similar to: SIP Blacklisting

after having my own dnsbl feeded by a honeypot and even mod_security supports it for webservers i think dovecot sould support the same to prevent dictionary attacks from known bad hosts, in our case that blacklist is 100% trustable and blocks before SMTP-Auth while normal RBL's are after SASL i admit that i am not a C/C++-programmer, but i think doing the DNS request and in case it has a

... using it as a tool and understanding what it does... So one part of it's toolset identifys valid SIP accounts - and I was under the impression that alwaysauthreject=yes was supposed to stop this... However, it sends a request for a highly probably non-existent account, then sends requests for probably existing accounts and I guess compares the results - account not found vs. bad

On 03/03/2015 11:03 PM, Earl Killian wrote: > On 2015/3/2 10:03, Reindl Harald wrote: >> >> that is all nice >> >> but the main benefit of RBL's is always ignored: >> >> * centralized >> * no log parsing at all >> * honeypot data are "delivered" to any host >> * it's cheap >> * it's easy to maintain >> * it

Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you

Am 02.03.2015 um 18:56 schrieb Robert Schetterer: > perhaps and i mean really "perhaps" go this way > > https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/ > > https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/ > > 45K+ IPs will work in a recent table > i have them too but for smtp only like > >

>>> Perhaps if there was a Asterisk RBL we could all contribute to; for >>> which we could then hook into and drop any connection where a >>> source IP is listed ? -- Thanks, Phil >>> >> >> I love the idea of a RBL... count me in for contributing. >> >> Especially considering the ridiculous response I received from >> Amazon.

My firewall and asterisk pjsip config only has "permit" options for my ITSP's (SIP trunk) IPs. Here's the script that sets it up. -------------------------------------------------- #!/bin/bash EXIF="eth0" /sbin/iptables --flush /sbin/iptables --policy INPUT DROP /sbin/iptables --policy OUTPUT ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -m

Somebody please forward this, if this is not an appropiate place to ask the OpenSSH developers for a new feature. As many of us have seen, any sshd left open on the internet eventually becomes the target of password guessing attacks. I am aware of tools for scanning the security logs, and manipulating iptables to block ongoing attacks, but I am not aware of a way to configure sshd itself to

Hi folks, first of all thanks for Dovecot, I appreciate it a lot. On one of our servers, we experience regular tries to brute force logins, probably based on harvested mail addresses. Now I wonder if dovecot has or could in future have some mechanism to blacklist remote IP addresses after a configurable number of failures to login to any account. Blacklisted IPs could simply be disconnected

Hi, Got some great news a few days ago from Sandro Gauci (@SandroGauci) and we'll be talking about this with him this Friday at 1PM. SIPVicious, the free security tools for SIP scanning, now include a new tool: svcrash. It is aimed at helping system administrators stop bandwidth consuming scans making use of svwar and svcrack. Here is the announcement on SIPViscious blog:

Hi, Does anyone know how I can monitor our server's for blacklisting? We run a large amount of shared hosting & reseller hosting servers and from time to time one of the IP's will get blacklisted. I'm looking for a way to be notified if any of our IP's get blacklisted. Is this possible? -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog:

Hi, Is there any way to automatically block all traffic from IP''s that try more than X number of blocked ports for a preset amount of time? The log I get every morning seems to be getting bigger and bigger with port scans and attempts to access various services, it would be nice if these IP''s could be automatically blocked for like a week or two.. I wouldn''t want

Dave McGuire writes: >> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets >> >> then setup fail2ban to manage extrafields > > Now that's a very interesting idea, thank you! I will investigate this. If you don't expect yor firewall to handle 45K+ IPs, I'm not how you expect dovecot will handle a comma separated string with 45K+ entries any

Does anyone know of a script that can act as a "helper" for Shorewall''s dynamic blacklist capabilities? Briefly said, I''d like to know if someone already wrote a script/program that, e.g., parses log files (/var/log/messages, etc) and picks up for example all IP addresses that failed SSH login more than X times and then executes a command such as shorewall drop

On Fri, 12 Apr 2019, mj wrote: > What we do is: use https://github.com/trick77/ipset-blacklist to block IPs > (from various existing blacklists) at the iptables level using an ipset. "www.blocklist.de" is a nifty source. Could you suggest other publically available blacklists? > That way, the known bad IPs never even talk to dovecot, but are dropped > immediately. We

Hi all, Just out of curiosity: is there anything we can do, on the samba side, to counter the recent ransomware attacks? (or limit the damage done) I'm thinking like: limit the number of files per second a client (workstation) is allowed to edit, or some other smart tricks..? It would be nice if samba could be an extra layer of defense. Something perhaps a vfs module could help with..?

Some lists and emails are distributed via ns1.samba.org. For those of you that use ORBS, you'll find it is blacklisted now. There is no mention of it on the website and it doesn't return a positive when you enter it for testing but it has slipped into the ORBS blacklist somewhere. Samba.org admins may wish to force all ns1 outbound email via another netblock, bringing it up to ORBS only

Hi, how can a specific device driver in CentOS 7 be blacklisted, so that it doesn't load at boot time? We have Infiniband adapters which are not completely supported by CentOS and we want to silence the error messages for the time being. I tried with the files /etc/modprobe.d/blacklist /etc/modprobe.d/blacklist.conf and with entries mlx5_core mlx5_ib blacklist

-------- Original Message -------- Subject: Re: [CentOS] ipset and blacklisting From: "Albert McCann" <mac358 at newsguy.com> Date: Wed, September 21, 2016 5:34 am To: "'CentOS mailing list'" <centos at centos.org> How are you saving and reloading the ipsets over a reboot? > -----Original Message----- > From: centos-bounces at centos.org

On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: > On 12.4.2019 10.34, James via dovecot wrote: >> On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: >> >>> Weakforced uses Lua so you can easily integrate DNSBL support into it. >> How does this help Dovecot block? >> A link to some documentation or example perhaps? >> >> >