Josip Almasi wrote:
Netstat shows me I have a dozen SMTP connections from a dozen
addresses, from Bulgaria and Russia and China. I thought they were trying to
brute-force crack my SMTP auth so I just iptables them away.
But it turns out they change addresses and they brute-force guess my
server's usernames :)
Oh, bad luck :-(
Long ago I decided to 'trust the force' and delete anything which failed
the bayesian filter. That stops the backlog of messages for me but that
may not be acceptable for you.
A while ago, like many people, I noticed those horrible scripts
attempting dictionary attacks on the SSH daemon. In the end I
implemented a fix I'd seen using iptables [1][2]. This involved
dropping any attempts to login using SSH if that same IP address had
previously failed to login for more than some threshold value. The ban
on the IP address was set to half an hour.
I wonder if something similar could be implemented here? It's not quite
the same as Greylisting as you penalise MTAs that try to connect too
often. I guess if James doesn't limit the number of operations that the
same MTA can perform using one connection this won't work anyway.
I do get a chuckle though when I run dmesg and see all the failed
attempts to crack SSH ;-)
David Legg
[1] http://olivier.sessink.nl/publications/blacklisting/index.html
[2] http://www.la-samhna.de/library/brutessh.html
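An added example, not code from this thread or from the references above, modelling in user space the counting David describes: once an IP has accumulated a threshold of failed logins inside a short window, it is banned for half an hour. The sshd log lines are constructed, and the threshold of 3 and the 10-minute window are assumptions; the recipes in [1][2] do the equivalent counting with kernel firewall rules, which this block does not attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample sshd log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:03 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:05 host sshd[102]: Failed password for invalid user test from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:30 host sshd[103]: Failed password for bob from 198.51.100.7 port 5000 ssh2
Jan 10 10:40:00 host sshd[104]: Accepted password for bob from 198.51.100.7 port 5001 ssh2
"""
# Syslog timestamp and source IP of a failed sshd password attempt.
FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")
def parse_ts(stamp, year=2024):
    # Syslog lines carry no year; assume one so timestamps compare.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

class FailureBanner:
    """Ban an IP after `threshold` failures within `window`, for `ban_time`."""
    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 ban_time=timedelta(minutes=30)):
        self.threshold, self.window, self.ban_time = threshold, window, ban_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> ban expiry time

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Count one failure; return True when it triggers a new ban."""
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.banned_until[ip] = now + self.ban_time
            recent.clear()
            return True
        return False

def process_log(text, banner):
    """Feed failed-login lines to the banner; return (ip, time) for each new ban."""
    bans = []
    for m in filter(None, map(FAILED_RE.match, text.splitlines())):
        ip, ts = m.group(2), parse_ts(m.group(1))
        if banner.record_failure(ip, ts):
            bans.append((ip, ts))
    return bans
```

Counting logged failures per source IP rather than per connection sidesteps the concern about many attempts over a single SMTP connection, provided the MTA logs each failed authentication.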