Re: [qmailtoaster] vchkpw-smtp attack
On 19.07.2009 21:58, nightduke wrote:
> Nice tool. I will use it. Thanks

Then look at open bugs #219 and #220, there are my 2 proposed patches for properly interpreting Apache logs and vpopmail.
http://www.ossec.net/bugs/
On http://www.ossec.net/wiki/index.php/SquirrelMail are my rules for SquirrelMail.

Below is an example of a vchkpw-smtp attack, aggressor detected and blocked. :)

8<--
Received From: srv->/var/log/maillog
Rule: 9952 fired (level 10) -> "VPOPMAIL brute force (email harvesting)."
Portion of the log(s):

Jul 15 09:43:42 srv vpopmail[24889]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:33 srv vpopmail[24876]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:23 srv vpopmail[24863]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:15 srv vpopmail[24854]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:07 srv vpopmail[24845]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:00 srv vpopmail[24838]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:53 srv vpopmail[24831]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:47 srv vpopmail[24824]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:39 srv vpopmail[24815]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
8<-- EOT

--
Pozdrawiam / Regards,
Aleksander Podsiadły

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] vchkpw-smtp attack
Nice tool. I will use it. Thanks

2009/7/10 Aleksander Podsiadly:
> On 09.07.2009 23:28, nightduke wrote:
>> i don't understand, can you explain?
>> Thanks
>>
>> 2009/7/9 Aleksander Podsiadly:
>>> On 07.07.2009 00:36, Jake Vickers wrote:
>>>> *Those* types of attacks can be handled with fail2ban.
>>>
>>> And with ossec-hids.
>>>
>>> --
>>> Pozdrawiam / Regards,
>>> Aleksander Podsiadły
>
> OSSEC is an intrusion detection system. It performs log analysis, for
> example of maillog. It can alert you and allows automatically executing
> commands when a specific event is triggered. It's scalable, you can write
> your own rules.
> Project site: http://www.ossec.net/
>
> Real examples, 2 alerts when I was writing this post:
> 8<--
>
> OSSEC HIDS Notification.
> 2009 Jul 10 07:49:10
>
> Received From: (opatow) xxx.xxx.xxx.xxx->/var/log/secure
>
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Jul 10 07:49:21 srv sshd[25153]: Invalid user oracle from 211.219.166.235
> Jul 10 07:49:18 srv sshd[25151]: Invalid user bind from 211.219.166.235
> Jul 10 07:48:55 srv sshd[29527]: Invalid user oracle from :::211.219.166.235
> Jul 10 07:48:52 srv sshd[29525]: Invalid user bind from :::211.219.166.235
> Jul 10 07:48:38 srv sshd[25080]: Invalid user oracle from 211.219.166.235
> Jul 10 07:48:28 srv sshd[25074]: Invalid user sami from 211.219.166.235
> Jul 10 07:48:10 srv sshd[29499]: Invalid user oracle from :::211.219.166.235
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 10 07:51:45
>
> Received From: (jedrzejow) yyy.yyy.yyy.yyy->/var/log/secure
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Jul 10 07:51:43 srv sshd[29640]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:40 srv sshd[29638]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:37 srv sshd[29636]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:34 srv sshd[29634]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:02 srv sshd[29614]: Invalid user test from :::211.219.166.235
> Jul 10 07:50:40 srv sshd[29600]: Invalid user mythtv from :::211.219.166.235
> Jul 10 07:50:25 srv sshd[29590]: Invalid user cgi-bin from :::211.219.166.235
>
> --END OF NOTIFICATION
>
> 8<-- EOT
>
> These 2 hosts are blocked for 10 minutes and my logs are shorter. :)
>
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
Re: [qmailtoaster] vchkpw-smtp attack
On 09.07.2009 23:28, nightduke wrote:
> i don't understand, can you explain?
> Thanks
>
> 2009/7/9 Aleksander Podsiadly:
>> On 07.07.2009 00:36, Jake Vickers wrote:
>>> *Those* types of attacks can be handled with fail2ban.
>>
>> And with ossec-hids.
>>
>> --
>> Pozdrawiam / Regards,
>> Aleksander Podsiadły

OSSEC is an intrusion detection system. It performs log analysis, for
example of maillog. It can alert you and allows automatically executing
commands when a specific event is triggered. It's scalable, you can write
your own rules.
Project site: http://www.ossec.net/

Real examples, 2 alerts when I was writing this post:
8<--

OSSEC HIDS Notification.
2009 Jul 10 07:49:10

Received From: (opatow) xxx.xxx.xxx.xxx->/var/log/secure

Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jul 10 07:49:21 srv sshd[25153]: Invalid user oracle from 211.219.166.235
Jul 10 07:49:18 srv sshd[25151]: Invalid user bind from 211.219.166.235
Jul 10 07:48:55 srv sshd[29527]: Invalid user oracle from :::211.219.166.235
Jul 10 07:48:52 srv sshd[29525]: Invalid user bind from :::211.219.166.235
Jul 10 07:48:38 srv sshd[25080]: Invalid user oracle from 211.219.166.235
Jul 10 07:48:28 srv sshd[25074]: Invalid user sami from 211.219.166.235
Jul 10 07:48:10 srv sshd[29499]: Invalid user oracle from :::211.219.166.235

--END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Jul 10 07:51:45

Received From: (jedrzejow) yyy.yyy.yyy.yyy->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jul 10 07:51:43 srv sshd[29640]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:40 srv sshd[29638]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:37 srv sshd[29636]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:34 srv sshd[29634]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:02 srv sshd[29614]: Invalid user test from :::211.219.166.235
Jul 10 07:50:40 srv sshd[29600]: Invalid user mythtv from :::211.219.166.235
Jul 10 07:50:25 srv sshd[29590]: Invalid user cgi-bin from :::211.219.166.235

--END OF NOTIFICATION

8<-- EOT

These 2 hosts are blocked for 10 minutes and my logs are shorter. :)

--
Pozdrawiam / Regards,
Aleksander Podsiadły
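The frequency-based detection behind the OSSEC alerts quoted in this thread (rule 9952 on vpopmail's "user not found" lines, rule 5712 on sshd's "Invalid user" lines), as an added example in Python; this is not code from the thread or from the OSSEC project. It parses constructed log lines modelled on the ones quoted above, counts events per source address inside a sliding time window, and raises an alert once a threshold is crossed; the "invalid user/domain characters" line that Jake distinguishes from an attack is parsed but deliberately not counted. The rule names, the threshold of 5 events in 120 seconds, and the sample lines are assumptions made for this example, not OSSEC's own values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log modelled on the vpopmail and sshd lines quoted in the
# thread, put back into chronological order as they would sit in the log files.
SAMPLE_LOG = """\
Jul 15 09:42:39 srv vpopmail[24815]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:47 srv vpopmail[24824]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:53 srv vpopmail[24831]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:00 srv vpopmail[24838]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:07 srv vpopmail[24845]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:15 srv vpopmail[24854]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:23 srv vpopmail[24863]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:33 srv vpopmail[24876]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:42 srv vpopmail[24889]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
Jul 10 07:48:10 srv sshd[29499]: Invalid user oracle from :::211.219.166.235
Jul 10 07:48:28 srv sshd[25074]: Invalid user sami from 211.219.166.235
Jul 10 07:48:38 srv sshd[25080]: Invalid user oracle from 211.219.166.235
Jul 10 07:48:52 srv sshd[29525]: Invalid user bind from :::211.219.166.235
Jul 10 07:48:55 srv sshd[29527]: Invalid user oracle from :::211.219.166.235
Jul 10 07:49:18 srv sshd[25151]: Invalid user bind from 211.219.166.235
Jul 10 07:49:21 srv sshd[25153]: Invalid user oracle from 211.219.166.235
"""

# Syslog prefix "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
                    r"\w+\[\d+\]:\s+(?P<msg>.*)$")
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# (rule name, counts toward the brute-force frequency?, message pattern).
# The names and the choice of which events count are assumptions for this example.
RULES = [
    ("vpopmail-user-not-found", True,
     re.compile(r"^vchkpw-smtp: vpopmail user not found [^:]*:" + IPV4 + r"$")),
    ("vpopmail-invalid-chars", False,
     re.compile(r"^vchkpw-smtp: invalid user/domain characters .*:" + IPV4 + r"$")),
    ("sshd-invalid-user", True,
     re.compile(r"^Invalid user \S+ from (?:[0-9a-fA-F:]*:)?" + IPV4 + r"$")),
]


def parse_line(line):
    """Return a dict for a line that some rule matches, or None otherwise."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for rule, bruteforce, pattern in RULES:
        hit = pattern.match(m.group("msg"))
        if hit:
            # Syslog carries no year; strptime defaults to 1900, which is fine
            # because only differences between timestamps are used below.
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
            return {"rule": rule, "bruteforce": bruteforce, "ip": hit.group("ip"),
                    "host": m.group("host"), "ts": ts}
    return None


def count_by_rule(lines):
    """Events per rule, including the ones that never raise a brute-force alert."""
    counts = defaultdict(int)
    for ev in filter(None, map(parse_line, lines)):
        counts[ev["rule"]] += 1
    return dict(counts)


def detect(lines, threshold=5, window_seconds=120):
    """Frequency correlation in the style of an OSSEC composite rule: alert when
    one source address produces `threshold` events of one rule inside a sliding
    window of `window_seconds`. Both defaults are constructed, not OSSEC's own."""
    recent = defaultdict(deque)  # (rule, ip) -> timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["bruteforce"]:
            continue  # invalid-character lines are parsed above but never counted
        window = recent[(ev["rule"], ev["ip"])]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"rule": ev["rule"], "ip": ev["ip"], "count": len(window),
                           "first": window[0], "last": window[-1]})
            window.clear()  # report one burst once; later events start a new window
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_rule(lines))
    for a in detect(lines):
        print(f"{a['rule']}: {a['count']} events from {a['ip']} "
              f"between {a['first']:%b %d %H:%M:%S} and {a['last']:%b %d %H:%M:%S}")
```

Run directly, it prints the per-rule counts and two alerts, one per source address. In a deployment the alert is what feeds an active response such as the 10-minute block Aleksander describes; the threshold and window are the two knobs that trade false positives against detection delay, and keeping the invalid-character rule out of the count is what stops a single malformed delivery attempt from looking like a brute-force run.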
Re: [qmailtoaster] vchkpw-smtp attack
i don't understand, can you explain?
Thanks

2009/7/9 Aleksander Podsiadly:
> On 07.07.2009 00:36, Jake Vickers wrote:
>> *Those* types of attacks can be handled with fail2ban.
>
> And with ossec-hids.
>
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
Re: [qmailtoaster] vchkpw-smtp attack
On 07.07.2009 00:36, Jake Vickers wrote:
> *Those* types of attacks can be handled with fail2ban.

And with ossec-hids.

--
Pozdrawiam / Regards,
Aleksander Podsiadły
Re: [qmailtoaster] vchkpw-smtp attack
fail2ban can be used with qmail?
Thanks anyway.

2009/7/7 Jake Vickers:
> nightduke wrote:
>> Jul 6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44
>
> *Those* types of attacks can be handled with fail2ban.
Re: [qmailtoaster] vchkpw-smtp attack
That seems to be an attack, it's my opinion.

2009/7/7 nightduke:
> Jul 6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44
>
> 2009/7/7 Jake Vickers:
>> nightduke wrote:
>>> Jul 6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>>>
>>> Hi, at my server I saw in the log a few attempts to deliver email.
>>>
>>> Anyone know a way to block this kind of attack?
>>>
>>> Thanks
>>
>> Yes, fail2ban.
>> We've talked about it on the list previously. You're getting invalid
>> characters, which are not the same thing as an "attack".
Re: [qmailtoaster] vchkpw-smtp attack
nightduke wrote:
> Jul 6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44

*Those* types of attacks can be handled with fail2ban.
Re: [qmailtoaster] vchkpw-smtp attack
Jul 6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44

2009/7/7 Jake Vickers:
> nightduke wrote:
>> Jul 6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>>
>> Hi, at my server I saw in the log a few attempts to deliver email.
>>
>> Anyone know a way to block this kind of attack?
>>
>> Thanks
>
> Yes, fail2ban.
> We've talked about it on the list previously. You're getting invalid
> characters, which are not the same thing as an "attack".
Re: [qmailtoaster] vchkpw-smtp attack
nightduke wrote:
> Jul 6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>
> Hi, at my server I saw in the log a few attempts to deliver email.
>
> Anyone know a way to block this kind of attack?
>
> Thanks

Yes, fail2ban.
We've talked about it on the list previously. You're getting invalid characters, which are not the same thing as an "attack".
[qmailtoaster] vchkpw-smtp attack
Jul 6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44

Hi, at my server I saw in the log a few attempts to deliver email.

Anyone know a way to block this kind of attack?

Thanks