> given attack that caused the blocking. These may be too much to
> include in stats, but, as one who has seen this kind of attack cause
> serious problems to my server, I'd certainly be interested to know
> what these guys are doing and how often.

grep your logs to find "info: authentication" messages, extract the IPs and then grep the logs again looking for any further activity from such IPs; in the case of bruteforcers there will be no "activity" (i.e. no mail being sent) - I know it isn't a short process, but at the moment it's the only way to find those suckers.

I currently have another problem with that; I've a mailserver which, on failed logons, returns an SMTP 500 code instead of the 535 one, so at the moment the mechanism isn't working for me. I just hope Thomas will find a workaround for this (a regexp to match "failed logon" responses would be just fine).

Anyways... yes, I think that stopping "harvest" attacks is a good thing; looking at my logs, it seems that there are a bunch of bots out there trying to bruteforce credentials (and not just for SMTP, POP3 and FTP are targeted as well), so slowing them down or even blackholing them (if they go over a given "limit") will help keep accounts safe.

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
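
The two-pass grep described in the message above can be done in one pass; this is an added example, not part of the original post or of ASSP. It assumes each log line carries the client IPv4 address as a whitespace-separated field; the sample lines and the `auth_only_ips` and `sample_log` names are constructed for illustration.

```shell
#!/bin/sh
# List IPs whose only log lines are "info: authentication" messages,
# i.e. clients that tried to log on but never sent mail.
# Output: "<auth line count> <ip>", busiest first.
# Reads the log files given as arguments, or stdin when none are given.
auth_only_ips() {
    awk '
    {
        # Assumption: the first IPv4-looking field is the client address.
        ip = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
        if (ip == "") next

        if (index($0, "info: authentication"))
            auth[ip]++      # authentication message for this IP
        else
            other[ip]++     # any other activity (mail being sent, etc.)
    }
    END {
        for (ip in auth)
            if (!(ip in other))
                print auth[ip], ip
    }' "$@" | sort -rn
}

# Constructed sample log (layout is illustrative, not real ASSP output).
sample_log() {
    cat <<'EOF'
Jul-01-10 10:00:01 192.0.2.10 info: authentication failed
Jul-01-10 10:00:02 192.0.2.10 info: authentication failed
Jul-01-10 10:00:03 192.0.2.10 info: authentication failed
Jul-01-10 10:01:00 198.51.100.7 info: authentication failed
Jul-01-10 10:01:05 198.51.100.7 <user@example.org> to: <dest@example.net> message ok
Jul-01-10 10:02:00 203.0.113.5 info: authentication failed
Jul-01-10 10:02:09 203.0.113.5 info: authentication failed
Jul-01-10 10:03:00 198.51.100.9 <other@example.org> to: <dest@example.net> message ok
EOF
}

# Demo run on the constructed sample.
sample_log | auth_only_ips
```

An IP that mistypes a password once and then sends mail (198.51.100.7 in the sample) is excluded, because it has activity beyond the authentication messages.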
