Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Digital Instruments

Nice, that's great! :)
Just a little question: I don't get this <HOST> (I've also read the wiki
but it's not clear).

Can you give an example, please?

Thanks,
Cheers!

On 05/03/2011 23:26, Sergio M wrote:

Eric Shubert wrote:

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration ->
Security section. It's a start (albeit not much of one).



Hey guys, I created a basic article, but have trouble with formatting.
Can anyone take a look at it? This is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==


fail2ban homepage: http://www.fail2ban.org.
Please check [0] and [1] for more details.



== 1. Installation ==

Enable the EPEL repos [2] and then 'yum install fail2ban'



== 2. Setup ==

To work with Qmail/vpopmail, a filter and a jail should be defined.
'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]
# Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf   (add this)

[vpopmail-fail]
enabled  = true
filter   = vpopmail-fail
action   = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 1
bantime  = 604800
findtime = 3600

'''c. Test the filter file:'''
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex or 0 if no
matches:

Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
   [1] 123 match(es)


'''d. Reload config:'''
# fail2ban-client stop/start

'''e. Check the status of a jail:'''

# fail2ban-client status vpopmail-fail

Status for the jail: vpopmail-fail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed:     225
`- action
   |- Currently banned: 109
   |  `- IP list:       200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned:     109

'''NOTE:''' Once it starts running and the logs have matching
strings, it will create iptables rules dropping that IP. But... when
fail2ban reloads and/or iptables restarts and/or the machine reboots and/or the
weekly logrotate runs, those rules are gone. Bye bye!

So... what to do?

- Before changes, do a '# service iptables save' and it will write
them to a file, and after any change do '# service iptables restart'
to make it load the saved set of rules;

- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].


== 3. A little basic admin stuff ==

'''a. Check banned IPs:'''
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- to see the IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
3) Remove it from /etc/sysconfig/iptables (it may be listed several times).





== 4. References ==

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/




No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1204 / Virus Database: 1435/3480 - Release Date: 03/03/2011


- 
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com) Vickers Consulting Group offers 
Qmailtoaster support and installations. If you need professional help 
with your setup, contact them today! 
- 
Please visit qmailtoaster.com for the latest news, updates, and 
packages. To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 





Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Peter Peterse
<HOST> is an alias for a regular expression to find the IP address, which
is defined in the code.

Good luck,
Peter.




Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Finn Buhelt (kirstineslund)

Hi.

<HOST> matches either the IP address or the hostname.

Cheers
Finn






Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Pak Ogah

On 07-Mar-11 21:49, Eric Shubert wrote:

Great job, Pak.
Thanks, Toma.
Pak, will you get this incorporated into the wiki?
TIA.

OK Eric, it's done, but since I just copied and pasted it as is and
re-formatted it, I don't know what that fail2ban setup means (I haven't
tried it either). But I saw something weird, so I would like to ask
Sergio, Toma and others who understand fail2ban:

@Sergio,
you created a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf
but the regex is searching for vchkpw-smtp: password fail ([^)]*)
[^@]*@[^:]*:<HOST>

and how come in the action you are blocking the SMTP port rather than the POP3 port?
action   = iptables[name=SMTP, port=smtp, protocol=tcp]

@Toma,
I have changed
 logpath = /your/path/to/pop3/logs
into
 logpath = /var/log/maillog

because that is the log where I can find the "vpopmail user not found"
error on a QMT system.

BTW, I have changed
 action = shorewall
into
 action = iptables[name=SMTP, port=smtp, protocol=tcp]
and the question is also the same: why did you block the SMTP port for an
error in the POP3 log?

I think we need to standardize the fail2ban rules for QMT.






Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Toma Bogdan


Hello,

If your system has shorewall as its firewall management solution, we get
the 'action' statement from /etc/fail2ban/jail.conf:
---
[qmail-pop3]
enabled = true
filter  = qmail-pop3
action  = shorewall
          sendmail[name=Qmail Pop3 user fail, dest=y...@yourdomain.com]

logpath = /path/to/logfile
maxretry = 3
bantime = 600
---
Now 'action' refers to files from /etc/fail2ban/action.d:
shorewall.conf (the 'shorewall' from the action line above)
and
sendmail.conf (the 'sendmail' from the action line above)
where we have:

shorewall.conf
---
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = shorewall drop <ip>
actionunban = shorewall allow <ip>
---

and

sendmail.conf
---
[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actioncheck =

actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

actionunban = printf %%b "Subject: [Fail2Ban] <name>: unbanned <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The IP <ip> has just been unbanned by Fail2Ban
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>


[Init]
name = default
dest = root
sender = fail2ban
---

When used with shorewall, the <HOST> is passed to shorewall as
'shorewall drop <ip>' and the IP will be dropped (there is no use of port
or protocol).

I never used the iptables action in fail2ban, sorry, I have to do some tests...
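To make the action mechanics above concrete, here is an added example (my own code, not fail2ban's and not from the thread) that takes a jail's `action =` value in the form Toma describes, looks up each action's [Init] defaults and its actionban/actionunban template, and renders the shell commands fail2ban would run for one banned host. The shorewall and sendmail templates are the ones quoted above (sendmail joined onto one line); the iptables template is fail2ban 0.8's stock action.d/iptables.conf as I remember it, so treat it as an assumption; it is included because it is where the fail2ban-SMTP chain used in the wiki's unblock step comes from. The jail values, IP addresses, failure count and mail destination are made up.

```python
import re

# Templates from action.d/*.conf: [Init] defaults plus ban/unban commands.
# shorewall and sendmail are quoted from the thread (sendmail abridged to the
# ban/unban commands, joined onto one line); iptables is the stock fail2ban
# 0.8 file from memory (assumption, not quoted from the thread).
ACTIONS = {
    "shorewall": {
        "init": {},
        "actionban": "shorewall drop <ip>",
        "actionunban": "shorewall allow <ip>",
    },
    "iptables": {
        "init": {"name": "default", "port": "ssh", "protocol": "tcp"},
        "actionban": "iptables -I fail2ban-<name> 1 -s <ip> -j DROP",
        "actionunban": "iptables -D fail2ban-<name> -s <ip> -j DROP",
    },
    "sendmail": {
        "init": {"name": "default", "dest": "root", "sender": "fail2ban"},
        # %% is ConfigParser escaping for a literal %; \n is left for printf %b
        "actionban": (
            r'printf %%b "Subject: [Fail2Ban] <name>: banned <ip>\n'
            r"From: Fail2Ban <<sender>>\n"
            r"To: <dest>\n\n"
            r"Hi,\n"
            r"The IP <ip> has just been banned by Fail2Ban after "
            r"<failures> attempts against <name>.\n"
            r"Regards,\n"
            r'Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'
        ),
        "actionunban": (
            r'printf %%b "Subject: [Fail2Ban] <name>: unbanned <ip>\n'
            r"From: Fail2Ban <<sender>>\nTo: <dest>\n\n"
            r"Hi,\nThe IP <ip> has just been unbanned by Fail2Ban\nRegards,\n"
            r'Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'
        ),
    },
}

# One entry per line of the jail's "action =" value: name or name[k=v, k=v].
ENTRY_RE = re.compile(r"^(?P<name>[\w-]+)(?:\[(?P<params>.*)\])?$")


def parse_action_value(value):
    """Split a jail's (possibly multi-line) action value into
    [(action_name, {param: value}), ...]. Parameters are split on commas,
    which is enough for the lines in this thread; fail2ban's own parser
    also copes with quoted values that contain commas."""
    entries = []
    for raw in value.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if m is None:
            raise ValueError(f"cannot parse action entry: {raw!r}")
        params = {}
        for kv in (m.group("params") or "").split(","):
            if "=" in kv:
                key, _, val = kv.partition("=")
                params[key.strip()] = val.strip()
        entries.append((m.group("name"), params))
    return entries


def render(template, tags):
    """Fill every <tag> from tags and turn %% back into a single %, which is
    what fail2ban does before handing the command to the shell."""
    out = template.replace("%%", "%")
    for key, val in tags.items():
        out = out.replace(f"<{key}>", str(val))
    return out


def commands_for(value, event, ip, failures=0):
    """Return the shell commands fail2ban would run for one event
    ('actionban' or 'actionunban'): jail parameters override the [Init]
    defaults, and <ip>/<failures> come from the event itself."""
    cmds = []
    for name, params in parse_action_value(value):
        spec = ACTIONS[name]
        tags = {**spec["init"], **params, "ip": ip, "failures": failures}
        cmds.append(render(spec[event], tags))
    return cmds


# Constructed jail values (the mail address and IPs are made up).
POP3_ACTION = """shorewall
                 sendmail[name=Qmail Pop3 user fail, dest=postmaster@example.com]"""
SMTP_ACTION = "iptables[name=SMTP, port=smtp, protocol=tcp]"

if __name__ == "__main__":
    for cmd in commands_for(POP3_ACTION, "actionban", "192.0.2.9", failures=3):
        print(cmd)
    # name=SMTP is why the wiki's unblock step deletes from chain fail2ban-SMTP
    print(commands_for(SMTP_ACTION, "actionunban", "11.22.33.44")[0])
```

Running it shows the shorewall drop, the rendered sendmail pipeline with `<<sender>>` collapsed to `<fail2ban>`, and `iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP`, i.e. exactly the command the wiki article tells you to type by hand when unblocking.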




Re: Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Sergio M


Hi Pak,
I created the filter to block IPs that try to log into SMTP, guessing
passwords.
That's why I use a regex that searches for 'password fail' and blocks
SMTP and not POP3.
I think there's a standard fail2ban filter that blocks POP3 logins, but I
could not make it work.

Regards,
Sergio
PS: Thanks for the formatting, BTW!






Re: [qmailtoaster] Re: SMTP attack

2011-03-08 Thread Pak Ogah

Okay, thank you for your explanation.





Re: [qmailtoaster] Re: SMTP attack

2011-03-07 Thread Pak Ogah

Okay, done, prettified with some minor changes:
http://wiki.qmailtoaster.com/index.php/Fail2Ban





Re: [qmailtoaster] Re: SMTP attack

2011-03-07 Thread Toma Bogdan

Used on CentOS 5.5

/etc/fail2ban/filter.d/qmail-pop3.conf
--- start cut ---
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = vchkpw-pop3: vpopmail user not found .*:<HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
--- end cut ---


jail.conf

[qmail-pop3]
enabled = true
filter  = qmail-pop3
action  = shorewall
          sendmail[name=Qmail Pop3 user fail, dest=changet...@yourdomain.com]

logpath = /your/path/to/pop3/logs
maxretry = 3
bantime = 600

=
T.Bogdan
Sys & Net Admin
Direkt Network
http://www.direkt.ro
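To see what the two filters in this thread actually catch, here is an added example (my own code, not the wiki article's, Toma's or fail2ban's) that expands the <HOST> alias exactly as the comment header above spells it out, runs Sergio's vpopmail-fail failregex (from the wiki article quoted at the top of the thread) and Toma's qmail-pop3 failregex over a few constructed maillog lines, and then applies each jail's maxretry/findtime window, which is the part `fail2ban-regex` does not show you. The log lines, user names, IP addresses and timestamps are made up, and the year is assumed because syslog lines carry none; Toma's jail sets no findtime, so fail2ban 0.8's default of 600 seconds is assumed for it.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> tag is only an alias for this regex (see the filter.d
# comment header): an optional IPv4-mapped-IPv6 prefix such as ::ffff:, then
# a named group "host", which is the value the jail bans.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex values posted in this thread, verbatim.
FILTERS = {
    "vpopmail-fail": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "qmail-pop3": r"vchkpw-pop3: vpopmail user not found .*:<HOST>",
}

# Constructed /var/log/maillog excerpt (not a real log): hosts, users,
# addresses and times are invented. All lines are from the same day.
MAILLOG = """\
Mar  8 09:01:12 mail vpopmail[4012]: vchkpw-smtp: password fail (pass: 'letmein') alice@example.com:203.0.113.5
Mar  8 09:01:13 mail vpopmail[4013]: vchkpw-smtp: password fail (pass: 'Passw0rd') alice@example.com:203.0.113.5
Mar  8 09:02:40 mail vpopmail[4020]: vchkpw-smtp: password fail (pass: 'xxx') bob@example.com:::ffff:198.51.100.7
Mar  8 09:03:02 mail vpopmail[4022]: vchkpw-pop3: vpopmail user not found admin@:192.0.2.9
Mar  8 09:03:03 mail vpopmail[4023]: vchkpw-pop3: vpopmail user not found test@:192.0.2.9
Mar  8 09:05:00 mail vpopmail[4030]: vchkpw-pop3: vpopmail user not found root@:192.0.2.44
Mar  8 09:06:00 mail vpopmail[4031]: vchkpw-smtp: password fail (pass: 'hunter2') carol@example.com:192.0.2.44
Mar  8 09:07:00 mail vpopmail[4032]: vchkpw-pop3: vpopmail user not found info@:192.0.2.44
Mar  8 09:12:00 mail vpopmail[4040]: vchkpw-pop3: vpopmail user not found sales@:192.0.2.9
Mar  8 09:16:00 mail vpopmail[4044]: vchkpw-pop3: vpopmail user not found webmaster@:192.0.2.44
""".splitlines()


def compile_filter(failregex):
    """Expand <HOST> and compile, as fail2ban does when it loads filter.d."""
    return re.compile(failregex.replace("<HOST>", HOST))


def find_failures(lines, failregex, year=2011):
    """Yield (timestamp, host) for every line the failregex matches; the
    host is whatever the <HOST> group captured (the ::ffff: prefix is
    skipped). This is what fail2ban-regex counts as match(es)."""
    pattern = compile_filter(failregex)
    for line in lines:
        m = pattern.search(line)
        if m is None:
            continue
        # syslog prefix "Mar  8 09:01:12" has no year, so one is assumed
        prefix = " ".join(line[:15].split())
        stamp = datetime.strptime(f"{year} {prefix}", "%Y %b %d %H:%M:%S")
        yield stamp, m.group("host")


def banned_hosts(lines, failregex, maxretry, findtime):
    """Return the set of hosts a jail with these settings would ban: a host
    is banned once it has maxretry matches inside any findtime-second
    window. With maxretry = 1 a single matching line is enough."""
    hits = defaultdict(list)
    for stamp, host in find_failures(lines, failregex):
        hits[host].append(stamp)
    banned = set()
    for host, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            window = (stamps[i + maxretry - 1] - stamps[i]).total_seconds()
            if window <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    # Sergio's jail: maxretry = 1, findtime = 3600 -> one bad password bans.
    print("vpopmail-fail:", sorted(banned_hosts(MAILLOG, FILTERS["vpopmail-fail"], 1, 3600)))
    # Toma's jail: maxretry = 3, findtime assumed to be the 0.8 default of 600 s.
    print("qmail-pop3:   ", sorted(banned_hosts(MAILLOG, FILTERS["qmail-pop3"], 3, 600)))
```

Two things worth noticing when you run it: 192.0.2.44 is banned by the SMTP jail after one bad password but not by the POP3 jail, because its three "user not found" lines span 11 minutes and the 600-second findtime never sees three of them together; and the unescaped parentheses in Sergio's regex still match, since `[^)]*` simply backtracks until the following space lines up.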





[qmailtoaster] Re: SMTP attack

2011-03-07 Thread Eric Shubert

Great job, Pak.
Thanks, Toma.
Pak, will you get this incorporated into the wiki?
TIA.
--
-Eric 'shubes'









Re: [qmailtoaster] Re: SMTP attack

2011-03-06 Thread Pak Ogah

I'll try to prettify it for you :D


On 06-Mar-11 5:26, Sergio M wrote:

Eric Shubert escribió:

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Banaction=edit

Have at it. I've added a link to this page under the Configuration- 
Security section. It's a start (albeit not much of one).



Hey guys, I created a basic article, but have trouble with formatting.
Can anyone take a look at it? this is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==


fail2ban homepage: http://www.fail2ban.org.
Please check [0] and [1] for more details.



== 1. Installation. ==

Enable the EPEL repos [1] and then 'yum install fail2ban'



== 2. Setup: ==

To work with Qmail/vpopmail, a filter and jail should be defined.
'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:HOST

ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf   (add this)

[vpopmail-fail]
enabled  = true
filter   = vpopmail-fail
action   = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 1
bantime  = 604800
findtime = 3600

'''c. Test the filter file:'''
# fail2ban-regex /var/log/maillog 
/etc/fail2ban/filter.d/vpopmail-fail.conf


Returns something like this, with n matches for the regex or 0 if no 
matches:


Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:HOST
|
`- Number of matches:
  [1] 123 match(es)


'''d. Reload config:'''
# fail2ban-client stop/start

'''e. Check the status of a jail:'''

# fail2ban-client status vpopmail-fail

Status for the jail: vpopmail-fail
|- filter
|  |- File list:/var/log/maillog
|  |- Currently failed: 7
|  `- Total failed: 225
`- action
  |- Currently banned: 109

| `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 
187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17


  `- Total banned: 109

'''NOTE:''' Once its starts running and the logs have matching 
strings, it will create iptables rules dropping that IP. But... when 
fail2ban reload and/or iptables restart and/or rebooting and/or the 
weekly logrotate, those rules are gone. bye bye!

So... what to do?

- Before changes, do a '# service iptables save' and it will write 
them to a file, and after any change do '# service iptables restart' 
to make it load the saved set of rules;

- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].


== 3.A little basic admin stuff ==

'''a. Check banned IPs:'''
- by fail2ban:# fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload:
# cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
3) remove it from /etc/sysconfig/iptables (maybe listed several times).





== 4. References: ==

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/


- 
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com) Vickers Consulting Group offers 
Qmailtoaster support and installations. If you need professional help 
with your setup, contact them today! 
- 
Please visit qmailtoaster.com for the latest news, updates, and 
packages. To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 




Re: [qmailtoaster] Re: SMTP attack

2011-03-05 Thread Sergio M




Eric Shubert wrote:
Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).

Hey guys, I created a basic article, but have trouble with formatting.
Can anyone take a look at it? this is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==


fail2ban homepage: http://www.fail2ban.org.
Please check [0] and [1] for more details.



== 1. Installation. ==

Enable the EPEL repos [1] and then 'yum install fail2ban'



== 2. Setup: ==

To work with Qmail/vpopmail, a filter and jail should be defined.
'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf (add this)

[vpopmail-fail]
enabled = true
filter = vpopmail-fail
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 1
bantime = 604800
findtime = 3600

'''c. Test the filter file:'''
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex or 0 if no matches:

Failregex
|- Regular expressions:
| [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
 [1] 123 match(es)


'''d. Reload config:'''
# fail2ban-client stop/start

'''e. Check the status of a jail:'''

# fail2ban-client status vpopmail-fail

Status for the jail: vpopmail-fail
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 7
| `- Total failed: 225
`- action
   |- Currently banned: 109
   |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned: 109

'''NOTE:''' Once it starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reloads and/or iptables restarts and/or on reboot and/or after the weekly logrotate, those rules are gone. Bye bye!
So... what to do?

- Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules;
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].


== 3. A little basic admin stuff ==

'''a. Check banned IPs:'''
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload: # cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules:
# iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
3) remove it from /etc/sysconfig/iptables (maybe listed several times).





== 4. References: ==

[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/






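Helpers for the admin steps in section 3 of the draft above (check banned IPs, unblock an IP), as an added example; this is not code from the wiki draft or from fail2ban. It assumes the chain name fail2ban-SMTP that follows from action = iptables[name=SMTP, ...], and it works on text in iptables-save format (the format /etc/sysconfig/iptables holds after 'service iptables save') and on ip.deny contents. All sample contents are constructed, with documentation-range addresses.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Chain name implied by action = iptables[name=SMTP, ...] in the wiki draft.
CHAIN = "fail2ban-SMTP"

# Constructed sample in iptables-save format (what /etc/sysconfig/iptables
# holds after 'service iptables save'); not a capture from the poster's box.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-SMTP - [0:0]
-A INPUT -p tcp -m multiport --dports 25 -j fail2ban-SMTP
-A fail2ban-SMTP -s 192.0.2.10 -j DROP
-A fail2ban-SMTP -s 198.51.100.7 -j DROP
-A fail2ban-SMTP -s 192.0.2.100 -j DROP
-A fail2ban-SMTP -j RETURN
COMMIT
"""

# Constructed /etc/fail2ban/ip.deny; the same IP can appear more than once,
# as the draft warns.
SAMPLE_IP_DENY = "192.0.2.10\n198.51.100.7\n192.0.2.10\n192.0.2.100\n"

DROP_RULE = re.compile(r"^-A (?P<chain>\S+) -s (?P<src>\S+) -j DROP$")


def banned_ips(iptables_save: str, chain: str = CHAIN) -> List[str]:
    """IPs dropped by the fail2ban chain, in rule order (step 3a, iptables view)."""
    found = []
    for line in iptables_save.splitlines():
        m = DROP_RULE.match(line.strip())
        if m and m["chain"] == chain:
            found.append(m["src"].split("/")[0])  # iptables-save may append /32
    return found


def saved_ips(ip_deny: str) -> List[str]:
    """Distinct IPs fail2ban will re-ban from ip.deny on the next reload (step 3a)."""
    return sorted({line.strip() for line in ip_deny.splitlines() if line.strip()})


def refers_to(line: str, ip: str) -> bool:
    """True only if some token of the line is exactly `ip` (optionally with a /prefix).
    A substring test such as 'grep -v 192.0.2.10' would also delete 192.0.2.100."""
    return any(tok.split("/")[0] == ip for tok in line.split())


def purge_ip(text: str, ip: str) -> Tuple[str, int]:
    """Drop every line referring to `ip` (steps 3b-2 and 3b-3). Returns (new text, lines removed)."""
    ipaddress.ip_address(ip)  # reject typos before touching a firewall config
    lines = text.splitlines()
    kept = [line for line in lines if not refers_to(line, ip)]
    return ("\n".join(kept) + "\n" if kept else ""), len(lines) - len(kept)


def unban_commands(ip: str, iptables_save: str, chain: str = CHAIN) -> List[str]:
    """Step 3b-1: one 'iptables -D' per live rule for this IP (a rule present
    twice has to be deleted twice)."""
    ipaddress.ip_address(ip)
    n = sum(1 for b in banned_ips(iptables_save, chain) if b == ip)
    return [f"iptables -D {chain} -s {ip} -j DROP"] * n


def drift(iptables_save: str, ip_deny: str, chain: str = CHAIN) -> Dict[str, List[str]]:
    """Compare the live chain with ip.deny. Right after an iptables restart the
    live set is empty while ip.deny is not, which is the situation the draft's NOTE describes."""
    live, saved = set(banned_ips(iptables_save, chain)), set(saved_ips(ip_deny))
    return {"live_only": sorted(live - saved), "saved_only": sorted(saved - live)}


if __name__ == "__main__":
    print(banned_ips(SAMPLE_IPTABLES_SAVE))
    print(unban_commands("192.0.2.10", SAMPLE_IPTABLES_SAVE))
    print(purge_ip(SAMPLE_IP_DENY, "192.0.2.10"))
    print(drift(SAMPLE_IPTABLES_SAVE, "192.0.2.10\n"))
```

The exact-token comparison in refers_to is the point of the unban helpers: removing 192.0.2.10 from a file that also lists 192.0.2.100 must not touch the longer address, which a naive grep or sed on the dotted string would.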




[qmailtoaster] Re: SMTP attack

2011-03-04 Thread Eric Shubert

Thanks, David.

FWIW, I agree with what you're saying. Most are just script kiddies, 
and lack any substantial skills. If they had greater skills, I would 
hope that they'd be doing something more constructive.


--
-Eric 'shubes'

On 03/03/2011 08:31 PM, David Milholen wrote:

Eric,
I'll see what I can do. I'll review my old notes on adding it to my system
and what kind of config I used to have success.
I will also list the script that has the trigger for a honeypot server.
Yes, Hackers are stupid because they are not using their talent for a
greater cause.
I was an ANTI-Hacker for years in the Army and after a while they just
became pests.
--Dave

On 3/3/2011 10:25 AM, Eric Shubert wrote:

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).




--

David Milholen
Project Engineer
P:501-318-1300








Re: [qmailtoaster] Re: SMTP attack

2011-03-04 Thread Sergio M

Eric Shubert wrote:

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).


I wrote some basic stuff, but it needs proper wiki formatting, especially the code snippets and quotes.


Thanks!


--
Sergio M
mailto:sergio...@gmail.com

P: Do you really need to print this e-mail? Let's save paper.







[qmailtoaster] Re: SMTP attack

2011-03-03 Thread Eric Shubert

David,

Thanks, David.

BTW, can you find a few moments to get a wiki page for fail2ban started?
Even if it's just a rough outline along with your configuration, that 
would be helpful. I'm sure others can add more details once something's 
there to work with.


TIA.
--
-Eric 'shubes'

Thanks, David.
On 03/02/2011 09:08 PM, David Milholen wrote:

+1000 on this solution.
It works for me. I also have a honeypot that these ips get thrown into
and trapped after so many attempts.
Stupid Hackers LOL:)
--Dave

On 3/1/2011 7:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is much better solution imo.



--

David Milholen
Project Engineer
P:501-318-1300








Re: [qmailtoaster] Re: SMTP attack

2011-03-03 Thread Digital Instruments

On 03/02/2011 09:08 PM, David Milholen wrote:
+1000 on this solution.
It works for me. I also have a honeypot that these ips get thrown into
and trapped after so many attempts.
Stupid Hackers LOL:)
--Dave

rofl, I doubt you will ever call a hacker stupid. Prolly they are just kids having fun.
Anyway, please, I agree with the other listers, if someone can start a 
wiki for f2b would be awesome.


/Cheers
A.


Re: [qmailtoaster] Re: SMTP attack

2011-03-03 Thread Nigel Reed
It's funny that I should check back in. I just installed fail2ban to deal with 
another issue, however realized it could stop a lot of RBL traffic if I just 
banned IP addresses so also added it for qmail. If someone gets a wiki started, 
I'd certainly look at contributing. (hence my previous post on logging pop3 
failures!)




- Original Message 
From: Eric Shubert e...@shubes.net
To: qmailtoaster-list@qmailtoaster.com
Sent: Thu, March 3, 2011 8:28:57 AM
Subject: [qmailtoaster] Re: SMTP attack

David,

Thanks, David.

BTW, can you find a few moments to get a wiki page for fail2ban started?
Even if it's just a rough outline along with your configuration, that would be 
helpful. I'm sure others can add more details once something's there to work 
with.

TIA.
-- -Eric 'shubes'

Thanks, David.
On 03/02/2011 09:08 PM, David Milholen wrote:
 +1000 on this solution.
 It works for me. I also have a honeypot that these ips get thrown into
 and trapped after so many attempts.
 Stupid Hackers LOL:)
 --Dave
 
 On 3/1/2011 7:24 PM, Eric Shubert wrote:
 Yes, but the attacks appear to be coming from a variety of addresses.
 fail2ban will do essentially this automatically and for whatever
 addresses attacks may come from. fail2ban is much better solution imo.
 
 
 --
 
 David Milholen
 Project Engineer
 P:501-318-1300





  





[qmailtoaster] Re: SMTP attack

2011-03-03 Thread Eric Shubert

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).


--
-Eric 'shubes'

On 03/03/2011 08:49 AM, Nigel Reed wrote:

It's funny that I should check back in. I just installed fail2ban to deal with
another issue, however realized it could stop a lot of RBL traffic if I just
banned IP addresses so also added it for qmail. If someone gets a wiki started,
I'd certainly look at contributing. (hence my previous post on logging pop3
failures!)




- Original Message 
From: Eric Shuberte...@shubes.net
To: qmailtoaster-list@qmailtoaster.com
Sent: Thu, March 3, 2011 8:28:57 AM
Subject: [qmailtoaster] Re: SMTP attack

David,

Thanks, David.

BTW, can you find a few moments to get a wiki page for fail2ban started?
Even if it's just a rough outline along with your configuration, that would be
helpful. I'm sure others can add more details once something's there to work
with.

TIA.
-- -Eric 'shubes'

Thanks, David.
On 03/02/2011 09:08 PM, David Milholen wrote:

+1000 on this solution.
It works for me. I also have a honeypot that these ips get thrown into
and trapped after so many attempts.
Stupid Hackers LOL:)
--Dave

On 3/1/2011 7:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is much better solution imo.



--

David Milholen
Project Engineer
P:501-318-1300
















Re: [qmailtoaster] Re: SMTP attack

2011-03-03 Thread Nigel Reed
When I said get a wiki started I meant create an article with some 
substance 
that I can add to ;) You really don't want to let me loose on a brand new one. 




- Original Message 
From: Eric Shubert e...@shubes.net
To: qmailtoaster-list@qmailtoaster.com
Sent: Thu, March 3, 2011 10:25:20 AM
Subject: [qmailtoaster] Re: SMTP attack

Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).

-- 
-Eric 'shubes'

On 03/03/2011 08:49 AM, Nigel Reed wrote:
 It's funny that I should check back in. I just installed fail2ban to deal with
 another issue, however realized it could stop a lot of RBL traffic if I just
 banned IP addresses so also added it for qmail. If someone gets a wiki 
started,
 I'd certainly look at contributing. (hence my previous post on logging pop3
 failures!)




 - Original Message 
 From: Eric Shuberte...@shubes.net
 To: qmailtoaster-list@qmailtoaster.com
 Sent: Thu, March 3, 2011 8:28:57 AM
 Subject: [qmailtoaster] Re: SMTP attack

 David,

 Thanks, David.

 BTW, can you find a few moments to get a wiki page for fail2ban started?
 Even if it's just a rough outline along with your configuration, that would be
 helpful. I'm sure others can add more details once something's there to work
 with.

 TIA.
 -- -Eric 'shubes'

 Thanks, David.
 On 03/02/2011 09:08 PM, David Milholen wrote:
 +1000 on this solution.
 It works for me. I also have a honeypot that these ips get thrown into
 and trapped after so many attempts.
 Stupid Hackers LOL:)
 --Dave

 On 3/1/2011 7:24 PM, Eric Shubert wrote:
 Yes, but the attacks appear to be coming from a variety of addresses.
 fail2ban will do essentially this automatically and for whatever
 addresses attacks may come from. fail2ban is much better solution imo.


 --

 David Milholen
 Project Engineer
 P:501-318-1300












  





Re: [qmailtoaster] Re: SMTP attack

2011-03-03 Thread David Milholen


  
  
Eric,
I'll see what I can do. I'll review my old notes on adding it to my system and what kind of config I used to have success.
I will also list the script that has the trigger for a honeypot server.
Yes, hackers are stupid because they are not using their talent for a greater cause.
I was an ANTI-Hacker for years in the Army and after a while they just became pests.
--Dave

On 3/3/2011 10:25 AM, Eric Shubert wrote:
Timing is good on this. :)

http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit

Have at it. I've added a link to this page under the Configuration->Security section. It's a start (albeit not much of one).



-- 
  
  David Milholen
  Project Engineer
  P:501-318-1300

  



Re: [qmailtoaster] Re: SMTP attack

2011-03-02 Thread Finn Buhelt (kirstineslund)

Hi all.

I installed and have been using fail2ban since Eric wrote about it a long time ago.

It works perfectly and is doing a nice job blocking different attempts on my server. (Iptables drop ip)

I am using dovecot and have fail2ban checking the dovecot log for bad password attempts (amongst other checks) - works great.

If you download the fail2ban package (and compile it) there is a qmail.conf script implemented; it may need some tweaking to match your needs but it's not that hard - you can try your 'selfmade' conf files on your logfiles to make sure they work as you planned.

It also uses iptables.

I can only recommend using this tool, it keeps an 'eye' on things constantly - of course there are people out there who make an effort in trying to bypass fail2ban, so never think you're 100% safe.


Regards,

Finn


On 02-03-2011 06:05, Tony White wrote:

Trouble is Fail2Ban requires the shorewall firewall!
At least if you use the rpm's.


On 02/03/2011 3:58 PM, Maxwell Smart wrote:

I actually use OSSEC HIDS for this type of attack. I use fail2ban for ftp and ssh.

Ole is the chap that knows fail2ban for Qmail.  You can install it now
using yum install fail2ban instead of compiling.

On 03/01/2011 06:40 PM, Eric Shubert wrote:
If CJ got it working, then I expect that just about anyone can do it. ;)


JK CJ. Would you care to create a page on the wiki for this?









Re: [qmailtoaster] Re: SMTP attack

2011-03-02 Thread Jim Shupert

A page on the wiki sounds like a hero of a thing.
I know that I would like some wisdom on how to implement fail2ban with my qmailtoaster.


On 3/1/2011 9:40 PM, Eric Shubert wrote:

If CJ got it working, then I expect that just about anyone can do it. ;)

JK CJ. Would you care to create a page on the wiki for this?



Re: [qmailtoaster] Re: SMTP attack

2011-03-02 Thread Gustavo De Poli
Eric: hi, sorry I'm new here (a beginner), what do you think about DENYHOST instead of fail2ban?
I use DENYHOST as a service and it works well.

Gustavo

2011/3/1 Eric Shubert e...@shubes.net

 Yes, but the attacks appear to be coming from a variety of addresses.
 fail2ban will do essentially this automatically and for whatever addresses
 attacks may come from. fail2ban is much better solution imo.
 --
 -Eric 'shubes'


 On 03/01/2011 06:14 PM, Tony White wrote:

 Try this at the command line and as root!

 iptables -I INPUT -s 11.22.33.44 -j DROP

 This will stop him dead in his tracks.
 You can use this command for any ip address that gives
 you a problem.


 On 02/03/2011 11:25 AM, Sergio M wrote:

 Hi there list,
 i have been under heavy traffic since sunday, and its been using all
 my inbound connections.
 I have a QMT updated box, running the latest spamdyke:
 # qtp-whatami
 /qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
 DISTRO=CentOS
 OSVER=5.5
 QTARCH=x86_64
 QTKERN=2.6.18-194.32.1.el5
 BUILD_DIST=cnt5064
 BUILD_DIR=/usr/src/redhat
 This machine's OS is supported and has been tested/


 Even though spamdyke does not let the spammers relay the mail, i still
 get all the connections used, making it very hard for authenticated
 users to send mail.
 For now I stopped smtpd, but i wanna see if you guys have some other
 thoughts to solve this.

 If I see the maillog, i see LOTS of entries like these:
 Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
 Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
 Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
 Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
 Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
 Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
 Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
 Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
 Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
 Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
 Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
 Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
 Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
 Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
 Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
 Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

 So i guess some botnet is trying to relay mail guessing a specific
 domain user's passwords. Most of the attempts are blocked by RBL
 checking, but that still create a connection.

 Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
 2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
 2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
 2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
 2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
 2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
 2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
 2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
 2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
 2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
 2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
 2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
 2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
 2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
 2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
 2011-03-01 

[qmailtoaster] Re: SMTP attack

2011-03-02 Thread Eric Shubert

Hey Gustavo.

I don't know about it, so I have no opinion. Please post a link to more 
info. Thanks.


If someone else has some thoughts on this, please chime in.

--
-Eric 'shubes'

On 03/02/2011 10:49 AM, Gustavo De Poli wrote:

Eric: hi, sorry I'm new here (a beginner), what do you think about DENYHOST instead of fail2ban?
I use DENYHOST as a service and it works well.

Gustavo

2011/3/1 Eric Shubert e...@shubes.net mailto:e...@shubes.net

Yes, but the attacks appear to be coming from a variety of
addresses. fail2ban will do essentially this automatically and for
whatever addresses attacks may come from. fail2ban is much better
solution imo.
--
-Eric 'shubes'


On 03/01/2011 06:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
i have been under heavy traffic since sunday, and its been
using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
/qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested/


Even though spamdyke does not let the spammers relay the
mail, i still
get all the connections used, making it very hard for
authenticated
users to send mail.
For now I stopped smtpd, but i wanna see if you guys have
some other
thoughts to solve this.

If I see the maillog, i see LOTS of entries like these:
/Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip:
201.0.152.106 rbl: zen.spamhaus.org
http://zen.spamhaus.org Feb 27 14:57:38 mail
vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:190.158.93.231 Feb 27 14:57:38 mail
spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl:
zen.spamhaus.org http://zen.spamhaus.org Feb 27 14:57:38
mail spamdyke[31075]:
FILTER_BLACKLIST_IP ip: 187.106.1.158 file:
/var/qmail/control/ip-blacklist(75) Feb 27 14:57:38 mail
vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253')
jorgerodrig...@domain.com:201.250.40.202 Feb 27 14:57:38 mail
spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl:
zen.spamhaus.org http://zen.spamhaus.org Feb 27 14:57:39
mail vpopmail[31082]: vchkpw-smtp:
password fail (pass: 'edos1kd9')
eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip:
189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
http://189106088244.user.veloxzone.com.br Feb 27
14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass:
'luckymi') lucianos...@domain.com:201.43.79.201 Feb 27
14:57:40 mail
vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:189.106.88.244 Feb 27 14:57:41 mail
spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns:
rev.97.83-telecablecr.com http://rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]:
vchkpw-smtp: password fail (pass: 'jdorm253')
jorgerodrig...@domain.com:187.106.1.158 Feb 27 14:57:42 mail
vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi')
lucianos...@domain.com:201.0.152.106 Feb 27 14:57:42 mail
spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl:
zen.spamhaus.org http://zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail
(pass: 'luckymi') lucianos...@domain.com:200.45.73.226 Feb
27 14:57:43
mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl:
zen.spamhaus.org http://zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip:
187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail
(pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail
(pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail
(pass: 

Re: [qmailtoaster] Re: SMTP attack

2011-03-02 Thread Carlos Herrera Polo
DENYHOST works only for SSHD .


2011/3/2 Eric Shubert e...@shubes.net

 Hey Gustavo.

 I don't know about it, so I have no opinion. Please post a link to more
 info. Thanks.

 If someone else has some thoughts on this, please chime in.

 --
 -Eric 'shubes'


 On 03/02/2011 10:49 AM, Gustavo De Poli wrote:

 Eric: hi, sorry I'm new here (a beginner), what do you think about DENYHOST instead of fail2ban?
 I use DENYHOST as a service and it works well.

 Gustavo

 2011/3/1 Eric Shubert e...@shubes.net mailto:e...@shubes.net


Yes, but the attacks appear to be coming from a variety of
addresses. fail2ban will do essentially this automatically and for
whatever addresses attacks may come from. fail2ban is much better
solution imo.
--
-Eric 'shubes'


On 03/01/2011 06:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been
using all my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Even though spamdyke does not let the spammers relay the
mail, I still get all the connections used, making it very hard for
authenticated users to send mail.
For now I stopped smtpd, but I want to see if you guys have
some other thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
 

Re: [qmailtoaster] Re: SMTP attack

2011-03-02 Thread David Milholen


  
  
+1000 on this solution. 
It works for me. I also have a honeypot that these ips get thrown
into and trapped after so many attempts.
Stupid Hackers LOL:)
--Dave

On 3/1/2011 7:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is a much better solution
imo.
  



-- 
  
  David Milholen
  Project Engineer
  P:501-318-1300

  



[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions 
had a bug where rejected sessions would not terminate immediately, 
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may 
not be affecting you, but you should check to be sure. Run 
qtp-install-spamdyke to upgrade to the latest version.


.) I would recommend installing fail2ban. This will automatically ban IP 
addresses which have several failed login attempts. There doesn't appear 
to be a wiki page about this yet (ANY TAKERS??), but you should find 
info about it in the list archives. Someone here should be able to help 
if you run into difficulty with it. (Not me though, as I haven't 
implemented it yet).


.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor 
handle twice that number. You might need to bump up the spamassassin 
child processes to get there, but it should be doable. What are your HW 
specs?


That's all that comes to my mind right now. Let us know how you make out.

--
-Eric 'shubes'

On 03/01/2011 05:25 PM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all my
inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain's user passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01
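Eric's recommendation above (ban addresses that rack up several failed logins) is, at its core, a per-source counter with a time window over the vpopmail "password fail" lines Sergio posted. The script below is an added example, not code from this thread, from fail2ban or from QmailToaster: it implements that counter over a constructed sample in the same maillog format, bans an address once it reaches maxretry failures within findtime seconds, and emits the per-IP DROP rule Tony posted for each ban. The regex, the assumed log year (syslog lines carry none) and the sample addresses are mine; the point it shows is why maxretry and findtime matter against a botnet where most sources try only once.

```python
"""Sliding-window ban logic for vpopmail 'password fail' lines (fail2ban-style).

Added example, not part of the thread, of fail2ban or of QmailToaster.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex is an assumption derived from the maillog lines in the thread; a real
# fail2ban filter would write <HOST> where the named group 'ip' is.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-smtp: password fail \(pass: '[^']*'\) "
    r"(?P<user>[^@\s]+@[^:\s]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

LOG_YEAR = 2011  # assumed: syslog timestamps carry no year

# Constructed sample in the thread's maillog format (RFC 5737 test addresses).
# Three sources try once each, one source hammers, one source returns slowly.
SAMPLE_LOG = """\
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 192.0.2.10 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') luciano@example.com:192.0.2.11
Feb 27 14:57:39 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorge@example.com:192.0.2.12
Feb 27 14:57:40 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardo@example.com:192.0.2.13
Feb 27 14:57:41 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') luciano@example.com:198.51.100.7
Feb 27 14:57:42 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi2') luciano@example.com:198.51.100.7
Feb 27 14:57:43 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'luckymi3') luciano@example.com:198.51.100.7
Feb 27 15:10:00 mail vpopmail[31200]: vchkpw-smtp: password fail (pass: 'x') jorge@example.com:192.0.2.12
Feb 27 16:30:00 mail vpopmail[31300]: vchkpw-smtp: password fail (pass: 'y') jorge@example.com:192.0.2.12
"""


def parse_failures(log_text):
    """Return [(datetime, ip, user)] for every SMTP AUTH failure line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # spamdyke and other lines are not auth failures
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def compute_bans(events, maxretry, findtime):
    """Per-IP sliding window: ban when an IP has maxretry failures whose
    timestamps all lie within findtime seconds of the newest one.
    Returns {ip: datetime of the failure that triggered the ban}."""
    window = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue  # a real firewall rule would have dropped this already
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_commands(banned):
    """One DROP rule per banned address, in the form posted in the thread."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for maxretry, findtime in ((1, 3600), (3, 3600), (2, 600)):
        b = compute_bans(ev, maxretry, findtime)
        print(f"maxretry={maxretry} findtime={findtime}: banned {sorted(b)}")
        for cmd in iptables_commands(b):
            print("   ", cmd)
```

With maxretry=1 every source that fails once is banned, which matches the thread's situation where each bot address tries only once or twice; with maxretry=3 only the hammering source gets caught, and with a short findtime the slow returning source never accumulates enough failures in one window.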

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
Yes, but the attacks appear to be coming from a variety of addresses. 
fail2ban will do essentially this automatically and for whatever 
addresses attacks may come from. fail2ban is a much better solution imo.

--
-Eric 'shubes'

On 03/01/2011 06:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.


On 02/03/2011 11:25 AM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all
my inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain's user passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 190.172.129.24
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.myhost.com.ar:11.22.33.44:25 :190.172.129.24::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 189.78.49.139
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.myhost.com.ar:11.22.33.44:25 :189.78.49.139::36877
2011-03-01 20:54:06.075161500 tcpserver: end 4800 status 0
2011-03-01 20:54:06.075164500 tcpserver: status: 24/25
2011-03-01 20:54:06.075165500 tcpserver: status: 25/25
2011-03-01 20:54:06.075166500 tcpserver: pid 4908 from 186.114.65.254
2011-03-01 20:54:06.075168500 tcpserver: ok 4908 mail.myhost.com.ar:11.22.33.44:25 :186.114.65.254::13026
2011-03-01 20:54:06.441699500 tcpserver: end 4821 status 0
2011-03-01
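Sergio's tcpserver excerpt shows the saturation pattern directly: every "end" is followed within microseconds by "status: 25/25" and a new "pid ... from" line, so the 25 slots are refilled as fast as they free up, and each slot is held by a different source. The script below is an added example, not code from this thread, from QmailToaster or from ucspi-tcp: it parses that tai64nlocal'd log format and measures how often the limit is hit, how many sessions each source opened, and how long completed sessions lasted (the long-lived idle sessions Eric attributes to the spamdyke 4.1.x bug would show up there). The sample log, its addresses and pids are constructed.

```python
"""Saturation and per-source check for qmail-smtpd's tcpserver log.

Added example, not from the thread, QmailToaster or ucspi-tcp.
"""
import re
from collections import Counter
from datetime import datetime

# Patterns assumed from the log lines shown in the thread (after tai64nlocal).
PID_RE = re.compile(r"^(\S+ \S+) tcpserver: pid (\d+) from (\d{1,3}(?:\.\d{1,3}){3})$")
END_RE = re.compile(r"^(\S+ \S+) tcpserver: end (\d+) status (\d+)$")
STATUS_RE = re.compile(r"tcpserver: status: (\d+)/(\d+)$")

# Constructed sample in the thread's log format (RFC 5737 test addresses).
SAMPLE_LOG = """\
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 192.0.2.50
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.example.com:203.0.113.5:25 :192.0.2.50::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01 20:54:02.157443500 tcpserver: pid 4881 from 198.51.100.9
2011-03-01 20:54:02.157530500 tcpserver: ok 4881 mail.example.com:203.0.113.5:25 :198.51.100.9::14782
2011-03-01 20:54:05.433208500 tcpserver: end 4857 status 0
2011-03-01 20:54:05.433211500 tcpserver: status: 24/25
2011-03-01 20:54:05.433212500 tcpserver: status: 25/25
2011-03-01 20:54:05.433213500 tcpserver: pid 4903 from 192.0.2.50
2011-03-01 20:54:05.433215500 tcpserver: ok 4903 mail.example.com:203.0.113.5:25 :192.0.2.50::36877
2011-03-01 20:54:06.505947500 tcpserver: end 4879 status 0
2011-03-01 20:54:06.505950500 tcpserver: status: 24/25
"""


def _ts(text):
    """tai64nlocal prints nanoseconds; datetime takes at most microseconds."""
    return datetime.strptime(text[:26], "%Y-%m-%d %H:%M:%S.%f")


def analyse(log_text):
    """Summarise a tcpserver log: slot saturation, sessions per source, and
    the duration of every session whose start and end both appear."""
    per_source = Counter()
    started = {}    # pid -> (start time, source ip)
    durations = {}  # pid -> seconds, for sessions closed inside the log
    limit = None
    status_samples = saturated = 0
    for line in log_text.splitlines():
        m = PID_RE.match(line)
        if m:
            started[m.group(2)] = (_ts(m.group(1)), m.group(3))
            per_source[m.group(3)] += 1
            continue
        m = END_RE.match(line)
        if m and m.group(2) in started:
            start, _ip = started.pop(m.group(2))
            durations[m.group(2)] = (_ts(m.group(1)) - start).total_seconds()
            continue
        m = STATUS_RE.search(line)
        if m:
            used, limit = int(m.group(1)), int(m.group(2))
            status_samples += 1
            saturated += used >= limit  # every 'limit/limit' sample is a refused-or-queued slot
    return {
        "limit": limit,
        "status_samples": status_samples,
        "saturated": saturated,
        "per_source": dict(per_source),
        "durations": durations,
        "still_open": sorted(started),
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"limit {r['limit']}: at limit in {r['saturated']}/{r['status_samples']} status samples")
    for ip, n in sorted(r["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} session(s)")
    print("completed sessions (pid: seconds):", r["durations"])
    print("still open at end of log:", r["still_open"])
```

Run it against a real `tai64nlocal < /var/log/qmail/smtp/current` capture: a high saturated ratio with many single-session sources is the distributed pattern in the thread, where a static per-IP DROP buys little; a few sources with many or long sessions is the case where it helps.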

Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Agreed Eric, but this is a VERY quick simple fix when the thing starts!


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and 
for whatever addresses attacks may come from. fail2ban is a much better solution imo.


--
best wishes
  Tony White

Yea Computing Services
http://www.ycs.com.au
4 The Crescent
Yea
Victoria
Australia 3717

Telephone No's
VIC : 03 9008 5614
FAX : 03 9008 5610 (FAX2Email)



IMPORTANT NOTICE

This communication including any file attachments is intended solely for
the use of the individual or entity to whom it is addressed. If you are
not the intended recipient, or the person responsible for delivering
this communication to the intended recipient, please immediately notify
the sender by email and delete the original transmission and its
contents. Any unauthorised use, dissemination, forwarding, printing or
copying of this communication including file attachments is prohibited.
It is your responsibility to scan this communication including any file
attachments for viruses and other defects. To the extent permitted by
law, Yea Computing Services and its associates will not be liable for
any loss or damage arising in any way from this communication including
any file attachments.


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M

Eric Shubert escribió:

Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions 
had a bug where rejected sessions would not terminate immediately, 
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That 
may no be affecting you, but you should check to be sure. Run 
qtp-install-spamdyke to upgrade to the latest version.


.) I would recommend installing fail2ban. This will automatically ban 
IP addresses which have several failed login attempts. There doesn't 
appear to be a wiki page about this yet (ANY TAKERS??), but you should 
find info about it in the list archives. Someone here should be able 
to help if you run into difficulty with it. (Not me though, as I 
haven't implemented it yet).


.) 25 smtp sessions is rather low. I've seen a Celeron 1GH processor 
handle twice that number. You might need to bump up the spamassassin 
child processes to get there, but it should be doable. What are your 
HW specs?


That's all that comes to my mind right now. Let us know how you make out.


Thanks Eric!
I updated spamdyke this morning.

I have a Quad-Core AMD Opteron(tm) Processor 1354, cpu MHz: 
1100.000, with 1 GB RAM.
Using 25 sessions, on a normal day it never gets past 20 of 25. I 
thought about raising them, but they will all get used by spammers. What 
about those child processes you mentioned?


I am also looking at fail2ban.

@Carlos: Greylisting is not working because mail is not accepted, but 
the sessions are used anyway.


Thanks guys!







Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Eric,
  Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and 
for whatever addresses attacks may come from. fail2ban is a much better solution imo.


--
best wishes
  Tony White







Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Sergio M

I think he said he is not a user yet, but I am looking at:
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html

Tony White escribió:

Eric,
  Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. 
fail2ban will do essentially this automatically and for whatever 
addresses attacks may come from. fail2ban is a much better solution imo.










[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I don't think so. The hacker is trying to authenticate, and failing. 
Greylisting would prohibit mail from being received, but the problem 
occurs before an email is transmitted.

Thanks for the suggestion though.
--
-Eric 'shubes'

On 03/01/2011 06:38 PM, Carlos Herrera Polo wrote:

Does the greylisting process not work for this problem?


2011/3/1, Eric Shuberte...@shubes.net:

Sergio,

.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions
had a bug where rejected sessions would not terminate immediately,
causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may
not be affecting you, but you should check to be sure. Run
qtp-install-spamdyke to upgrade to the latest version.

.) I would recommend installing fail2ban. This will automatically ban IP
addresses which have several failed login attempts. There doesn't appear
to be a wiki page about this yet (ANY TAKERS??), but you should find
info about it in the list archives. Someone here should be able to help
if you run into difficulty with it. (Not me though, as I haven't
implemented it yet).

.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor
handle twice that number. You might need to bump up the spamassassin
child processes to get there, but it should be doable. What are your HW
specs?

That's all that comes to my mind right now. Let us know how you make out.

--
-Eric 'shubes'

On 03/01/2011 05:25 PM, Sergio M wrote:

Hi there list,
I have been under heavy traffic since Sunday, and it's been using all my
inbound connections.
I have a QMT updated box, running the latest spamdyke:
# qtp-whatami
qtp-whatami v0.3.7 Tue Mar 1 21:14:03 ART 2011
DISTRO=CentOS
OSVER=5.5
QTARCH=x86_64
QTKERN=2.6.18-194.32.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested


Even though spamdyke does not let the spammers relay the mail, I still
get all the connections used, making it very hard for authenticated
users to send mail.
For now I stopped smtpd, but I want to see if you guys have some other
thoughts to solve this.

If I look at the maillog, I see LOTS of entries like these:
Feb 27 14:57:38 mail spamdyke[31069]: FILTER_RBL_MATCH ip: 201.0.152.106 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail vpopmail[31072]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:38 mail spamdyke[31071]: FILTER_RBL_MATCH ip: 201.43.79.201 rbl: zen.spamhaus.org
Feb 27 14:57:38 mail spamdyke[31075]: FILTER_BLACKLIST_IP ip: 187.106.1.158 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:38 mail vpopmail[31077]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:201.250.40.202
Feb 27 14:57:38 mail spamdyke[31080]: FILTER_RBL_MATCH ip: 201.81.74.149 rbl: zen.spamhaus.org
Feb 27 14:57:39 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
Feb 27 14:57:39 mail spamdyke[31084]: FILTER_RDNS_RESOLVE ip: 189.106.88.244 rdns: 189106088244.user.veloxzone.com.br
Feb 27 14:57:40 mail vpopmail[31086]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.43.79.201
Feb 27 14:57:40 mail vpopmail[31088]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.106.88.244
Feb 27 14:57:41 mail spamdyke[31090]: FILTER_RDNS_RESOLVE ip: 200.105.97.83 rdns: rev.97.83-telecablecr.com
Feb 27 14:57:42 mail vpopmail[31092]: vchkpw-smtp: password fail (pass: 'jdorm253') jorgerodrig...@domain.com:187.106.1.158
Feb 27 14:57:42 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:201.0.152.106
Feb 27 14:57:42 mail spamdyke[31094]: FILTER_RBL_MATCH ip: 93.39.224.8 rbl: zen.spamhaus.org
Feb 27 14:57:42 mail vpopmail[31098]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:200.45.73.226
Feb 27 14:57:43 mail spamdyke[31100]: FILTER_RBL_MATCH ip: 189.54.236.113 rbl: zen.spamhaus.org
Feb 27 14:57:43 mail spamdyke[31102]: FILTER_BLACKLIST_IP ip: 187.119.172.80 file: /var/qmail/control/ip-blacklist(75)
Feb 27 14:57:43 mail vpopmail[31105]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:189.114.176.151
Feb 27 14:57:44 mail vpopmail[31107]: vchkpw-smtp: password fail (pass: 'luckymi') lucianos...@domain.com:190.158.93.231
Feb 27 14:57:44 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:93.39.224.8

So I guess some botnet is trying to relay mail by guessing a specific
domain's user passwords. Most of the attempts are blocked by RBL
checking, but that still creates a connection.

Looking at # cat /var/log/qmail/smtp/current | tai64nlocal
2011-03-01 20:54:01.905947500 tcpserver: pid 4879 from 189.6.164.77
2011-03-01 20:54:01.906030500 tcpserver: ok 4879 mail.myhost.com.ar:11.22.33.44:25 :189.6.164.77::37629
2011-03-01 20:54:02.157286500 tcpserver: end 4797 status 0
2011-03-01 20:54:02.157289500 tcpserver: status: 24/25
2011-03-01 20:54:02.157290500 tcpserver: status: 25/25
2011-03-01

[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

True enough. Can be a quick and dirty (temporary) fix.
--
-Eric 'shubes'

On 03/01/2011 06:44 PM, Tony White wrote:

Agreed Eric, but this is a VERY quick simple fix when the thing starts!


On 02/03/2011 12:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is a much better solution imo.










[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert

If CJ got it working, then I expect that just about anyone can do it. ;)

JK CJ. Would you care to create a page on the wiki for this?

--
-Eric 'shubes'


On 03/01/2011 06:58 PM, Cecil Yother, Jr. wrote:

Tony,

Does this append the existing iptable with the offending IP?

I use fail2ban and it works great.  OSSEC HIDS is a good tool too.  I
use them both actually.

CJ

On 03/01/2011 05:14 PM, Tony White wrote:

Try this at the command line and as root!

iptables -I INPUT -s 11.22.33.44 -j DROP

This will stop him dead in his tracks.
You can use this command for any ip address that gives
you a problem.









[qmailtoaster] Re: SMTP attack

2011-03-01 Thread Eric Shubert
I haven't implemented Fail2Ban yet. Been meaning to, but haven't had the 
need. I believe others on this list have though.

--
-Eric 'shubes'

On 03/01/2011 06:52 PM, Tony White wrote:

Eric,
Do you have Fail2Ban working with the
qmail logs?


On 02/03/2011 12:24 PM, Eric Shubert wrote:

Yes, but the attacks appear to be coming from a variety of addresses.
fail2ban will do essentially this automatically and for whatever
addresses attacks may come from. fail2ban is a much better solution imo.










Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Maxwell Smart
I actually use OSSEC HIDS for this type of attack.  I use fail2ban for
ftp and ssh.

Ole is the chap that knows fail2ban for Qmail.  You can install it now
using yum install fail2ban instead of compiling.

On 03/01/2011 06:40 PM, Eric Shubert wrote:
 If CJ got it working, then I expect that just about anyone can do it. ;)

 JK CJ. Would you care to create a page on the wiki for this?


-- 
Cecil Yother, Jr. cj
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787
http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com






Re: [qmailtoaster] Re: SMTP attack

2011-03-01 Thread Tony White

Trouble is, Fail2Ban requires the shorewall firewall!
At least if you use the RPMs.


On 02/03/2011 3:58 PM, Maxwell Smart wrote:

I actually use OSSEC HIDS for this type of attack.  I use fail2ban for
ftp and ssh.

Ole is the chap that knows fail2ban for Qmail.  You can install it now
using yum install fail2ban instead of compiling.

On 03/01/2011 06:40 PM, Eric Shubert wrote:

If CJ got it working, then I expect that just about anyone can do it. ;)

JK CJ. Would you care to create a page on the wiki for this?



--
best wishes
  Tony White


