", then I don't get
>> any attacks.
>>
>> Could anybody give me a hint why the blacklist entry is ignored? Thanks
>> a lot
>>
>> Alexander Maringer
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
status.txt.gz
Description: application/gzip
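
A way to confirm the symptom reported above from the logs alone, as an added example that is not part of the original message or of Shorewall: it reads a blacklist file in the column layout quoted in the thread and counts pam_unix authentication failures whose rhost falls inside a listed address or subnet. The function names are hypothetical, and the sample inputs are constructed (the third log line and the second blacklist entry are not from the post).

```python
import ipaddress
import re
from collections import Counter

# rhost= field of pam_unix authentication-failure lines, as quoted in the thread
RHOST_RE = re.compile(r"authentication failure;.*\brhost=(\S+)")

def parse_blacklist(text):
    """Return the networks found in the ADDRESS/SUBNET column."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop header and comments
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            continue  # not a plain address or CIDR subnet: skipped in this example
    return nets

def blacklisted_failures(log_text, nets):
    """Count auth failures per source address that is covered by the blacklist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RHOST_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # rhost can be a hostname; only literal addresses are checked
        if any(addr.version == n.version and addr in n for n in nets):
            hits[str(addr)] += 1
    return dict(hits)

# Constructed sample inputs (hostname replaced by "host")
SAMPLE_BLACKLIST = """\
#ADDRESS/SUBNET PROTOCOL PORT
60.251.16.91 - -
213.123.136.225 - -
"""
SAMPLE_LOG = """\
Jul 18 21:51:28 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bebe rhost=213.123.136.225
Jul 18 21:51:28 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=becky rhost=213.123.136.225
Jul 18 21:52:02 host dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
"""

if __name__ == "__main__":
    nets = parse_blacklist(SAMPLE_BLACKLIST)
    for ip, count in blacklisted_failures(SAMPLE_LOG, nets).items():
        print(f"{ip}: {count} auth failures despite a blacklist entry")
```

Only failures logged after the blacklist entry was loaded indicate a problem, so the log should be trimmed to that time window before it is passed in.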
