Re: [qmailtoaster] vchkpw-smtp attack

2009-07-19 Thread Aleksander Podsiadly

On 19.07.2009 21:58, nightduke wrote:

> Nice tool. I will use it.
>
> Thanks
Then look at open bugs #219 and #220; there are my 2 proposed patches 
for properly interpreting Apache logs and vpopmail.

http://www.ossec.net/bugs/

My rules for SquirrelMail are at 
http://www.ossec.net/wiki/index.php/SquirrelMail.


Below is an example of a vchkpw-smtp attack, with the aggressor detected and blocked. :)
8<--

Received From: srv->/var/log/maillog
Rule: 9952 fired (level 10) ->  "VPOPMAIL brute force (email harvesting)."
Portion of the log(s):

Jul 15 09:43:42 srv vpopmail[24889]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:33 srv vpopmail[24876]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:23 srv vpopmail[24863]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:15 srv vpopmail[24854]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:07 srv vpopmail[24845]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:00 srv vpopmail[24838]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:53 srv vpopmail[24831]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:47 srv vpopmail[24824]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:39 srv vpopmail[24815]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239

8<-- EOT



--
Pozdrawiam / Regards,
Aleksander Podsiadły


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] vchkpw-smtp attack

2009-07-19 Thread nightduke
Nice tool. I will use it.

Thanks



2009/7/10 Aleksander Podsiadly :
> On 09.07.2009 23:28, nightduke wrote:
>
> I don't understand, can you explain?
>
> Thanks
>
>
> 2009/7/9 Aleksander Podsiadly :
>
>
> On 07.07.2009 00:36, Jake Vickers wrote:
>
>
> *Those* types of attacks can be handled with fail2ban.
>
>
> And with ossec-hids.
>
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
>
> OSSEC is an intrusion detection system. It performs log analysis, for
> example on maillog. It can alert you and allows automatically executing commands
> when a specific event is triggered. It's scalable: you can write your own
> rules.
> Project site: http://www.ossec.net/
>
> Real examples, 2 alerts when I was writing this post:
> 8<--
>
> OSSEC HIDS Notification.
> 2009 Jul 10 07:49:10
>
> Received From: (opatow) xxx.xxx.xxx.xxx->/var/log/secure
>
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Jul 10 07:49:21 srv sshd[25153]: Invalid user oracle from 211.219.166.235
> Jul 10 07:49:18 srv sshd[25151]: Invalid user bind from 211.219.166.235
> Jul 10 07:48:55 srv sshd[29527]: Invalid user oracle from :::211.219.166.235
> Jul 10 07:48:52 srv sshd[29525]: Invalid user bind from :::211.219.166.235
> Jul 10 07:48:38 srv sshd[25080]: Invalid user oracle from 211.219.166.235
> Jul 10 07:48:28 srv sshd[25074]: Invalid user sami from 211.219.166.235
> Jul 10 07:48:10 srv sshd[29499]: Invalid user oracle from :::211.219.166.235
>
>  --END OF NOTIFICATION
> OSSEC HIDS Notification.
> 2009 Jul 10 07:51:45
>
> Received From: (jedrzejow) yyy.yyy.yyy.yyy->/var/log/secure
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Jul 10 07:51:43 srv sshd[29640]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:40 srv sshd[29638]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:37 srv sshd[29636]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:34 srv sshd[29634]: Invalid user nagios from :::211.219.166.235
> Jul 10 07:51:02 srv sshd[29614]: Invalid user test from :::211.219.166.235
> Jul 10 07:50:40 srv sshd[29600]: Invalid user mythtv from :::211.219.166.235
> Jul 10 07:50:25 srv sshd[29590]: Invalid user cgi-bin from :::211.219.166.235
>
>  --END OF NOTIFICATION
>
> 8<-- EOT
>
> These 2 hosts are blocked for 10 minutes and my logs are shorter. :)
>
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
>





Re: [qmailtoaster] vchkpw-smtp attack

2009-07-09 Thread Aleksander Podsiadly

On 09.07.2009 23:28, nightduke wrote:

> I don't understand, can you explain?
>
> Thanks
>
>
> 2009/7/9 Aleksander Podsiadly:
>
>> On 07.07.2009 00:36, Jake Vickers wrote:
>>
>>> *Those* types of attacks can be handled with fail2ban.
>>
>> And with ossec-hids.
>>
>> --
>> Pozdrawiam / Regards,
>> Aleksander Podsiadły

OSSEC is an intrusion detection system. It performs log analysis, for 
example on maillog. It can alert you and allows automatically executing 
commands when a specific event is triggered. It's scalable: you can 
write your own rules.

Project site: http://www.ossec.net/

Real examples, 2 alerts when I was writing this post:
8<--

OSSEC HIDS Notification.
2009 Jul 10 07:49:10

Received From: (opatow) xxx.xxx.xxx.xxx->/var/log/secure

Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jul 10 07:49:21 srv sshd[25153]: Invalid user oracle from 211.219.166.235
Jul 10 07:49:18 srv sshd[25151]: Invalid user bind from 211.219.166.235
Jul 10 07:48:55 srv sshd[29527]: Invalid user oracle from :::211.219.166.235
Jul 10 07:48:52 srv sshd[29525]: Invalid user bind from :::211.219.166.235
Jul 10 07:48:38 srv sshd[25080]: Invalid user oracle from 211.219.166.235
Jul 10 07:48:28 srv sshd[25074]: Invalid user sami from 211.219.166.235
Jul 10 07:48:10 srv sshd[29499]: Invalid user oracle from :::211.219.166.235

 --END OF NOTIFICATION
OSSEC HIDS Notification.
2009 Jul 10 07:51:45

Received From: (jedrzejow) yyy.yyy.yyy.yyy->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jul 10 07:51:43 srv sshd[29640]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:40 srv sshd[29638]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:37 srv sshd[29636]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:34 srv sshd[29634]: Invalid user nagios from :::211.219.166.235
Jul 10 07:51:02 srv sshd[29614]: Invalid user test from :::211.219.166.235
Jul 10 07:50:40 srv sshd[29600]: Invalid user mythtv from :::211.219.166.235
Jul 10 07:50:25 srv sshd[29590]: Invalid user cgi-bin from :::211.219.166.235

 --END OF NOTIFICATION

8<-- EOT

These 2 hosts are blocked for 10 minutes and my logs are shorter. :)

--
Pozdrawiam / Regards,
Aleksander Podsiadły
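The frequency-style detection that this post describes (OSSEC alerting and acting when a rule fires) and that the vchkpw-smtp alert at the top of the thread shows (nine "vpopmail user not found" lines from one IP in about a minute, then a block) can be reproduced in a few dozen lines. The following is an added example for this archive, not code from OSSEC or from any poster: it parses vchkpw lines of the shape quoted in the thread, applies a sliding-window threshold per source IP, and reports which IPs would still be under a 10-minute block at a given time. The threshold (8 events), window (120 s), year (2009, since syslog timestamps carry none), function names and the sample log are all assumptions; the sample lines are constructed to look like the thread's excerpts and are not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog (hypothetical, modelled on the excerpts in this
# thread; not real traffic). Oldest line first.
SAMPLE_MAILLOG = """\
Jul 15 09:42:39 srv vpopmail[24815]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:47 srv vpopmail[24824]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:42:53 srv vpopmail[24831]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:00 srv vpopmail[24838]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:07 srv vpopmail[24845]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:15 srv vpopmail[24854]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:20 srv vpopmail[24860]: vchkpw-smtp: vpopmail user not found postmaster@:192.0.2.7
Jul 15 09:43:23 srv vpopmail[24863]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:33 srv vpopmail[24876]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:43:42 srv vpopmail[24889]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
Jul 15 09:44:01 srv vpopmail[24901]: vchkpw-smtp: invalid user/domain characters d:192.0.2.8
Jul 15 09:50:00 srv vpopmail[24950]: vchkpw-smtp: vpopmail user not found webmaster@:121.33.123.239
"""

# Shape of a vchkpw line as seen in the thread:
#   <syslog ts> <host> vpopmail[<pid>]: vchkpw-<service>: <message> <account>:<client ip>
# <account> is the user@domain vpopmail tried to look up (the domain part is
# empty in the thread's excerpts); the client IP follows the last colon.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vpopmail\[\d+\]: "
    r"vchkpw-(?P<service>\w+): "
    r"(?P<msg>vpopmail user not found|invalid user/domain characters) "
    r"(?P<account>\S*?):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def syslog_time(text, year=2009):
    """Turn a year-less syslog timestamp like 'Jul  6 14:42:14' into a datetime.
    The year is an assumption (2009, the year of this thread)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_vchkpw_line(line, year=2009):
    """Return a dict with ts/host/service/msg/account/ip, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = syslog_time(ev["ts"], year)
    return ev


def detect_bruteforce(lines, threshold=8, window=timedelta(seconds=120), year=2009):
    """Sliding-window frequency check in the spirit of an OSSEC frequency rule:
    a source IP that produces `threshold` 'user not found' events within `window`
    is reported once, keyed by the time of the event that crossed the line.
    Lines must be fed in chronological order (an alert excerpt is newest-first,
    so sort it before replaying it)."""
    recent = defaultdict(deque)  # ip -> timestamps of its events inside the window
    triggered = {}
    for line in lines:
        ev = parse_vchkpw_line(line, year)
        if ev is None or ev["msg"] != "vpopmail user not found":
            continue  # 'invalid characters' lines are counted separately, not here
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in triggered:
            triggered[ev["ip"]] = ev["ts"]
    return triggered


def active_blocks(triggered, now, block_for=timedelta(minutes=10)):
    """IPs whose temporary block (10 minutes, as in the thread) is still in force at `now`."""
    return sorted(ip for ip, t in triggered.items() if t <= now < t + block_for)


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_MAILLOG.splitlines())
    for ip, when in hits.items():
        print(f"{when:%b %d %H:%M:%S} brute force / email harvesting from {ip}")
    print("blocked at 09:50:00:", active_blocks(hits, syslog_time("Jul 15 09:50:00")))
    print("blocked at 09:55:00:", active_blocks(hits, syslog_time("Jul 15 09:55:00")))
```

On the sample, only 121.33.123.239 reaches eight lookup failures inside the window (at 09:43:33); the single postmaster probe and the "invalid user/domain characters" line do not count toward it, which matches Jake's point that malformed input on its own is not evidence of an attack. The block list is empty again at 09:55:00, after the 10-minute timeout has elapsed.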



Re: [qmailtoaster] vchkpw-smtp attack

2009-07-09 Thread nightduke
I don't understand, can you explain?

Thanks


2009/7/9 Aleksander Podsiadly :
> On 07.07.2009 00:36, Jake Vickers wrote:
>>
>> *Those* types of attacks can be handled with fail2ban.
>
> And with ossec-hids.
>
> --
> Pozdrawiam / Regards,
> Aleksander Podsiadły
>





Re: [qmailtoaster] vchkpw-smtp attack

2009-07-09 Thread Aleksander Podsiadly

On 07.07.2009 00:36, Jake Vickers wrote:

> *Those* types of attacks can be handled with fail2ban.

And with ossec-hids.

--
Pozdrawiam / Regards,
Aleksander Podsiadły






Re: [qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread nightduke
Can fail2ban be used with qmail?
Thanks anyway.



2009/7/7 Jake Vickers :
> nightduke wrote:
>>
>> Jul  6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44
>>
>>
>
> *Those* types of attacks can be handled with fail2ban.
>





Re: [qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread nightduke
That seems to be an attack, it's my opinion.

2009/7/7 nightduke :
> Jul  6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44
>
>
> 2009/7/7 Jake Vickers :
>> nightduke wrote:
>>>
>>> Jul  6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>>>
>>> Hi, on my server I saw in the log a few attempts to deliver email.
>>>
>>> Does anyone know a way to block this kind of attack?
>>>
>>> Thanks
>>>
>>
>> Yes, fail2ban.
>> We've talked about it on the list previously. You're getting invalid
>> characters, which are not the same thing as an "attack".
>>
>>





Re: [qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread Jake Vickers

nightduke wrote:

> Jul  6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44

*Those* types of attacks can be handled with fail2ban.






Re: [qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread nightduke
Jul  6 14:37:09 vps vpopmail[19826]: vchkpw-smtp: vpopmail user not found webmaster@:58.63.151.44


2009/7/7 Jake Vickers :
> nightduke wrote:
>>
>> Jul  6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>>
>> Hi, on my server I saw in the log a few attempts to deliver email.
>>
>> Does anyone know a way to block this kind of attack?
>>
>> Thanks
>>
>
> Yes, fail2ban.
> We've talked about it on the list previously. You're getting invalid
> characters, which are not the same thing as an "attack".
>





Re: [qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread Jake Vickers

nightduke wrote:

> Jul  6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44
>
> Hi, on my server I saw in the log a few attempts to deliver email.
>
> Does anyone know a way to block this kind of attack?
>
> Thanks


Yes, fail2ban.
We've talked about it on the list previously. You're getting invalid 
characters, which are not the same thing as an "attack".








[qmailtoaster] vchkpw-smtp attack

2009-07-06 Thread nightduke
Jul  6 14:42:14 vps vpopmail[28104]: vchkpw-smtp: invalid user/domain characters dÇ:58.63.151.44

Hi, on my server I saw in the log a few attempts to deliver email.

Does anyone know a way to block this kind of attack?

Thanks
