Re: [opensuse] dictionary attacks

2007-07-30 Thread Sloan
Patrick Shanahan wrote: * Richard Creighton [EMAIL PROTECTED] [07-29-07 15:46]: I don't think he wants to block off the public, just someone he has detected abusing. exactly and I am presently using fail2ban to block: [postfix-tcpwrapper] enabled = true filter =

Re: [opensuse] dictionary attacks

2007-07-30 Thread Patrick Shanahan
* Sloan [EMAIL PROTECTED] [07-30-07 13:10]: So, any host that has a lot of messages to send to users on your system will be banned, correct? We frequently have occasion to send thousands of business-related messages to a single domain, and if they use some simple-minded smtp connection rate

Re: [opensuse] dictionary attacks

2007-07-30 Thread John Andersen
On Sunday 29 July 2007, Patrick Shanahan wrote: * Richard Creighton [EMAIL PROTECTED] [07-29-07 15:46]: I don't think he wants to block off the public, just someone he has detected abusing. exactly and I am presently using fail2ban to block: [postfix-tcpwrapper] enabled = true

Re: [opensuse] dictionary attacks

2007-07-30 Thread Sloan
Patrick Shanahan wrote: * Sloan [EMAIL PROTECTED] [07-30-07 13:10]: So, any host that has a lot of messages to send to users on your system will be banned, correct? We frequently have occasion to send thousands of business-related messages to a single domain, and if they use some

Re: [opensuse] dictionary attacks

2007-07-30 Thread Patrick Shanahan
* Sloan [EMAIL PROTECTED] [07-30-07 14:58]: I'm curious about the mechanism by which fail2ban determines what is legitimate high volume mail, and what is spam... Unfortunately messages can bounce due to various causes on the receiving end, including users who have moved on but haven't let all

Re: [opensuse] dictionary attacks

2007-07-30 Thread Sloan
Patrick Shanahan wrote: a little quote trimming would be nice :^) from my logs: /var/log/mail: Jul 30 14:13:06 wahoo postfix/smtpd[488]: connect from edu194.internetdsl.tpnet.pl[83.14.202.194] Jul 30 14:13:18 wahoo postfix/smtpd[488]: NOQUEUE: reject: RCPT from

Re: [opensuse] dictionary attacks

2007-07-30 Thread Patrick Shanahan
* Sloan [EMAIL PROTECTED] [07-30-07 15:27]: Interesting - but with RBLs you sometimes have innocent senders tarred with the same brush as the spammers, so if it's problematic to ban based on the RBLs. rbl blocked 1000 posts the 28th and 600 yesterday. I correspond with several people who

Re: [opensuse] dictionary attacks

2007-07-29 Thread Patrick Shanahan
* Benji Weber [EMAIL PROTECTED] [07-16-07 05:04]: set the following line FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3 attempts per 120s. This works *very* well, even better than fail2ban,

Re: [opensuse] dictionary attacks

2007-07-29 Thread Richard Creighton
Patrick Shanahan wrote: * Benji Weber [EMAIL PROTECTED] [07-16-07 05:04]: set the following line FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3 attempts per 120s. This works *very* well,

Re: [opensuse] dictionary attacks

2007-07-29 Thread Benji Weber
On 29/07/07, Richard Creighton [EMAIL PROTECTED] wrote: Turns out that I have spent the morning trying to figure out why on my machine that didn't work at all. I perused the iptables -L and found the order of the rules produced by susefirewall2 is wrong IF you open the ssh port using the

Re: [opensuse] dictionary attacks

2007-07-29 Thread joe
Patrick Shanahan wrote: * Benji Weber [EMAIL PROTECTED] [07-16-07 05:04]: set the following line FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3 attempts per 120s. This works *very* well,

Re: [opensuse] dictionary attacks

2007-07-29 Thread Richard Creighton
joe wrote: Patrick Shanahan wrote: * Benji Weber [EMAIL PROTECTED] [07-16-07 05:04]: set the following line FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3 attempts per 120s. This works

Re: [opensuse] dictionary attacks

2007-07-29 Thread Patrick Shanahan
* Richard Creighton [EMAIL PROTECTED] [07-29-07 15:46]: I don't think he wants to block off the public, just someone he has detected abusing. exactly and I am presently using fail2ban to block: [postfix-tcpwrapper] enabled = true filter = postfix action =

