One thing you can do is redirect common accounts such as postmaster, webmaster, root, etc. to your own account (or one you name uniquely). Then there is no way that a cracker could log in, because from their point of view there is no account to log in to!
Example router entry: <postmaster> = myaccount

At 2:06 AM +0200 7/11/02, List Gnome wrote:
> I'd seen address harvesting before, and SIMS blocks it wonderfully. Today I saw a new one though: a POP3 attack on guessed accounts, using "easy" passwords. A total of 125 attempts in 10 seconds. A piece of the log is below; I've left in quite a bit because it's interesting which accounts and passwords are attempted. Notice that !@#$%^&* are in a nice row on a keyboard ;-)
>
> Why try this, though? Is it a roundabout way of finding an open SMTP-relay (through feature "accept ipnr as client for 3 minutes after successful pop3 session"?). The culprit <http://samspade.org/t/lookat?a=202.103.160.101> seems to be from China. Espionage?
>
> It would be nice if SIMS recognized this type of attack as well, and put the ipnr on a TempBanned list...
>
> Does putting an ipnr in the manual SIMS blacklist also stop attempted pop3 sessions?
>
> [spaces added by me for easy reading; view in wide window]
>
> 07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [202.103.160.101:4293]
> 07:02:47 1 POP {admin} is not open: password() is wrong. Connection from [202.103.160.101:4292]
> 07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [202.103.160.101:4291]
> 07:02:47 1 POP {admin} is not open: password(111) is wrong. Connection from [202.103.160.101:4296]
> 07:02:47 1 POP {admin} is not open: password(1) is wrong. Connection from [202.103.160.101:4295]
> 07:02:47 1 POP {admin} is not open: password(root) is wrong. Connection from [202.103.160.101:4294]
> 07:02:47 1 POP {admin} is not open: password(12345) is wrong. Connection from [202.103.160.101:4299]
> 07:02:47 1 POP {admin} is not open: password(1234) is wrong. Connection from [202.103.160.101:4298]
> 07:02:47 1 POP {admin} is not open: password(123) is wrong. Connection from [202.103.160.101:4297]
> 07:02:47 1 POP {admin} is not open: password(!@#$%) is wrong. Connection from [202.103.160.101:4305]
> 07:02:47 1 POP {admin} is not open: password(asdfgh) is wrong. Connection from [202.103.160.101:4304]
> 07:02:47 1 POP {admin} is not open: password(asdf) is wrong. Connection from [202.103.160.101:4303]
> 07:02:47 1 POP {admin} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4302]
> 07:02:47 1 POP {admin} is not open: password(654321) is wrong. Connection from [202.103.160.101:4301]
> 07:02:47 1 POP {admin} is not open: password(123456) is wrong. Connection from [202.103.160.101:4300]
> 07:02:47 1 POP {admin} is not open: password(passwd) is wrong. Connection from [202.103.160.101:4310]
> 07:02:47 1 POP {admin} is not open: password(server) is wrong. Connection from [202.103.160.101:4309]
> 07:02:47 1 POP {admin} is not open: password(!@#$%^&*) is wrong. Connection from [202.103.160.101:4308]
> 07:02:47 1 POP {admin} is not open: password(!@#$%^&) is wrong. Connection from [202.103.160.101:4307]
> 07:02:47 1 POP {admin} is not open: password(!@#$%^) is wrong. Connection from [202.103.160.101:4306]
> 07:02:47 1 POP {root} is not open: password() is wrong. Connection from [202.103.160.101:4315]
> 07:02:47 1 POP {root} is not open: password(root) is wrong. Connection from [202.103.160.101:4314]
> 07:02:47 1 POP {admin} is not open: password(admin!@#$) is wrong. Connection from [202.103.160.101:4313]
> 07:02:47 1 POP {admin} is not open: password(admin123) is wrong. Connection from [202.103.160.101:4312]
> 07:02:49 1 POP {webmaster} is not open: password(!@#$%^&) is wrong. Connection from [202.103.160.101:4353]
> 07:02:49 1 POP {webmaster} is not open: password(webmaster123) is wrong. Connection from [202.103.160.101:4359]
> 07:02:49 1 POP {data} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4372]
> 07:02:49 1 POP {data} is not open: password(654321) is wrong. Connection from [202.103.160.101:4371]
> 07:02:50 1 POP {user} is not open: password(passwd) is wrong. Connection from [202.103.160.101:4403]
> 07:02:51 1 POP {web} is not open: password(123) is wrong. Connection from [202.103.160.101:4413]
> 07:02:51 1 POP {web} is not open: password(asdfgh) is wrong. Connection from [202.103.160.101:4420]
> 07:02:51 1 POP {oracle} is not open: password(oracle) is wrong. Connection from [202.103.160.101:4430]
> 07:02:51 1 POP {oracle} is not open: password(admin) is wrong. Connection from [202.103.160.101:4432]
> 07:02:53 1 POP {sybase} is not open: password(654321) is wrong. Connection from [202.103.160.101:4463]
> 07:02:53 1 POP {sybase} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4464]
> 07:02:53 1 POP {test} is not open: password(root) is wrong. Connection from [202.103.160.101:4479]
> 07:02:53 1 POP {test} is not open: password(admin) is wrong. Connection from [202.103.160.101:4478]
> 07:02:54 1 POP {master} is not open: password(server) is wrong. Connection from [202.103.160.101:4517]
> 07:02:54 1 POP {master} is not open: password(password) is wrong. Connection from [202.103.160.101:4519]
> 07:02:55 1 POP {backup} is not open: password() is wrong. Connection from [202.103.160.101:4523]
> 07:02:55 1 POP {backup} is not open: password(backup) is wrong. Connection from [202.103.160.101:4522]
> 07:02:55 1 POP {master} is not open: password(asdf) is wrong. Connection from [202.103.160.101:4511]
> 07:02:56 1 POP {server} is not open: password(!@#$) is wrong. Connection from [202.103.160.101:4556]
> 07:02:56 1 POP {server} is not open: password(password) is wrong. Connection from [202.103.160.101:4565]
> 07:02:56 1 POP {master} is not open: password(master) is wrong. Connection from [202.103.160.101:4499]
> 07:02:57 1 POP {test} is not open: password(12345) is wrong. Connection from [202.103.160.101:4484]
> 07:02:57 1 POP {test} is not open: password(123) is wrong. Connection from [202.103.160.101:4482]
>
> --
> Jan Jaap Spreij
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
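A defender-side check for the pattern List Gnome describes, as an added example that is not part of this thread and not SIMS's own code: it parses SIMS-style POP failure lines (a constructed sample in the same format, not the full log above), counts failures per source IP in a sliding window, and lists the account names each source guessed at. The threshold of five failures in ten seconds is an assumed tuning value, not something SIMS defines.

```python
import re
from collections import defaultdict
# Constructed sample in the SIMS POP log format quoted in the thread (not the full log).
SAMPLE_LOG = """\
07:02:47 1 POP {admin} is not open: password(admin) is wrong. Connection from [202.103.160.101:4293]
07:02:47 1 POP {admin} is not open: password() is wrong. Connection from [202.103.160.101:4292]
07:02:47 1 POP {root} is not open: password(root) is wrong. Connection from [202.103.160.101:4314]
07:02:49 1 POP {webmaster} is not open: password(webmaster123) is wrong. Connection from [202.103.160.101:4359]
07:02:51 1 POP {oracle} is not open: password(oracle) is wrong. Connection from [202.103.160.101:4430]
07:03:10 1 POP {alice} is not open: password(x) is wrong. Connection from [10.0.0.5:50012]
"""

# One failed-login line: time, account in braces, password in parentheses, client ip:port.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ POP \{(?P<account>[^}]*)\} is not open: "
    r"password\((?P<password>[^)]*)\) is wrong\. Connection from "
    r"\[(?P<ip>[\d.]+):\d+\]$"
)
def parse_failures(text):
    """Return (time, account, password, ip) tuples for each failed POP login line."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m["time"], m["account"], m["password"], m["ip"]) for m in hits if m]

def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def flag_bruteforce(records, threshold=5, window_seconds=10):
    """Flag source IPs whose failures reach `threshold` inside any sliding window
    of `window_seconds`; report the peak rate and the accounts they guessed at."""
    by_ip = defaultdict(list)
    for t, account, _pw, ip in records:
        by_ip[ip].append((_secs(t), account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1          # drop events that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "accounts": sorted({a for _, a in events})}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['peak']} failures in 10s, accounts tried: {info['accounts']}")
```

The flagged IPs are candidates for the TempBanned treatment the post asks for; the account list also shows which conventional names (postmaster, webmaster, root) are being probed and are worth routing to a uniquely named account as the reply suggests.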
