I do use OSSEC.  Do you have a particular page that discusses this and
how to set it up for blocking, or at least where I can read up on it?

CJ

Constantin IOAJA wrote:
> Maxwell Smart wrote:
>> Greetings fellow Qmailers,
>>
>> I am trying to find a way to block harvesters.  I am using Fail2ban,
>> but must not have it set up correctly to block the harvesters after 3
>> attempts.  If anyone can shed some light on how to set this up it
>> would be greatly appreciated.
>>
>> Here is my vpopmail logwatch
>>
>
> *OSSEC        http://www.ossec.net/
>
> " OSSEC is an Open Source Host-based Intrusion Detection System. It
> performs log analysis, file integrity checking, policy monitoring,
> rootkit detection, real-time alerting and active response."
>
>   Regards
>
>     Constantin *
> -------------------------------------
> *E-mail Notification*
> ==============
> OSSEC HIDS Notification.
> 2009 Aug 28 14:09:22
>
> Received From: mail->/var/log/maillog
> Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
> Portion of the log(s):
>
> Aug 28 14:09:20 mail vpopmail[5529]: vchkpw-pop3: vpopmail user not
> found test@:62.20.103.103
> Aug 28 14:09:20 mail vpopmail[5526]: vchkpw-pop3: vpopmail user not
> found support@:62.20.103.103
> ..............................................................
> Aug 28 14:09:17 mail vpopmail[5501]: vchkpw-pop3: vpopmail user not
> found support@:62.20.103.103
> Aug 28 14:09:16 mail vpopmail[5497]: vchkpw-pop3: vpopmail user not
> found support@:62.20.103.103
> -------------------------------
> OSSEC HIDS Notification.
> 2009 Aug 28 14:19:56
>
> Received From: mail->/var/log/maillog
> Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
> Portion of the log(s):
>
> Aug 28 14:19:55 mail vpopmail[6175]: vchkpw-pop3: vpopmail user not
> found demo@:62.20.103.103
> Aug 28 14:19:55 mail vpopmail[6169]: vchkpw-pop3: vpopmail user not
> found backup@:62.20.103.103
> .................................................
> Aug 28 14:19:53 mail vpopmail[6147]: vchkpw-pop3: vpopmail user not
> found demo@:62.20.103.103
> Aug 28 14:19:53 mail vpopmail[6144]: vchkpw-pop3: vpopmail user not
> found news@:62.20.103.103
> -------------------------------------------
> *active-responses.log*
>
> Fri Aug 28 14:09:22 EEST 2009
> /var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103
> 1251457762.234301 9952
> Fri Aug 28 14:09:22 EEST 2009
> /var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103
> 1251457762.234301 9952
> Fri Aug 28 14:19:52 EEST 2009
> /var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103
> 1251457762.234301 9952
> Fri Aug 28 14:19:52 EEST 2009
> /var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103
> 1251457762.234301 9952
> Fri Aug 28 14:19:56 EEST 2009
> /var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103
> 1251458396.242407 9952
> Fri Aug 28 14:19:56 EEST 2009
> /var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103
> 1251458396.242407 9952
> Fri Aug 28 14:30:26 EEST 2009
> /var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103
> 1251458396.242407 9952
> Fri Aug 28 14:30:26 EEST 2009
> /var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103
> 1251458396.242407 9952
>
>
>
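
The detection shown in the quoted alerts (repeated "vpopmail user not found" lookups from one source address), as an added example that is not part of the original thread and is not OSSEC's own rule logic. The function name, the 60-second window and the sample lines are assumptions made for illustration; the threshold of 3 is the figure from the original question, and the input is assumed to be in chronological order with one event per line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the vchkpw-pop3 format quoted in the thread
# (source addresses are from the documentation range 203.0.113.0/24).
SAMPLE_LOG = """\
Aug 28 14:09:16 mail vpopmail[5497]: vchkpw-pop3: vpopmail user not found support@:203.0.113.7
Aug 28 14:09:17 mail vpopmail[5501]: vchkpw-pop3: vpopmail user not found test@:203.0.113.7
Aug 28 14:09:18 mail vpopmail[5503]: vchkpw-pop3: vpopmail user not found alice@example.com:203.0.113.50
Aug 28 14:09:20 mail vpopmail[5526]: vchkpw-pop3: vpopmail user not found demo@:203.0.113.7
Aug 28 14:09:21 mail vpopmail[5529]: vchkpw-pop3: vpopmail user not found news@:203.0.113.7
Aug 28 14:15:40 mail vpopmail[5800]: vchkpw-pop3: vpopmail user not found alice@example.com:203.0.113.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-pop3: vpopmail user not found (?P<user>.*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_harvesters(log_text, threshold=3, window_s=60, year=2009):
    """Return [(ip, time_of_detection, distinct_users)] for each source that
    hits `threshold` unknown-user lookups within `window_s` seconds."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    flagged, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not an unknown-user event
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()           # drop events that aged out of the window
        if len(q) >= threshold and m["ip"] not in seen:
            seen.add(m["ip"])
            flagged.append((m["ip"], ts, sorted({u for _, u in q})))
    return flagged

if __name__ == "__main__":
    for ip, ts, users in find_harvesters(SAMPLE_LOG):
        print(f"{ts} block candidate {ip}: unknown users {users}")
```

The second source in the sample mistypes one address twice, six minutes apart, and stays under the threshold, which is the case a per-window count is meant to leave alone.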
