Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread GrayHat
 On a shared server, it is showing  User unknown attempts for
 some 15 to 30 domains in thousands like 5000 to 1 from
 various IP source, which seems be using resources
 unnecessarily.

 Is there a way to configure assp to discard such attempts from any
 ips (if possible for 24 hours), if it repeats User unknown attempts
 for 3 times per IP ( maybe per hour or per day) in assp

Expand the penaltybox section, set DoPenalty and DoPenaltyMessage
to block, scroll down and set DoPenaltyMakeTraps to make traps
and block them ensuring to also set the PenaltyMakeTraps to 10 or
less (that's up to you); check the PenaltyUseNetblocks and, since you
are at it, set the DoPenaltyExtremeSMTP to block

that should be a decent startup, then you may play with some other
settings in penaltybox, ip blocking, smtp session limits and more ...



--

___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread GrayHat
 
 Just set ValidateUserLog to nolog.

That would just avoid logging not solve the issue
on the other hand setting up ASSP to block those
IPs after they get in penalty extreme would help
sparing resources :)




Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread Fritz Borgstedt
GrayHat gray...@gmx.net writes:

That would just avoid logging not solve the issue
on the other hand setting up ASSP to block those
IPs after they get in penalty extreme would help
sparing resources :)


That solves the issue because it is just psychological.
I really doubt that blocking IPs in ASSP with penalty extreme would
spare resources compared to invalid user. If you would log the IP
blocking, it would also produce thousands of log entries. If not you
would think, you spare.





Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread Charles Marcus
On 2010-05-26 4:01 PM, Paul K. Dickson wrote:
 That's a really bad idea.  ASSP already does that in a sense but is smart
 about it.  Don't reinvent the wheel ;)

Actually fail2ban rocks, and blocks these kinds of things at the
firewall level, so is in that sense more secure.

And it is pretty smart about it too - it can block for limited times, or
permanently, based on what you tell it to do.

No sense in bogging down ASSP any more than need be, especially on a
busy server.

-- 

Best regards,

Charles



Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread GrayHat
 
 That solves the issue because it is just psychological.

Uh ?

 I really doubt that blocking IPs in ASSP with penalty extreme 
 would spare resources compared to invalid user. 

Yeah, sure, try getting some thousands attempts in a matter of
seconds (which means some millions connections attempts on
a typical day) and then come back and tell me that performing a
straight reject didn't spare resources

Oh well... no problem btw, you're free to handle your stuff as you
prefer; all in all that's just me g





Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread GrayHat
 
 No sense in bogging down ASSP any more than 
 need be, especially on a busy server.

Sounds like Fritz doesn't agree; up to him, by the way, and
really no problem with that; yet I think that, if *properly* set
up, ASSP is perfectly able to deal with such an issue w/o
having to recur to stuff like fail2ban




Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread Fritz Borgstedt
GrayHat gray...@gmx.net writes:
Sounds like Fritz doesn't agree; up to him

I explained quite a different thing.




Re: [Assp-user] ASSP fail2ban

2010-05-27 Thread Fritz Borgstedt
GrayHat gray...@gmx.net writes:

Yeah, sure, try getting some thousands attempts in a matter of
seconds (which means some millions connections attempts on
a typical day) and then come back and tell me that performing a
straight reject didn't spare resources

You block thousand attempts with one straight reject? At least in ASSP
that is not possible, you need roughly the same number of rejects on
the ip-level as you do with user invalid rejects.




Re: [Assp-user] ASSP fail2ban

2010-05-26 Thread Paul K. Dickson
That's a really bad idea.  ASSP already does that in a sense but is smart
about it.  Don't reinvent the wheel ;)


 From: MadTh madan.feedb...@gmail.com
 Reply-To: For Users of ASSP assp-user@lists.sourceforge.net
 Date: Wed, 26 May 2010 21:48:54 +0200
 To: assp-user@lists.sourceforge.net
 Subject: [Assp-user] ASSP fail2ban
 
 Hi,
 
 In http://www.fail2ban.org/wiki/index.php/ASSP,
 
 
 For following log:
 
 Example: Nov-14-09 00:14:50 54090-05322 201.244.255.72 
 bad...@gtgwhhrthrth.com [SMTP Error] 550 5.1.1 User unknown:
 your.u...@your-domain.com
 
 
 Assp fail regex is :
 failregex = .*? \d{5}-\d{5} <HOST> .*? \[SMTP Error\] (.*)
 
 
 
 
 
 
 Can you please advise fail regex for log pattern :
 
 May-12-10 13:16:41 82.249.21.94 user unknown te...@somedomain.com;
 
 
 
 where fail2ban will be able to get the IP from the above log alert message,
 and then block it in IPtables.
 
 
 
 
 Thanks




Re: [Assp-user] ASSP fail2ban

2010-05-26 Thread MadTh
On a shared server, it is showing  User unknown attempts for some 15 to 30
domains in thousands like 5000 to 1 from various IP source, which seems
be using resources unnecessarily.

Is there a way to configure assp to discard such attempts from any ips ( if
possible for 24 hours), if it repeats User unknown attempts for 3 times
per IP ( maybe per hour or per day) in assp



Please advise.




On Wed, May 26, 2010 at 10:01 PM, Paul K. Dickson 
pdick...@frederickcountymd.gov wrote:

 That's a really bad idea.  ASSP already does that in a sense but is smart
 about it.  Don't reinvent the wheel ;)


  From: MadTh madan.feedb...@gmail.com
  Reply-To: For Users of ASSP assp-user@lists.sourceforge.net
  Date: Wed, 26 May 2010 21:48:54 +0200
  To: assp-user@lists.sourceforge.net
  Subject: [Assp-user] ASSP fail2ban
 
  Hi,
 
  In http://www.fail2ban.org/wiki/index.php/ASSP,
 
 
  For following log:
 
  Example: Nov-14-09 00:14:50 54090-05322 201.244.255.72 
  bad...@gtgwhhrthrth.com [SMTP Error] 550 5.1.1 User unknown:
  your.u...@your-domain.com
 
 
  Assp fail regex is :
  failregex = .*? \d{5}-\d{5} <HOST> .*? \[SMTP Error\] (.*)
 
 
 
 
 
 
  Can you please advise fail regex for log pattern :
 
  May-12-10 13:16:41 82.249.21.94 user unknown te...@somedomain.com;
 
 
 
  where fail2ban will be able to get the IP from the above log alert message,
  and then block it in IPtables.
 
 
 
 
  Thanks
 




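Added example, not part of the thread or of ASSP/fail2ban: a candidate failregex for the "user unknown" line format asked about above, exercised in Python together with the "3 attempts per IP per hour" threshold (fail2ban's maxretry and findtime; the 24-hour block would be bantime). The HOST pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the sample lines are constructed, and timestamp handling differs between fail2ban versions, so check the regex against a real log with `fail2ban-regex` before enabling a jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion also accepts hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex for the "user unknown" format. Anchored at both ends so
# the client-supplied recipient address cannot move the captured IP.
FAILREGEX = r"^\s*(?:\S+ \S+ )?<HOST> user unknown \S+;\s*$"

# Constructed sample lines (documentation IP ranges, made-up addresses).
SAMPLE = [
    "May-12-10 13:16:41 192.0.2.10 user unknown a@somedomain.example;",
    "May-12-10 13:16:45 192.0.2.10 user unknown b@somedomain.example;",
    "May-12-10 13:16:50 198.51.100.7 user unknown c@somedomain.example;",
    "May-12-10 13:17:02 192.0.2.10 user unknown d@somedomain.example;",
    # Other log format (the wiki example's shape): needs its own failregex.
    "May-12-10 13:17:05 54090-05322 198.51.100.7 x@bad.example [SMTP Error] "
    "550 5.1.1 User unknown: e@somedomain.example",
    "May-12-10 14:00:00 203.0.113.5 user unknown f@somedomain.example;",
    "May-12-10 14:50:00 203.0.113.5 user unknown g@somedomain.example;",
    "May-12-10 15:40:00 203.0.113.5 user unknown h@somedomain.example;",
]

def extract_host(line, failregex=FAILREGEX):
    """Return the offending IP if the line matches the failregex, else None."""
    m = re.match(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def find_bans(lines, maxretry=3, findtime=timedelta(hours=1)):
    """IPs that reach maxretry matching lines inside a sliding findtime window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        when = datetime.strptime(" ".join(line.split()[:2]), "%b-%d-%y %H:%M:%S")
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

Only 192.0.2.10 crosses the threshold here: 198.51.100.7 has a single matching line, and the three hits from 203.0.113.5 are spread over more than an hour.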