Re: [opensuse] dictionary attacks

2007-07-29 Thread joe
Richard Creighton wrote: I don't think he wants to block off the public, just someone he has detected abusing. I have a friend that has a small newsletter she sends out to a growing list of people and recently she hit a limit from road-runner. She could receive mail just fine but when

Re: [opensuse] dictionary attacks

2007-07-18 Thread Joe Sloan
On Jul 17, 2007, at 1:34 PM, Richard Creighton wrote: Patrick Shanahan wrote: * Richard Creighton [EMAIL PROTECTED] [07-17-07 16:09]: Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.

Re: [opensuse] dictionary attacks

2007-07-18 Thread Richard Creighton
Joe Sloan wrote: On Jul 17, 2007, at 1:34 PM, Richard Creighton wrote: Patrick Shanahan wrote: Prayer is cool, but why a reboot? This isn't windoze, no need. Just tell the firewall to reload, takes a second. Joe Oh you don't know how much I know this isn't WindozeDa I

Re: [opensuse] dictionary attacks

2007-07-17 Thread Verner Kjærsgaard
Monday 16 July 2007 18:00, joe wrote: Richard Creighton wrote: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 snip My question is what, if any firewall

Re: [opensuse] dictionary attacks

2007-07-17 Thread G T Smith
John Andersen wrote: On Monday 16 July 2007, G T Smith wrote: The real problem starts when the attacker hits pay dirt, the entries I would worry about are the ones that are not in the log. Paydirt? You mean like guessing BOTH the account name

Re: [opensuse] dictionary attacks

2007-07-17 Thread Richard Creighton
John, you have been a tremendous amount of help. I am posting my reply to the list as well as direct to you because your answer may be of benefit to the list members and the question I pose may also be of significance John Andersen wrote: On Tuesday 17 July 2007, Richard Creighton wrote:

Re: [opensuse] dictionary attacks

2007-07-17 Thread John Andersen
On Tuesday 17 July 2007, Richard Creighton wrote: But in any event, I don't believe its being honored. Ok, its safe to say you have rate limit installed and available What I'm wondering is if it *is* being honored as far as the hacker is concerned, ie, he is not getting past the 'DROP',

Re: [opensuse] dictionary attacks

2007-07-17 Thread Richard Creighton
John Andersen wrote: On Tuesday 17 July 2007, Richard Creighton wrote: But if the logging shows up prefixed with sshd as yours does: Jul 17 00:38:27 raid5 sshd Then you can be assured that the connection attempt DID get to the ssh daemon, and was NOT dropped. If it was dropped the sshd

Re: [opensuse] dictionary attacks

2007-07-17 Thread Patrick Shanahan
* Richard Creighton [EMAIL PROTECTED] [07-17-07 16:09]: Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. SuSEfirewall2: Error: unknown parameter name=ssh in FW_SERVICES_ACCEPT_EXT -

Re: [opensuse] dictionary attacks

2007-07-17 Thread John Andersen
On Tuesday 17 July 2007, Richard Creighton wrote: John Andersen wrote: On Tuesday 17 July 2007, Richard Creighton wrote: But if the logging shows up prefixed with sshd as yours does: Jul 17 00:38:27 raid5 sshd Then you can be assured that the connection attempt DID get to the ssh

Re: [opensuse] dictionary attacks

2007-07-17 Thread Richard Creighton
Patrick Shanahan wrote: * Richard Creighton [EMAIL PROTECTED] [07-17-07 16:09]: Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. SuSEfirewall2: Error: unknown parameter name=ssh in

Re: [opensuse] dictionary attacks

2007-07-17 Thread Richard Creighton
Patrick Shanahan wrote: * Richard Creighton [EMAIL PROTECTED] [07-17-07 16:09]: Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled. SuSEfirewall2: Error: unknown parameter name=ssh in

Re: [opensuse] dictionary attacks

2007-07-17 Thread Dale Schuster
Richard Creighton [EMAIL PROTECTED] wrote on 07/17/2007 02:02:51 PM: Thanks to all that have endured this thread and to all that have contributed their ideas. BTW, I did install 'fail2ban' and it did execute but it never caught any attacks...so obviously I screwed up in configuration somehow

