Re: [qmailtoaster] re: harvesting

Fri, 28 Aug 2009 15:51:19 -0700 

Not stupid really. I don't know of one.
Would someone care to create a wiki page about fail2ban on a toaster? Or perhaps write an install script for it that could be included in QTP? 


Ole N.Johansen wrote:

Hello again,


Sounds pretty stupid but is there a script to test “email harvesting” - 
I have to check my fail2ban addition..


Perhaps I got it right, but no one tries to hammer my vpopmail ..

Ole J

------------------------------------------------------------------------

*From:* Constantin IOAJA [mailto:io...@cartel-alfa.ro]
*Sent:* 28. august 2009 21:40
*To:* qmailtoaster-list@qmailtoaster.com
*Subject:* Re: [qmailtoaster] re: harvesting


 


Maxwell Smart wrote:

Greetings fellow Qmailers,


I am trying to find a way to block harvesters.  I am using Fail2ban, but 
must not have it set up correctly to block the harvesters after 3 
attempts.  If anyone can shed some light on how to set this up it would 
be greatly appreciated.


Here is my vpopmail logwatch


*OSSEC        http://www.ossec.net/


" OSSEC is an Open Source Host-based Intrusion Detection System. It 
performs log analysis, file integrity checking, policy monitoring, 
rootkit detection, real-time alerting and active response."


  Regards

    Constantin *
-------------------------------------
*E-mail Notification*
==============
OSSEC HIDS Notification.
2009 Aug 28 14:09:22

Received From: mail->/var/log/maillog
Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
Portion of the log(s):


Aug 28 14:09:20 mail vpopmail[5529]: vchkpw-pop3: vpopmail user not 
found test@:62.20.103.103 <mailto:test@:62.20.103.103>
Aug 28 14:09:20 mail vpopmail[5526]: vchkpw-pop3: vpopmail user not 
found support@:62.20.103.103 <mailto:support@:62.20.103.103>

..............................................................

Aug 28 14:09:17 mail vpopmail[5501]: vchkpw-pop3: vpopmail user not 
found support@:62.20.103.103 <mailto:support@:62.20.103.103>
Aug 28 14:09:16 mail vpopmail[5497]: vchkpw-pop3: vpopmail user not 
found support@:62.20.103.103 <mailto:support@:62.20.103.103>

-------------------------------
OSSEC HIDS Notification.
2009 Aug 28 14:19:56

Received From: mail->/var/log/maillog
Rule: 9952 fired (level 10) -> "POP3 brute force (email harvesting)."
Portion of the log(s):


Aug 28 14:19:55 mail vpopmail[6175]: vchkpw-pop3: vpopmail user not 
found demo@:62.20.103.103 <mailto:demo@:62.20.103.103>
Aug 28 14:19:55 mail vpopmail[6169]: vchkpw-pop3: vpopmail user not 
found backup@:62.20.103.103 <mailto:backup@:62.20.103.103>

.................................................

Aug 28 14:19:53 mail vpopmail[6147]: vchkpw-pop3: vpopmail user not 
found demo@:62.20.103.103 <mailto:demo@:62.20.103.103>
Aug 28 14:19:53 mail vpopmail[6144]: vchkpw-pop3: vpopmail user not 
found news@:62.20.103.103 <mailto:news@:62.20.103.103>

-------------------------------------------
*active-responses.log*


Fri Aug 28 14:09:22 EEST 2009 
/var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103 
1251457762.234301 9952
Fri Aug 28 14:09:22 EEST 2009 
/var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103 
1251457762.234301 9952
Fri Aug 28 14:19:52 EEST 2009 
/var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103 
1251457762.234301 9952
Fri Aug 28 14:19:52 EEST 2009 
/var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103 
1251457762.234301 9952
Fri Aug 28 14:19:56 EEST 2009 
/var/ossec/active-response/bin/host-deny.sh add - 62.20.103.103 
1251458396.242407 9952
Fri Aug 28 14:19:56 EEST 2009 
/var/ossec/active-response/bin/firewall-drop.sh add - 62.20.103.103 
1251458396.242407 9952
Fri Aug 28 14:30:26 EEST 2009 
/var/ossec/active-response/bin/host-deny.sh delete - 62.20.103.103 
1251458396.242407 9952
Fri Aug 28 14:30:26 EEST 2009 
/var/ossec/active-response/bin/firewall-drop.sh delete - 62.20.103.103 
1251458396.242407 9952






--
-Eric 'shubes'


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.

    
     To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

























					Reply via email to