similar to: Dovecot under brute force attack - nice attacker

Displaying 20 results from an estimated 9000 matches similar to: "Dovecot under brute force attack - nice attacker"

2009 Jun 02
3
Dovecot under brute force attack - nice attacker
Hi List, optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior. The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this: dovecot: pop3-login: Aborted
2011 Apr 05
2
Iptables configuration to handle brute, force registrations?
fail2ban might be good for this. On 04/05/2011 01:00 PM, asterisk-users-request at lists.digium.com wrote: > > Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT) > From: Steve Edwards<asterisk.org at sedwards.com> > Subject: Re: [asterisk-users] Iptables configuration to handle brute > force registrations? > > On Tue, 5 Apr 2011, Gilles wrote: > >> I'm no expert
2009 Jun 05
4
Under POP attack - now to prevent?
Looks like we are under a dictionary login attack on our POP server: Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Jun
2012 Apr 17
1
Preventing brute force password attacks
I was hoping to set up fail2ban to block IP addresses that generate too many Samba password failures, but it needs a syslog message with the IP address of the computer that failed password authentication. Unfortunately, Samba doesn't seem to do this in my environment. Here's a sample error message: smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus ! I
2012 Jun 14
2
Sendmail SMTP Brute-Force Attack
Dear CentOS Community Is totally clear there's no support sendmail platform today, but I need to stop SMTP brute-force attack on sendmail. My server is attacked today, my maillog look like : 4624 at myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1] Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958, class=0, nrcpts=1,
2011 Mar 17
0
Asterisk not logging originating IP of a brute force attack
Why do attacks from the Internet get shown in the Asterisk logs with myAsteriskServerIP instead of the attacker's IP?! Really useful for blocking them, that is... Example: [Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae (I replaced our IP address with myAsteriskServerIP. The attacks are not coming from
2009 May 14
6
Dealing with brute force attacks
Over the weekend one of our servers at a remote location was hammered by an IP originating in mainland China. This attack was only noteworthy in that it attempted to connect to our pop3 service. We have long had an IP throttle on ssh connections to discourage this sort of thing. But I had not considered the possibility that other services were equally at risk. Researching this on the web does
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable
2010 Jan 11
2
Securing http authentication from brute force attacks
We have several web applications deployed under Apache that require a user id / password authentication. Some of these use htdigest and others use the application itself. Recently we have experienced several brute force attacks against some of these services which have been dealt with for the nonce by changes to iptables. However, I am not convinced that these changes are the answer. Therefore
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can
2007 Dec 20
5
Brute Force Blocking?
Hi Everyone, Before I begin, I'd just like to mention: I love dovecot. Thank you :) Anyway, today I had 8000 login attempts to my dovecot server in an hour before blocking the IP with my firewall. After googling, I didn't see very much discussion on the topic. There was some mention of blocksshd which was supposed to support dovecot in the next release (but doesn't appear to) and
2010 Jun 29
3
Find a way to block brute force attacks.
Hello list. I'm trying to find a way to block any ip that tries to login more than three times with the wrong password and try to log in three different extensions. For I have suffered some brute force attacks on my asterisk in the morning period. The idea would be: Any ip with three attempts without success to log into an extension is blocked. Is there any way to accomplish this directly
2019 Apr 11
5
Mail account brute force / harassment
On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot <dovecot at dovecot.org> wrote: > > > Say for instance you have some one trying to constantly access an > account > > > Has any of you made something creative like this: > > * configure that account to allow to login with any password > * link that account to something like /dev/zero that generates infinite
2008 Jul 21
20
Ideas for stopping ssh brute force attacks
just wanted to get some feedback from the community. Over the last few days I have noticed my web server and email box have attempted to ssh'd to using weird names like admin,appuser,nobody,etc.... None of these are valid users. I know that I can block sshd all together with iptables but that will not work for us. I did a little research on google and found programs like sshguard and
2010 Jan 23
5
authentication failure
I noticed that my server has a lot ca. 1000x auth failure from different allocated in China / Romania and Netherlands per day since 3 days. It looks to me like somebody was trying to get into server by guessing my password by brute force. what would be the best to stop this attack and how? the server running apache mysql and ftp PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 443/tcp
2019 Apr 11
1
Mail account brute force / harassment
Marc, There is a strategy loosely referred to as "choose your battles well" :-) Let the others bother with their own problems. If you can, hack the server and dump the 500GB - you'll be using resources transferring the 500GB as the other server receives it. Two servers wasting resources because you think you are punishing an offender! On Thu, 11 Apr 2019 at 13:43, Marc Roos
2007 Jun 16
3
dovecot under attack
Hi, I've posted this before but no one was able to help. I can't figure out what they are trying to do, and if I should be concerned. I am running dovecot version 0.99.14 on Fedora Core 4. It appears that my dovecot server is under attack. This morning in my system e-mail I saw this: dovecot: Authentication Failures: rhost= : 23431 Time(s)
2019 Apr 11
1
Mail account brute force / harassment
> Am 11.04.2019 um 12:43 schrieb Marc Roos via dovecot <dovecot at dovecot.org>: > > Please do not assume anything other than what is written, it is a > hypothetical situation > > > A. With the fail2ban solution > - you 'solve' that the current ip is not able to access you > - it will continue bothering other servers and admins > - you get the
2019 Apr 11
5
Mail account brute force / harassment
On 11/04/2019 11:43, Marc Roos via dovecot wrote: > A. With the fail2ban solution > - you 'solve' that the current ip is not able to access you It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot login failures. My firewall is set to log these so I can see that few repeat, those
2010 Jul 02
7
iptables/ blocking brute-force attacks, and so on...
I've just posted this to another list where we were talking about the same old issues we've been plagued with recently - I'd already posted some iptables rules, but added more to it for this... This script probably isn't compatible with anything else, but I don't run anything else. It's also designed to act on the incoming interface, not to run in a router, but