search for: forcers

...resses all together, or just ban certain services. -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Brian Marshall Sent: Thursday, November 16, 2006 9:33 AM To: CentOS mailing list Subject: Re: [CentOS] Re: IPTables Blocking Brute Forcers Sweeeet! I'll give it a shot. Thanks Mike. > From: <mike.redan at bell.ca> > Reply-To: CentOS mailing list <centos at centos.org> > Date: Thu, 16 Nov 2006 12:18:00 -0500 > To: <centos at centos.org> > Conversation: [CentOS] Re: IPTables Blocking Brute Force...

On 07:09, Fri 17 Nov 06, Sudev Barar wrote: > >You can use IPTables to limit the rate of connections. I allow only 2 > >connections from a given IP address within each 3 minute period. > > > >I know this is sloppy and lazy but can you post your iptables line > >that does this? > > > # Don't have a limit on my_trusted_domain > iptables -A INPUT -p tcp

There's an article on slashdot about the Duqu team wiping all their intermediary c&c servers on 20 Oct. Interestingly, the report says that they were all (?) not only linux, but CentOS. There's a suggestion of a zero-day exploit in openssh-4.3, but both the original article, and Kaspersky labs (who have a *very* interesting post of the story) consider that highly unlikely, and the

I am currently blocking out netbios UDP port 137 on my firewall and was wondering what the following means in terms of security: Jul 9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137 MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111 I have gottena few 100 of these and was wondering if there are some vulnerabilties related to netbios out there?? What do the S/I/F/L fields stand for?? I

...e=1800 > > However, it seems almost all IPs are different, and I don't think I can > keep the above settings permanently. Why not? Limited by firewall rules overload? You could probably use a persistent DB, can't you? You can also use a third party RBL that specialized in brute forcers like blocklist.de. You can also feed back fail2ban data and crowdsource BFD data to them. Joseph Tam <jtam.home at gmail.com>

So I was bored yesterday and tried solving a few problems with one stone: 1) Notify me of potential brute forcers (multiple attempts to register multiple numbers from one address) 2) Notify me of (l)users who are having password issues So I whipped up a simple script to run in cron and notify me that UserX from X_IP_Space had X amout of password issues. I'm currently running this from cron and it works fi...

dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)? John

...very high > > termination rates. How does $25 per minute sound? > > > > Thanks, > > Steve Totaro > > http://www.asteriskhelpdesk.com > > KB3OPB > > Ashtray is an Asterisk brute force watcher. Checks logs from cron and > emails admin of potential brute forcers > http://www.infiltrated.net/scripts/ashtray > > Can have it set in .bash_profile so whenever you log on, you'd see > anomalies. > > -- > ==================================================== > J. Oquendo > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383...

...I have increased it to two. A timeout feature is handy here; even though you allow attackers several kicks at the can, it will allow your users to eventually gain control to their accounts again after a suitable penalty period. >> You can also use a third party RBL that specialized in brute forcers like >> blocklist.de. You can also feed back fail2ban data and crowdsource BFD >> data to them. > > Yes, I will look into that now. > ... > > Anyone aware of other blocklists that are worth bocking? Because the > list.blocklist.de/lists/all.txt blocks some, but not an...

...il2ban to implement some of these things.) There are other solutions like alternate ports, port knocking, certificate authentication, or VPN, but they are hard/impossible to do with a large userbase, or have high setup/amortization costs. If you have a enforced strong password policy, these brute forcers have little chance of succeeding, so maybe the easiest cheapest policy is to ignore it. Joseph Tam <jtam.home at gmail.com>

(Sorry, third time -- last one, promise, just giving it a subject line!) OK, a second machine hosted at the same hosting company has also apparently been hacked. Since 2 of out of 3 machines hosted at that company have now been hacked, but this hasn't happened to any of the other 37 dedicated servers that I've got hosted at other hosting companies (also CentOS, same version or almost),

Debian Lenny, Dovecot v 1.0.15. I'm getting a lot of what I think is a local socket asking dovecot:auth to verify username/passwords: > May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost= Note the empty 'rhost='. That's why I think it's on the server. I see others that look like bots:

Hi ! Since few months, dreplsrv is eating lots of memory in few days. Within 2 weeks, the process is generaly OOM killed and replication become weired. I need to restart samba-ad-dc. Here is my config : - Samba 4.11.6 / 4 vcpu / 2Go Ram - 10215 objects (ldbs file = 300MB) This memory problem only happen on my headbridge DC (star topolgy with 20 DC) If I add some ram, the

Hello, I install samba-ldap-pdc on a ubuntu. I join well the domain with root user, but when I restart, root or user login don't work. I can access to share via network with root or user login. when I try under winXP pro to change security of a file, I can't access to server user list : "bad user or passwd" I've no error in log.smbd or debug my smb.conf [global] smb ports

Does anyone know if there is a known list of telemarketers? Something like http://whocalled.us/ with an easier access? We could all benefit if there was such a thing :-) If there is enough interest, I could put up a database that everyone can benefit from. I just need some suggestions on: (1) Adding new numbers based on community responses (some rule to sanity check) (2) Method that everyone