I use those same settings.  But in addition, you can configure BlackICE to auto-block 
the "too many smtp errors" event (dictionary attack) by editing your issuelist.csv 
file.

Look for this line:
2001015,SMTP too many errors,0,agg,-1,7,,Spam,The SMTP....

And change the "agg" to "IP|RST":
2001015,SMTP too many errors,0,IP|RST,-1,7,,Spam,The SMTP....

This will tell BlackICE to auto-block the offending IP Address for 24 hours.  Don't 
expect the people at ISS to support this though.  They urged me not to edit that file 
when I asked.  But it does work.

Bill
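As an added example (not part of this thread and not BlackICE's own code), the following Python mirrors the two settings discussed above: it rewrites the issuelist.csv response field for event 2001015 from "agg" to "IP|RST", and it applies the smtp.error.count / smtp.error.interval threshold from Roger's blackice.ini excerpt to a constructed stream of SMTP error events, blocking an offending address for the 24 hours Bill describes. The CSV column layout, the per-IP sliding-window semantics, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Thresholds from the blackice.ini lines quoted in the thread.
SMTP_ERROR_COUNT = 10       # smtp.error.count
SMTP_ERROR_INTERVAL = 120   # smtp.error.interval (seconds)
BLOCK_SECONDS = 24 * 3600   # Bill reports the IP|RST response blocks for 24 hours

def set_autoblock(issuelist_text, issue_id="2001015", action="IP|RST"):
    """Rewrite the response field of one issuelist.csv row (e.g. "agg" -> "IP|RST").
    Assumption: the response is the 4th comma-separated field, as in the quoted line."""
    out = []
    for line in issuelist_text.splitlines():
        fields = line.split(",")
        if len(fields) > 3 and fields[0] == issue_id:
            fields[3] = action
        out.append(",".join(fields))
    return "\n".join(out) + ("\n" if issuelist_text.endswith("\n") else "")

def detect_dictionary_attacks(events, count=SMTP_ERROR_COUNT,
                              interval=SMTP_ERROR_INTERVAL, block_for=BLOCK_SECONDS):
    """Sliding-window check over (unix_time, source_ip) SMTP error events.
    An address producing `count` errors within `interval` seconds is blocked until
    t + block_for. Returns {ip: block_until}. The per-IP window is an assumption
    about how BlackICE applies count/interval, not its actual logic."""
    window = defaultdict(deque)
    blocked = {}
    for t, ip in sorted(events):
        if ip in blocked and t < blocked[ip]:
            continue                      # already blocked: connection would be reset
        q = window[ip]
        q.append(t)
        while q and t - q[0] > interval:  # drop errors older than the interval
            q.popleft()
        if len(q) >= count:
            blocked[ip] = t + block_for
            q.clear()
    return blocked

def sample_events():
    """Constructed SMTP error events (not real logs); addresses are documentation ranges."""
    attacker = [(1000 + 5 * i, "203.0.113.7") for i in range(12)]   # 12 errors in 55 s
    slow = [(1000 + 70 * i, "198.51.100.9") for i in range(9)]      # 9 errors over 560 s
    return attacker + slow

if __name__ == "__main__":
    print(set_autoblock("2001015,SMTP too many errors,0,agg,-1,7,,Spam,The SMTP....\n"))
    print(detect_dictionary_attacks(sample_events()))
```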


-----Original Message-----
From: Roger Heath
Sent: Thu, 23 Jan 2003 16:50:21 -0600
Subject: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks


Reply to: Don Schreiner
      Re: [Declude.JunkMail] OT: Dictionary Attacks on Thursday 11:51:25 AM

From an earlier msg:

Our servers are very stable with this firewall. It does not
autoblock these but you can manually block them. I noticed that
they do not show up in the log any more, so it appears to work
fine. I know you can set it to autoblock select events by editing
the blackice.ini, for example:

http.urllimit.count=60
http.urllimit.interval=50

will temporarily block too many URL requests, like web site
copying... These are the settings to block dictionary attacks. It
detects too many errors brought on by many failed logins...

[Settings]
smtp.error.count=10           ;total errors within
smtp.error.interval=120       ;this amount of time(sec)then blocked

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


----- Copy of Original Message(s): -----

D> Bill,

D> Also running BI as of a few weeks ago and tinkering with firewall.ini.
D> Would you mind sharing the .ini changes you made. You can e-mail me off
D> list. Thanks.

D> Sincerely,

D> Don Schreiner
D> CompBiz, Inc.
D> www.compbiz.net
D> 407-322-8654
D> 800-408-3688

D> -----Original Message-----
D> From: [EMAIL PROTECTED]
D> [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
D> Sent: Thursday, January 23, 2003 12:16 PM
D> To: [EMAIL PROTECTED]
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks


D> We started running BlackICE last month and it has been working nice for
D> us.  It requires a few config changes to get it to auto-block IPs that
D> send you dictionary attacks, but it is definitely a good solution.

D> Bill


D> -----Original Message-----
D> From: "R. Scott Perry"
D> Sent: Thu, 23 Jan 2003 10:58:09 -0500
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks



>>It seems this morning that we have several dictionary attacks happening
>>on one of Imail servers. Is there an easy way to stop the person doing 
>>this? I have looked through the log files and cannot easily spot the 
>>person(s) doing this.
>>
>>Is there software that will prevent people from performing Dictionary 
>>Attacks in the future?
>>
>>The POP3 and Declude processes are using like 50-09% of the CPU.
>>
>>Let me know if there is anything I can do...

D> Are you sure that it is a dictionary attack?  If the POP3 process has 
D> higher usage than normal, then E-mails are being sent to your users
D> (which would mean that it either isn't a dictionary attack, or a hybrid
D> attack where they send spam as part of the dictionary attack).

D> You might want to check the archives of the IMail Forum for ideas on
D> how to stop a dictionary attack.  Some tricks are using a "nobody" alias
D> (which I believe you are), or using a product like BlackIce Server to
D> stop it.

D> Unfortunately, Declude can't stop these, because it doesn't have access
D> to the TCP/IP connection (which is where it would need to be stopped).
D>                                               -Scott

D> ---
D> [This E-mail was scanned for viruses by Declude Virus
D> (http://www.declude.com)]

D> ---
D> This E-mail came from the Declude.JunkMail mailing list.  To
D> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
D> "unsubscribe Declude.JunkMail".  The archives can be found at
D> http://www.mail-archive.com.

D> ----------
D> Scanned by CompBiz for Viruses http://www.CompBiz.Net.
D> Save 15 Percent on Virus Software by visiting
D> http://www.compbiz.net/software_mcafee.cfm for details!
D> --
D> ActivatorMail(tm) ver.122102 Scanned for all viruses by 
D> www.activatormail.com intelligent anti-virus anti-spam service
