Hi,
I use this to stop immediate attacks...
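
#!/bin/sh
# Usage: pass one IPv4 address, optionally with a /prefix, as $1
logf="/var/log/blockip.log"
mdate=`date +%c`
### must be root ###
if [ "`whoami`" != "root" ]; then
    echo ""
    echo "$0 must be ran as root"
    echo ""
    exit 1
fi
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# refuse anything that is not digits, dots or a slash (also stops multi-line input)
case "$1" in
    ""|*[!0-9./]*) echo "$mdate Error in IP address $1"; exit 1 ;;
esac
# loose syntax check only: dotted quad with optional /prefix, octets are not range-checked
is_ip="grep -Ec '^[1-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9](\/[0-3]?[0-9])?$'"
if [ "`echo "$1" | eval $is_ip`" != "1" ]; then
    echo "$mdate Error in IP address $1"
elif iptables -I INPUT -s "$1" -j DROP; then
    # rule was accepted by iptables, so it is safe to persist it
    # echo out to rc file to start at reboot
    echo "iptables -I INPUT -s $1 -j DROP" >> /etc/rc.d/rc.blockedips
    echo "$mdate now dropping all packets from $1" >> "$logf"
else
    # iptables refused the address (e.g. an octet above 255): do not persist it
    echo "$mdate iptables rejected $1"
fi
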
quick and dirty but you can remove it when you like...
hope this helps...
Also use bfd (brute force detection) on pop/ssh/ftp as well. Automatically
stops attacks at 30 invalid login attempts from the same ip address.
http://www.rfxn.com/projects/brute-force-detection/
On 29/10/2010 10:02 AM, David Milholen wrote:
Hi everyone,
I had an interesting day. Started getting those calls about email clients asking for password. Red flag says "mail
server way too busy"
I investigate and find that vchkpw is taking all of the process load. I look at the number of connections and there were
about 50 from one place in Bulgaria. The only way to drop that was to add a drop rule into the gateway.
What is everyone using to stop this kind of force attack on the pop side?
--Dave
--
David Milholen
Project Engineer
P:501-318-1300
--
best wishes
Tony White
Yea Computing Services
http://www.ycs.com.au
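
The per-address threshold idea mentioned for bfd in the thread, sketched as an added example; it is not part of the original messages and is not bfd's own code. The log line shape, the sample addresses and the helper names `valid_ipv4`, `pop3_offenders` and `sample_log` are assumptions made for illustration. Each address is range-checked per octet before it is printed, so a value such as 203.0.113.299 never reaches a firewall rule.

```shell
#!/bin/sh
# Added example: list source IPs with at least THRESHOLD failed POP3 logins.
# Assumed log line shape (constructed, modelled on vchkpw syslog output):
#   <date> <host> vpopmail[<pid>]: vchkpw-pop3: password fail <user>:<ip>
THRESHOLD=30    # the per-address figure the message quotes for bfd

# Strict IPv4 check: exactly four octets, each 0-255, no other characters.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if ($i == "" || length($i) > 3 || $i > 255) exit 1 }'
}

# Read a mail log on stdin; print "<ip> <failures>" for each offender.
pop3_offenders() {
    awk -v limit="${1:-$THRESHOLD}" '
        /vchkpw-pop3: (password fail|vpopmail user not found)/ {
            ip = $NF
            sub(/^.*:/, "", ip)     # keep what follows the last colon
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort | while read -r ip count; do
        # Log content is attacker-influenced: validate before it reaches a rule.
        if valid_ipv4 "$ip"; then echo "$ip $count"; fi
    done
}

# Constructed sample log (documentation address ranges, made-up users).
sample_log() {
    pre="mail vpopmail[2101]: vchkpw-pop3:"
    i=0
    while [ "$i" -lt 30 ]; do
        printf 'Oct 29 09:58:%02d %s password fail info@example.com:203.0.113.9\n' "$i" "$pre"
        # Malformed source field: must never be handed to iptables.
        printf 'Oct 29 09:58:%02d %s password fail x@example.com:203.0.113.299\n' "$i" "$pre"
        i=$((i + 1))
    done
    for u in alice bob carol; do
        echo "Oct 29 09:59:01 $pre vpopmail user not found $u@example.com:198.51.100.7"
    done
    echo "Oct 29 09:59:30 $pre (PLAIN) login success dave@example.com:198.51.100.20"
}

sample_log | pop3_offenders    # prints: 203.0.113.9 30
```

On a real server the function would read the mail log on stdin instead of `sample_log`, and the first column of its output is what a blocking script would take as its argument.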