Does anyone have a script that will notice a Rumplestiltskin type spam attack (where they try every name possible) and drop the sending into a block list?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815)301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com

On 3/26/06, Chris Mason (Lists) <lists@masonc.com> wrote:
> Does anyone have a script that will notice a Rumplestiltskin type spam
> attack (where they try every name possible) and drop the sending into a
> block list?

Denyhosts is what you're looking for. It's in dag's repository. Alternately you could just move ssh off port 22 and they'll all go away.

-- 
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775

Jim Perrin wrote:
> On 3/26/06, Chris Mason (Lists) <lists@masonc.com> wrote:
>
>> Does anyone have a script that will notice a Rumplestiltskin type spam
>> attack (where they try every name possible) and drop the sending into a
>> block list?
>
> Denyhosts is what you're looking for. It's in dag's repository.
> Alternately you could just move ssh off port 22 and they'll all go
> away.

Except I am trying to protect smtp, not ssh.

-- 
Chris Mason

On Sun, 2006-03-26 at 10:45 -0400, Chris Mason (Lists) wrote:
> Jim Perrin wrote:
> > On 3/26/06, Chris Mason (Lists) <lists@masonc.com> wrote:
> >
> > > Does anyone have a script that will notice a Rumplestiltskin type spam
> > > attack (where they try every name possible) and drop the sending into a
> > > block list?
> >
> > Denyhosts is what you're looking for. It's in dag's repository.
> > Alternately you could just move ssh off port 22 and they'll all go
> > away.
>
> Except I am trying to protect smtp, not ssh.

----
There's no way to script that - you have to configure your smtp server, and since you don't mention which smtp server you are using nor what you have looked at in terms of documentation, there's little anyone could suggest.

Craig

Craig White wrote:
> ---
> there's no way to script that - you have to configure your smtp server
> and since you don't mention which smtp server you are using nor what you
> have looked at in terms of documentation, there's little anyone could
> suggest.

I did find a Perl script from 2001 that should be effective and I am testing now. It's called rumplekill.pl and the way it works is pretty simple. It greps for "Unknown user" in the last 1,000 entries in /var/log/maillog | counts the occurrences of the ip, if the count > $threshold then it writes that ip to a file /var/log/blocked_ips

That's what I need. I am testing now.

-- 
Chris Mason

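Added example, not part of the original thread and not the rumplekill.pl script itself: a Python version of the counting approach described in the message above, run over constructed log lines. The `relay=[ip]` log format, the loopback/allowlist skip and the function names are assumptions made for this example.

```python
import re
from collections import Counter, deque
from ipaddress import ip_address

MARKER = "Unknown user"   # string the message says the script greps for
# Assumption: the MTA logs the peer as relay=[a.b.c.d]; adjust for your log format.
RELAY_RE = re.compile(r"relay=\S*\[([0-9.]+)\]")

def offenders(lines, threshold, tail=1000, allow=()):
    """IPs with more than `threshold` MARKER hits in the last `tail` lines."""
    hits = Counter()
    for line in deque(lines, maxlen=tail):       # keep only the newest entries
        m = RELAY_RE.search(line) if MARKER in line else None
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))          # rejects malformed addresses
        except ValueError:
            continue
        if ip.is_loopback or str(ip) in allow:   # never block ourselves
            continue
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n > threshold)

def update_blocklist(path, ips):
    """Append only addresses not already listed; return the ones added."""
    try:
        with open(path) as fh:
            known = {l.strip() for l in fh if l.strip()}
    except FileNotFoundError:
        known = set()
    new = [ip for ip in ips if ip not in known]
    with open(path, "a") as fh:
        fh.writelines(ip + "\n" for ip in new)
    return new

def sample_log():
    """Constructed log lines (not from a real server)."""
    def line(user, ip):
        return (f"Mar 26 10:00:00 mail mta[100]: k2Q: <{user}@example.com>... "
                f"{MARKER}, relay=[{ip}]")
    log = [line(u, "192.0.2.10") for u in ("aaron", "abby", "adam", "alan")]
    log += [line(u, "198.51.100.7") for u in ("bob", "typo")]
    log += [line(u, "127.0.0.1") for u in "abcde"]
    log.append("Mar 26 10:00:01 mail mta[101]: k2R: stat=Sent, relay=[192.0.2.10]")
    return log

if __name__ == "__main__":
    print(offenders(sample_log(), threshold=3))
```

A low threshold will also catch a legitimate relay that forwards a few mistyped addresses, so list known-good relays in `allow` before feeding the result to a firewall.
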
> Except I am trying to protect smtp, not ssh.

Ah, yeah. That's what I get for responding to email before coffee.

On Sun, 2006-03-26 at 10:29 -0500, Jim Perrin wrote:
> > Except I am trying to protect smtp, not ssh.
>
> Ah, yeah. that's what I get for responding to email before coffee.

You should *always* respond to coffee before email. Otherwise, trousers may need changing. (Sorry for the humor kbs).

> <snip sig>

Bill

Jim Perrin wrote:
>> Except I am trying to protect smtp, not ssh.
>
> Ah, yeah. that's what I get for responding to email before coffee.

Yep, hold nose, swallow lots of coffee, work...

By the way, I have integrated APF (Advanced Policy Firewall) <http://www.r-fx.ca/downloads/apf-current.tar.gz> and a script that fends off both email and ssh dictionary attacks beautifully. If anyone wants details let me know.

-- 
Chris Mason

I had a few requests for information on stopping dictionary attacks so I published it on my site: http://www.anguillaguide.com/article/articleview/3420

The script is working very well and has reduced the amount of spam reaching the server (not the user) enormously. It would have been rejected anyway but the constant attempts waste resources so automatically banning the hosts is very effective.

-- 
Chris Mason

On Sunday 26 March 2006 08:06, Chris Mason (Lists) wrote:
> Does anyone have a script that will notice a Rumplestiltskin type spam
> attack (where they try every name possible) and drop the sending into a
> block list?

If you are using IPTABLES you could set it up to just drop the packets after the limit was reached.

-- 
Regards
Robert

Smile... it increases your face value!