On Tue, 24 May 2022, Hippo Man wrote:

> I have already been doing the following for the past year or so: as soon as
> I detect (via my own, homegrown fail2ban-like log monitoring utility) what
> I deem to be attempts to log in via imap or pop3 with a dictionary password
> attack, I immediately do a DROP via iptables. Yes, this will block all
> future connection attempts from the same host, but unfortunately, it doesn't
> stop the following scenario, which regularly occurs on my server ...
>
> * Hacker connects via imap or pop3 to my server.
> * Hacker makes numerous login attempts one after the other with various
> passwords, and without disconnecting in between attempts. I've seen 10 and
> more of these repeated attempts rapidly during a single imap or pop3
> connection.
>
> Simply using iptables to DROP or REJECT the connection does not prevent
> those repeated login attempts during the original imap or pop3 session.
> Again, this only prevents *future* connections via that host.

It should block all subsequent packets received from that IP address, immediately. An in-process connection would appear (to the client) to hang.

Either there is an ACCEPT rule for related traffic somewhere in the chain before your new DROP rule, which is matching first and allowing the existing connection's packets through, or your DROP rule is malformed and not actually matching the traffic.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 724 days since the first private commercial manned orbital mission (SpaceX)
