Re: [qmailtoaster] Unwanted Login Attempts

2007-08-09 Thread george
So you have this running monitoring the vpopmail service?  ACZoom
indicates this can be done (in a generic fashion), but I did not see any
how-to on implementing it.  Can you share how you did it?

Regards,

George




Re: [qmailtoaster] Unwanted Login Attempts

2007-08-09 Thread Harry Zink

Google is your friend:

http://freshmeat.net/projects/blockhosts/

http://www.aczoom.com/cms/blockhosts

http://brneurosci.org/linuxsetup79.html

http://www.aczoom.com/tools/blockhosts/

I was skeptical at first, but it's doing a great job on my end.

Harry



Re: [qmailtoaster] Unwanted Login Attempts

2007-08-08 Thread Kyle Quillen
Found this...


http://www.aczoom.com/cms/faq/blockhosts#q_293




RE: [qmailtoaster] Unwanted Login Attempts

2007-08-08 Thread Kyle Quillen
Yes please do provide more info.

Thanks
Q



Re: [qmailtoaster] Unwanted Login Attempts

2007-08-08 Thread George Toft

Please provide more information.

George Toft, CISSP, MSIS
623-203-1760







Re: [qmailtoaster] Unwanted Login Attempts

2007-08-07 Thread Harry Zink
Install BlockHosts - it takes care of these kinds of hack attempts
really fast.


Harry






Re: [qmailtoaster] Unwanted Login Attempts

2007-08-07 Thread George Toft

If you offer POP service to the Internet, this is going to happen.

You could add an iptables rule to block everyone, except the IP address 
of users on your system, but if their IP address changes, you get a 
trouble ticket from a user who can't get their mail.  You will spend 
lots of time chasing your own users.  Not fun.


Make sure your system is patched and built using the QMT scripts.  The 
firewall is very good.  I run yum update weekly to keep it up to date.


What I do when this happens is look in /var/log/maillog for the IP 
address of the offender.  Then run whois  to get the ISP of the 
offender.  If it is in the US/Canada, I fire off an e-mail with the logs 
(/var/log/maillog) to the abuse address and I use the key words "brute 
force attack on our mail server" and "please address this AUP violation 
with your subscriber."  If the attack is from China, I don't even waste 
my time.


When I was at a web hosting company, we took these complaints seriously. 
 Maybe it works, maybe not.  I've never had a repeat attack.


I did have a BF attack from Argentina that went on for hours.  I 
e-mailed the ISP and it stopped about 15 minutes later.


George Toft, CISSP, MSIS
623-203-1760




Francisco Paco Peralta wrote:


Hello list,

I am looking for a way to minimize the rogue attempts to log in to my
system.  Any suggestions are welcome.


I get a logwatch report every morning and have been getting the 
results.  While it doesn't happen every day I would like to minimize my 
exposure. 


See Below:


- vpopmail Begin 


No Such User Found:
*@ - 1 Time(s)
0246@ - 1 Time(s)
12345678@ - 1 Time(s)
123456@ - 1 Time(s)
1234@ - 1 Time(s)
123@ - 1 Time(s)
123abc@ - 1 Time(s)
1q2w3e@ - 1 Time(s)
a1b2c3@ - 1 Time(s)
abc123@ - 1 Time(s)
amanda@ - 1 Time(s)
andrew@ - 1 Time(s)
apple@ - 1 Time(s)
asshole@ - 1 Time(s)
bandit@ - 1 Time(s)
baseball@ - 1 Time(s)
beavis@ - 1 Time(s)
buster@ - 1 Time(s)
chris@ - 1 Time(s)
computer@ - 1 Time(s)
cowboys@ - 1 Time(s)
dakota@ - 1 Time(s)
dallas@ - 1 Time(s)
daniel@ - 1 Time(s)
david@ - 1 Time(s)
diamond@ - 1 Time(s)
dragon@ - 1 Time(s)
falcon@ - 1 Time(s)
fiction@ - 1 Time(s)
foobar@ - 1 Time(s)
fred@ - 1 Time(s)
friends@ - 1 Time(s)
george@ - 1 Time(s)
harley@ - 1 Time(s)
hatton@ - 1 Time(s)
hello@ - 1 Time(s)
hockey@ - 1 Time(s)
internet@ - 2 Time(s)
jennifer@ - 1 Time(s)
jessica@ - 1 Time(s)
jordan@ - 2 Time(s)
joshua@ - 1 Time(s)
justin@ - 1 Time(s)
maddock@ - 1 Time(s)
maggie@ - 1 Time(s)
michael@ - 1 Time(s)
michelle@ - 1 Time(s)
mickey@ - 2 Time(s)
mike@ - 1 Time(s)
monday@ - 1 Time(s)
money@ - 1 Time(s)
monkey@ - 1 Time(s)
mustang@ - 1 Time(s)
newpass@ - 1 Time(s)
newuser@ - 1 Time(s)
nicole@ - 1 Time(s)
notused@ - 1 Time(s)
orange@ - 1 Time(s)
pascal@ - 1 Time(s)
passwd@ - 1 Time(s)
password@ - 1 Time(s)
patrick@ - 1 Time(s)
pepper@ - 1 Time(s)
purple@ - 1 Time(s)
qwerty@ - 2 Time(s)
richard@ - 1 Time(s)
robert@ - 1 Time(s)
school@ - 1 Time(s)
sendit@ - 1 Time(s)
shadow@ - 1 Time(s)
silver@ - 1 Time(s)
smokey@ - 1 Time(s)
snoopy@ - 1 Time(s)
soccer@ - 1 Time(s)
sports@ - 1 Time(s)
stupid@ - 1 Time(s)
summer@ - 2 Time(s)
sunshine@ - 1 Time(s)
test@ - 1 Time(s)
thomas@ - 1 Time(s)
undead@ - 1 Time(s)
vikings@ - 1 Time(s)
wheeling@ - 1 Time(s)

**Unmatched Entries**
vchkpw-smtp: invalid user/domain characters "null":xxx.xxx.xxx.xxx
vchkpw-smtp: invalid user/domain characters [EMAIL PROTECTED]:xxx.xxx.xxx.xxx

-- vpopmail End -


 
Francisco "Paco" Peralta




-
QmailToaster hosted by: VR Hosted 
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
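
The manual triage George describes above (find the offender's IP address in /var/log/maillog, then send the ISP's abuse desk the log lines) as an added Python example; it is not part of the original thread and is not BlockHosts code. The log lines are constructed: only the "invalid user/domain characters" wording and the trailing ":IP" field come from the logwatch excerpt, while the syslog prefix, the other message texts and all addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. Only the "invalid user/domain characters" wording and the
# trailing ":<ip>" field come from the thread's logwatch excerpt; the syslog
# prefix, the other message texts and every address/domain are assumptions.
SAMPLE_MAILLOG = """\
Aug  7 03:12:01 mail vpopmail[4120]: vchkpw-pop3: vpopmail user not found abc123@example.com:192.0.2.10
Aug  7 03:12:02 mail vpopmail[4121]: vchkpw-pop3: vpopmail user not found qwerty@example.com:192.0.2.10
Aug  7 03:12:03 mail vpopmail[4122]: vchkpw-pop3: vpopmail user not found password@example.com:192.0.2.10
Aug  7 03:12:04 mail vpopmail[4123]: vchkpw-smtp: invalid user/domain characters "null":192.0.2.10
Aug  7 08:30:15 mail vpopmail[5001]: vchkpw-pop3: password fail paco@example.com:198.51.100.7
Aug  7 08:30:40 mail vpopmail[5002]: vchkpw-pop3: (PLAIN) login success paco@example.com:198.51.100.7
"""

# The user field is supplied by the client, so the source address is taken from
# the very end of the line (greedy ".*" plus "$"), never from inside the message.
LINE_RE = re.compile(
    r"vchkpw-(?P<service>[\w-]+): (?P<msg>.*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
FAILURE_MARKERS = ("user not found", "password fail", "invalid user/domain characters")


def parse_failures(text):
    """Return (service, reason, user, ip, raw_line) for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        reason = next((r for r in FAILURE_MARKERS if r in msg), None)
        if reason is None:
            continue  # successful logins and unrelated vchkpw messages
        user = msg.split(reason, 1)[1].strip()
        events.append((m.group("service"), reason, user, m.group("ip"), line))
    return events


def offenders(text, min_attempts=3):
    """Source addresses with at least min_attempts failures, busiest first.

    distinct_users separates a dictionary run (many names, one address) from a
    real user who mistyped a password a few times.
    """
    attempts = Counter()
    users = defaultdict(set)
    for _service, _reason, user, ip, _line in parse_failures(text):
        attempts[ip] += 1
        users[ip].add(user)
    return [
        {"ip": ip, "attempts": n, "distinct_users": len(users[ip])}
        for ip, n in attempts.most_common()
        if n >= min_attempts
    ]


def abuse_report(ip, text):
    """Draft the complaint body for one address, with its log lines attached."""
    lines = [e[4] for e in parse_failures(text) if e[3] == ip]
    if not lines:
        return ""
    return "\n".join([
        f"Subject: brute force attack on our mail server from {ip}",
        "",
        f"We logged {len(lines)} failed mail logins from {ip}.",
        "Please address this AUP violation with your subscriber.",
        "",
        "Log excerpt (/var/log/maillog, server local time):",
        *lines,
    ])


if __name__ == "__main__":
    for entry in offenders(SAMPLE_MAILLOG):
        print(entry)
        print(abuse_report(entry["ip"], SAMPLE_MAILLOG))
```

The abuse address itself still comes from running whois on each reported IP, as in the message above.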