Displaying 20 results from an estimated 1300 matches similar to: "Find a way to block brute force attacks."
2009 Jul 20
0
No subject
At least once a week I receive such an attack coming from a different IP.
I will read the articles. Thanks again to everyone.
Regards,
Rodrigo Lang.
2010/6/29 Kenny Watson <kwatson at geniusgroupltd.com>
> Hi, you can use fail2ban
>
2007 Apr 08
2
IP Tables block for POP3 attacks with Dovecot
Has anyone implemented a script to block IPs which are attacking on POP3
ports using dovecot logs to indicate repetitive failed login attempts?
sshblack does this nicely for ssh (port 22) attacks by monitoring the
/var/log/secure file. I am considering rewriting this to POP3 port
(110), but if it has already been done, I sure don't need the practice.
Thanks!
2010 Apr 12
1
Flood of REGISTERs - attack?
I'm currently receiving over 200 SIP REGISTER requests per second from a
machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
This has continued for several days, and abuse at staff.aruba.it are
unresponsive. I've had a couple of similar incidents recently, the
others originating from uk2.net.
I have an ADSL connection and responding to these REGISTERS was
consuming all
2012 Apr 17
1
Preventing brute force password attacks
I was hoping to set up fail2ban to block IP addresses that generate
too many Samba password failures, but it needs a syslog message with
the IP address of the computer that failed password authentication.
Unfortunately, Samba doesn't seem to do this in my environment. Here's
a sample error message:
smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
I
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
For many years I've been running ssh reverse tunnels on portable Linux,
OpenWRT, Android etc. hosts so they can be accessed from a server whose
IP is stable (I call such a server a "nexus host"). Increasingly there's
a problem with brute force attacks on the nexus host's tunnel ports. The
attack is forwarded to the portable tunneling host, where it fails, but
it chews up
2010 Jan 11
2
Securing http authentication from brute force attacks
We have several web applications deployed under Apache that require
a user id / password authentication. Some of these use htdigest and
others use the application itself.
Recently we have experienced several brute force attacks against
some of these services which have been dealt with for the nonce by
changes to iptables. However, I am not convinced that these changes
are the answer.
Therefore
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP
addresses, basically to help prevent brute force attacks on the
server.
Right now I'm using denyhosts which scans /var/log/secure for
authentication failures which then can add an entry to
/etc/hosts.deny, but since dovecot doesn't have tcp wrappers support,
that doesn't do anything.
It doesn't look like I can
2010 Jul 01
2
Brute force attacks
Hi
We've just noticed attempts (close to 200000 attempts, sequential peer
numbers) at guessing peers on 2 of our servers and thought I'd share the
originating IPs with the list in case anyone wants to firewall them as
we have done
109.170.106.59
112.142.55.18
124.157.161.67
Ish
--
Ishfaq Malik
Software Developer
PackNet Ltd
Office: 0161 660 3062
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested:
> Subject: how to block brute force attacks on reverse tunnels?
> From: Steve Newcomb <srn at coolheads.com>
> Date: 25.04.24, 17:14
>
> For many years I've been running ssh reverse tunnels on portable Linux,
> OpenWRT, Android etc. hosts so they can be accessed from a server whose
> IP is stable
2009 May 14
6
Dealing with brute force attacks
Over the weekend one of our servers at a remote location was
hammered by an IP originating in mainland China. This attack was
only noteworthy in that it attempted to connect to our pop3 service.
We have long had an IP throttle on ssh connections to discourage
this sort of thing. But I had not considered the possibility that
other services were equally at risk. Researching this on the web
does
2010 Oct 04
1
asterisk-users Digest, Vol 75, Issue 2
Date: Fri, 1 Oct 2010 18:40:40 -0300
From: Rodrigo Lang <rodrigoferreiralang at gmail.com>
Subject: Re: [asterisk-users] AMI Originate
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users at lists.digium.com>
Message-ID:
<AANLkTikV+32vKVSkAFmkDciOPn+rO=k3jYJmsZLNj1QS at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
3
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall:
http://blog.andrew.net.au/tech
I see tons of brute force attempts on the machines I administer, and I like
the idea of limiting them without the need for extra daemons scanning for
attacks.
Thanks,
Dale
--
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin
2008 Jan 30
5
One approach to dealing with SSH brute force attacks.
Message-ID: <479F2A63.2070408 at centos.org>
On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org>
Subject Was: [CentOS] Unknown rootkit causes compromised servers
>
> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see
> 4% of the brute force attempts to login on ports other than 22.
>
> I would say that dropping brute force
2010 Jul 02
7
iptables/ blocking brute-force attacks, and so on...
I've just posted this to another list where we were talking about the same
old issues we've been plagued with recently - I'd already posted some
iptables rules, but added more to it for this...
This script probably isn't compatible with anything else, but I don't run
anything else. It's also designed to act on the incoming interface, not to
run in a router, but
2011 Feb 24
1
extensions.lua with luasql.mysql.
Hi to all!
I'm trying to create a context for integration with extensions.lua and
libsql.mysql, but I'm not getting to run. When I reload the module
pbx_lua.so the following error appears:
[Feb 24 16:59:29] ERROR[30749]: pbx_lua.c:1249 exec: Error executing lua
extension: error loading module 'luasql.mysql' from file
'/usr/lib/lua/5.1/luasql/mysql.so':
2008 Jul 21
20
Ideas for stopping ssh brute force attacks
just wanted to get some feedback from the community. Over the last few
days I have noticed my web server and email box have attempted to ssh'd to
using weird names like admin,appuser,nobody,etc.... None of these are
valid users. I know that I can block sshd all together with iptables but
that will not work for us. I did a little research on google and found
programs like sshguard and
2010 Dec 01
3
Abandon events in cdr
>
> Sorry, of course cdr.conf not queues.conf. marcus
>
> Am 01.12.2010 19:16 schrieb "marcus rothe" <synco16 at googlemail.com>:
>
>
> Hi Rodrigo, have you got enabled the appropriate line in queues.conf?
> Regards Marcus
>
>
Thanks very much,
I included the line "unansweredy=yes" in the cdr.conf and solved the problem.
Thanks again!
--
2009 Jun 04
3
Dovecot under brute force attack - nice attacker
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
Dovecot Version 1.0.7 (CentOS 5.2)
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed and reopened the connection
after every user/password combination the logs showed
many lines like
2011 Mar 17
0
Asterisk not logging originating IP of a brute force attack
Why do attacks from the Internet get shown in the Asterisk logs with
myAsteriskServerIP instead of the attacker's IP?! Really useful for
blocking them, that is... Example:
[Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user
5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae
(I replaced our IP address with myAsteriskServerIP. The attacks are not
coming from
2009 Jun 02
3
Dovecot under brute force attack - nice attacker
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed and reopened the connection
after every user/password combination the logs showed
many lines like this:
dovecot: pop3-login: Aborted