Re: [courier-users] attacks
Leigh S. Jones, KR6X wrote:
> My understanding was that the contents of smtpaccess.dat only affected
> port 25. Thus additional changes would be required to block attempted
> compromises on other ports.

Perhaps using a good firewall would be better? I mean, I hear that Linux has a command line driven software firewall that could be of use if scripted. Could operate similar to timed ban lists on chat rooms... So many invalid logins from host x in period y and the script updates the firewall to just drop everything from that host until removed. Have it set to remove in like a day or two. Might get a bit complicated but perhaps even an SQL database of previous offending IPs could be used to do increasing time limited bans for repeat offenders.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] attacks
My understanding was that the contents of smtpaccess.dat only affected port 25. Thus additional changes would be required to block attempted compromises on other ports.

----- Original Message -----
From: "Gordon Messmer" <[EMAIL PROTECTED]>
To:
Sent: Sunday, February 03, 2008 6:53 PM
Subject: Re: [courier-users] attacks

> Leigh S. Jones, KR6X wrote:
>> I created the macro (variable) $TCPDACCESS pointing to my ".dat"
>> file and tucked it in in front of $TCPDOPTS in the call starting up
>> the daemons in "/etc/init.d/courier-pop", "/etc/init.d/courier-pop-ssl",
>> "/etc/init.d/courier-imap", and "/etc/init.d/courier-imap-ssl" and ran
>> the makedat script against a small sample of bothersome IP addresses
>> from the last few minutes of the logs. I haven't seen any problems
>> arising from the change, but haven't yet proven to myself that
>> couriertcpd is rejecting anyone.
>>
>
> I think you're making the process somewhat more difficult than it needs
> to be. The changes you've made would need to be patched into future
> versions of courier when you upgrade...
>
> If you'd simply put the banned list in /etc/courier/smtpaccess/banned,
> and run "makesmtpaccess", no changes to the init scripts would have been
> required.
Re: [courier-users] attacks
Leigh S. Jones, KR6X wrote:
> I created the macro (variable) $TCPDACCESS pointing to my ".dat"
> file and tucked it in in front of $TCPDOPTS in the call starting up
> the daemons in "/etc/init.d/courier-pop", "/etc/init.d/courier-pop-ssl",
> "/etc/init.d/courier-imap", and "/etc/init.d/courier-imap-ssl" and ran
> the makedat script against a small sample of bothersome IP addresses
> from the last few minutes of the logs. I haven't seen any problems
> arising from the change, but haven't yet proven to myself that
> couriertcpd is rejecting anyone.
>

I think you're making the process somewhat more difficult than it needs to be. The changes you've made would need to be patched into future versions of courier when you upgrade...

If you'd simply put the banned list in /etc/courier/smtpaccess/banned, and run "makesmtpaccess", no changes to the init scripts would have been required.
Re: [courier-users] attacks
> ...you should cobble
> together some script that parses the log files, and inserts IP
> addresses into the blacklist.

Thanks for your help, Sam. Yes, I realized this already. I have already implemented "denyhosts" for secure shell and understand the process.

> fail2ban is designed to fit your needs

Thanks, Jerome. I'm aware of fail2ban and will give it consideration.

I created the macro (variable) $TCPDACCESS pointing to my ".dat" file and tucked it in in front of $TCPDOPTS in the call starting up the daemons in "/etc/init.d/courier-pop", "/etc/init.d/courier-pop-ssl", "/etc/init.d/courier-imap", and "/etc/init.d/courier-imap-ssl" and ran the makedat script against a small sample of bothersome IP addresses from the last few minutes of the logs. I haven't seen any problems arising from the change, but haven't yet proven to myself that couriertcpd is rejecting anyone.

----- Original Message -----
From: "Jérôme Blion" <[EMAIL PROTECTED]>
Cc:
Sent: Sunday, February 03, 2008 4:01 PM
Subject: Re: [courier-users] attacks

Sam Varshavchik wrote:
> Leigh S. Jones, KR6X writes:
>
>> I'm getting fed up with my bandwidth being gobbled up by numerous
>> attackers running dictionary attacks on my users' passwords for pop3
>> and imap logins. To that end, I'm hoping to enlist the aid of
>> couriertcpd. The way I understand it, I need to build an access
>> file with IP addresses followed by a tab then the keyword deny,
>> compile it into a binary database using a script similar to
>> makesmtpaccess, probably this would invoke
>> /usr/lib/courier/courier/makedatprog through the script
>> /usr/lib/courier/makedat, and then add the line
>> "-access=[filename.dat]" in /etc/init.d/pop3d, etc., pointing to my
>> database when invoking the daemons. Have I got this all correctly?
>
> Yes. There's a script called 'makedat' that's a generic version of
> makesmtpaccess, that you can use.
>
> Having said all that -- this is a losing battle. You'll spend the rest
> of your life maintaining this list manually, so you should cobble
> together some script that parses the log files, and inserts IP
> addresses into the blacklist.

fail2ban is designed to fit your needs.

HTH.
Jerome Blion.
Re: [courier-users] attacks
Sam Varshavchik wrote:
> Leigh S. Jones, KR6X writes:
>
>> I'm getting fed up with my bandwidth being gobbled up by numerous
>> attackers running dictionary attacks on my users' passwords for pop3
>> and imap logins. To that end, I'm hoping to enlist the aid of
>> couriertcpd. The way I understand it, I need to build an access
>> file with IP addresses followed by a tab then the keyword deny,
>> compile it into a binary database using a script similar to
>> makesmtpaccess, probably this would invoke
>> /usr/lib/courier/courier/makedatprog through the script
>> /usr/lib/courier/makedat, and then add the line
>> "-access=[filename.dat]" in /etc/init.d/pop3d, etc., pointing to my
>> database when invoking the daemons. Have I got this all correctly?
>
> Yes. There's a script called 'makedat' that's a generic version of
> makesmtpaccess, that you can use.
>
> Having said all that -- this is a losing battle. You'll spend the rest
> of your life maintaining this list manually, so you should cobble
> together some script that parses the log files, and inserts IP
> addresses into the blacklist.

fail2ban is designed to fit your needs.

HTH.
Jerome Blion.
Re: [courier-users] attacks
Leigh S. Jones, KR6X writes:

> I'm getting fed up with my bandwidth being gobbled up by numerous
> attackers running dictionary attacks on my users' passwords for pop3
> and imap logins. To that end, I'm hoping to enlist the aid of
> couriertcpd. The way I understand it, I need to build an access
> file with IP addresses followed by a tab then the keyword deny,
> compile it into a binary database using a script similar to
> makesmtpaccess, probably this would invoke
> /usr/lib/courier/courier/makedatprog through the script
> /usr/lib/courier/makedat, and then add the line
> "-access=[filename.dat]" in /etc/init.d/pop3d, etc., pointing to my
> database when invoking the daemons. Have I got this all correctly?

Yes. There's a script called 'makedat' that's a generic version of makesmtpaccess, that you can use.

Having said all that -- this is a losing battle. You'll spend the rest of your life maintaining this list manually, so you should cobble together some script that parses the log files, and inserts IP addresses into the blacklist.
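As an added example (not written by anyone in this thread) of the log-parsing script Sam suggests here, combined with the time-limited ban idea from Leigh's later firewall message: it counts "LOGIN FAILED" lines per source address inside a sliding window and emits the couriertcpd access-file source (address, tab, deny) that makedat compiles. The syslog line layout, the daemon names and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines; the courier-imap/pop3d "LOGIN FAILED" layout
# is an assumption here, so adjust LINE_RE to match your own logs.
SAMPLE_LOG = """\
Feb  3 15:58:01 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Feb  3 15:58:03 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.10]
Feb  3 15:58:05 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.10]
Feb  3 15:58:07 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:192.0.2.10]
Feb  3 15:58:09 mail pop3d-ssl: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.10]
Feb  3 15:59:10 mail imapd: LOGIN FAILED, user=carol, ip=[::ffff:198.51.100.7]
Feb  3 15:59:12 mail imapd: LOGIN, user=carol, ip=[::ffff:198.51.100.7], protocol=IMAP
Feb  3 12:00:00 mail pop3d: LOGIN FAILED, user=dave, ip=[::ffff:203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd)(?:-ssl)?: "
    r"LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)

# "Now" is fixed so the constructed sample is reproducible (syslog lines carry no year).
NOW = datetime(2008, 2, 3, 16, 0, 0)

def failed_logins(log_text, year=NOW.year):
    """Yield (timestamp, ip) for every LOGIN FAILED line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(log_text, now, window=timedelta(minutes=10), threshold=5):
    """Addresses with at least `threshold` failures in the `window` ending at `now`.
    Regenerating from a sliding window is what makes a ban expire: once the
    failures age out of the window the address drops off the list."""
    counts = defaultdict(int)
    for ts, ip in failed_logins(log_text, now.year):
        if now - window <= ts <= now:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def access_file(ips):
    """couriertcpd access-file source: one 'address<TAB>deny' line per offender,
    to be compiled with makedat into the .dat file given to -access."""
    return "".join(f"{ip}\tdeny\n" for ip in ips)

if __name__ == "__main__":
    print(access_file(offenders(SAMPLE_LOG, NOW)), end="")
```

Run it from cron over the recent log, rebuild the .dat with makedat from its output, and an address is only denied while its failures still fall inside the window, which is the "remove in a day or two" behaviour without a separate expiry table.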
[courier-users] attacks
I'm getting fed up with my bandwidth being gobbled up by numerous attackers running dictionary attacks on my users' passwords for pop3 and imap logins. To that end, I'm hoping to enlist the aid of couriertcpd. The way I understand it, I need to build an access file with IP addresses followed by a tab then the keyword deny, compile it into a binary database using a script similar to makesmtpaccess, probably this would invoke /usr/lib/courier/courier/makedatprog through the script /usr/lib/courier/makedat, and then add the line "-access=[filename.dat]" in /etc/init.d/pop3d, etc., pointing to my database when invoking the daemons. Have I got this all correctly?