Hello again,
Sounds pretty stupid but is there a script to test "email harvesting" - I have to check my fail2ban addition. Perhaps I got it right, but no one tries to hammer my vpopmail.

Ole J

_____

From: Constantin IOAJA [mailto:io...@cartel-alfa.ro]
Sent: 28. august 2009 21:40
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] re: harvesting

Maxwell Smart wrote:

> Greetings fellow Qmailers,
>
> I am trying to find a way to block harvesters. I am using Fail2ban, but must not have it set up correctly to block the harvesters after 3 attempts. If anyone can shed some light on how to set this up it would be greatly appreciated.
>
> Here is my vpopmail logwatch

OSSEC
http://www.ossec.net/

"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Regards
Constantin

-------------------------------------
E-mail Notification
==============

OSSEC HIDS Notification.
2009 Aug 28 14:09:22

Received From: mail->/var/log/maillog
Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
Portion of the log(s):

Aug 28 14:09:20 mail vpopmail[5529]: vchkpw-pop3: vpopmail user not found test@:62.20.103.103
Aug 28 14:09:20 mail vpopmail[5526]: vchkpw-pop3: vpopmail user not found support@:62.20.103.103
..............................................................
Aug 28 14:09:17 mail vpopmail[5501]: vchkpw-pop3: vpopmail user not found support@:62.20.103.103
Aug 28 14:09:16 mail vpopmail[5497]: vchkpw-pop3: vpopmail user not found support@:62.20.103.103

-------------------------------

OSSEC HIDS Notification.
2009 Aug 28 14:19:56

Received From: mail->/var/log/maillog
Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
Portion of the log(s):

Aug 28 14:19:55 mail vpopmail[6175]: vchkpw-pop3: vpopmail user not found demo@:62.20.103.103
Aug 28 14:19:55 mail vpopmail[6169]: vchkpw-pop3: vpopmail user not found backup@:62.20.103.103
.................................................
Aug 28 14:19:53 mail vpopmail[6147]: vchkpw-pop3: vpopmail user not found demo@:62.20.103.103
Aug 28 14:19:53 mail vpopmail[6144]: vchkpw-pop3: vpopmail user not found news@:62.20.103.103

-------------------------------------------
active-responses.log

Fri Aug 28 14:09:22 EEST 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103 1251457762.234301 9952
Fri Aug 28 14:09:22 EEST 2009 /var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103 1251457762.234301 9952
Fri Aug 28 14:19:52 EEST 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103 1251457762.234301 9952
Fri Aug 28 14:19:52 EEST 2009 /var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103 1251457762.234301 9952
Fri Aug 28 14:19:56 EEST 2009 /var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103 1251458396.242407 9952
Fri Aug 28 14:19:56 EEST 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103 1251458396.242407 9952
Fri Aug 28 14:30:26 EEST 2009 /var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103 1251458396.242407 9952
Fri Aug 28 14:30:26 EEST 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103 1251458396.242407 9952
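
An added example, not part of the thread or of any poster's configuration: a ban rule for the "vpopmail user not found" lines quoted above can be checked offline by replaying log text through the same match-and-count logic, with no POP3 traffic sent. The regex, the 600-second `findtime` and the function name `would_ban` are assumptions made here; `maxretry=3` follows the "after 3 attempts" in the thread, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the vpopmail syslog format quoted in the thread.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Aug 28 14:00:00 mail vpopmail[5401]: vchkpw-pop3: vpopmail user not found info@:198.51.100.7
Aug 28 14:05:00 mail vpopmail[5455]: vchkpw-pop3: vpopmail user not found admin@:198.51.100.7
Aug 28 14:09:16 mail vpopmail[5497]: vchkpw-pop3: vpopmail user not found support@:192.0.2.10
Aug 28 14:09:17 mail vpopmail[5501]: vchkpw-pop3: vpopmail user not found support@:192.0.2.10
Aug 28 14:09:18 mail some-other-daemon[5510]: constructed line that must not match
Aug 28 14:09:20 mail vpopmail[5526]: vchkpw-pop3: vpopmail user not found support@:192.0.2.10
Aug 28 14:09:20 mail vpopmail[5529]: vchkpw-pop3: vpopmail user not found test@:192.0.2.10
Aug 28 14:20:00 mail vpopmail[6201]: vchkpw-pop3: vpopmail user not found news@:198.51.100.7
"""

# Assumed pattern, modelled on the log lines in the OSSEC notification above.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-pop3: vpopmail user not found [^@\s]*@[^:\s]*:"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def would_ban(log_text, maxretry=3, findtime=600, year=2009):
    """Return {ip: timestamp of the failure that reaches maxretry within findtime s}."""
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m or m["ip"] in banned:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when}")
```

The slow source (three failures spread over twenty minutes) stays under the threshold with a 600-second window, which is the case worth checking when choosing `findtime`. fail2ban also ships a `fail2ban-regex` tool for running a real filter against a real log file.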