Re: [opensuse] dictionary attacks

2007-07-17 Thread Patrick Shanahan
* Richard Creighton [EMAIL PROTECTED] [07-17-07 17:05]: Thank you very much. Obviously despite everything, I must have fat-fingered something somewhere. After a cut and paste session PLUS a system reboot (something I very rarely do in Linux), I ended up with: ... A quick simple solution

Re: [opensuse] dictionary attacks

2007-07-17 Thread John Andersen
On Tuesday 17 July 2007, Dale Schuster wrote: Richard Creighton [EMAIL PROTECTED] wrote on 07/17/2007 02:02:51 PM: Thanks to all that have endured this thread and to all that have contributed their ideas. BTW, I did install 'fail2ban' and it did execute but it never caught any

[opensuse] dictionary attacks

2007-07-16 Thread Richard Creighton
Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42 Jul 16 00:35:35 raid5 sshd[6972]: Invalid user

Re: [opensuse] dictionary attacks

2007-07-16 Thread Benji Weber
On 16/07/07, Richard Creighton [EMAIL PROTECTED] wrote: My question is what, if any firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of defense as well as

Re: [opensuse] dictionary attacks

2007-07-16 Thread G T Smith
Richard Creighton wrote: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 Jul 16 00:35:30 raid5 sshd[6968]: Invalid

Re: [opensuse] dictionary attacks

2007-07-16 Thread Matthew Stringer
On Monday 16 July 2007 10:02:54 G T Smith wrote: Richard Creighton wrote: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 Jul 16 00:35:30 raid5 sshd[6968]:

Re: [opensuse] dictionary attacks

2007-07-16 Thread koffiejunkie
Matthew Stringer wrote: After having a similar problem I was recommended DenyHosts, swear by it now, blocks all these lamers. http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts Cheers, Matthew I'll vote for this too, although I would like to get something that uses

Re: [opensuse] dictionary attacks

2007-07-16 Thread Carlos E. R.
The Monday 2007-07-16 at 11:09 +0100, koffiejunkie wrote: I'll vote for this too, although I would like to get something that uses iptables instead - taking the load off sshd. SuSEfirewall2 does it that way - see Benji Weber answer.

Re: [opensuse] dictionary attacks

2007-07-16 Thread Richard Creighton
Benji Weber wrote: On 16/07/07, Richard Creighton [EMAIL PROTECTED] wrote: My question is what, if any firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of

Re: [opensuse] dictionary attacks

2007-07-16 Thread Carlos E. R.
The Monday 2007-07-16 at 08:19 -0400, Richard Creighton wrote: FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3 attempts per 120s. The log

Re: [opensuse] dictionary attacks

2007-07-16 Thread joe
Richard Creighton wrote: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 snip My question is what, if any firewall rule could I write that could detect such

Re: [opensuse] dictionary attacks

2007-07-16 Thread joe
joe wrote: Richard Creighton wrote: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 snip My question is what, if any firewall rule could I write that

Re: [opensuse] dictionary attacks

2007-07-16 Thread G T Smith
joe wrote: joe wrote: Richard Creighton wrote: I prefer a more simple approach. Rather than adding more firewall rules, I set the sshd allowed_users parameter to the 2 accounts that actually have a reason to log in, and I also limit the IP

Re: [opensuse] dictionary attacks

2007-07-16 Thread Theo v. Werkhoven
Mon, 16 Jul 2007, by [EMAIL PROTECTED]: Just about every day, often several times a day, my logs include hours of log entries that look like this: Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42 Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42

Re: [opensuse] dictionary attacks

2007-07-16 Thread John Andersen
On Monday 16 July 2007, G T Smith wrote: The real problem starts when the attacker hits pay dirt, the entries I would worry about are the ones that are not in the log. Paydirt? You mean like guessing BOTH the account name and password? The chances of this are vanishingly slim with reasonable

Re: [opensuse] dictionary attacks

2007-07-16 Thread John Andersen
On Monday 16 July 2007, Richard Creighton wrote: The log excerpt was despite a setting of: FW_SERVICES_ACCEPT_EXT=0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh I don't believe you had that in there correctly, because if you look at the times there were cases where there were 5 hits