similar to: Dovecot under brute force attack - nice attacker

Displaying 20 results from an estimated 6000 matches similar to: "Dovecot under brute force attack - nice attacker"

2009 Jun 04
3
Dovecot under brute force attack - nice attacker
Hi List, optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior. Dovecot Version 1.0.7 (CentOS 5.2) The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like
2009 Jun 05
4
Under POP attack - now to prevent?
Looks like we are under a dictionary login attack on our POP server: Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Jun
2011 Mar 17
0
Asterisk not logging originating IP of a brute force attack
Why do attacks from the Internet get shown in the Asterisk logs with myAsteriskServerIP instead of the attacker's IP?! Really useful for blocking them, that is... Example: [Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae (I replaced our IP address with myAsteriskServerIP. The attacks are not coming from
2008 Jan 30
5
One approach to dealing with SSH brute force attacks.
Message-ID: <479F2A63.2070408 at centos.org> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org> Subject Was: [CentOS] Unknown rootkit causes compromised servers > > SOME of the script kiddies check higher ports for SSH *_BUT_* I only see > 4% of the brute force attempts to login on ports other than 22. > > I would say that dropping brute force
2012 Jun 14
2
Sendmail SMTP Brute-Force Attack
Dear CentOS Community Is totally clear there's no support sendmail platform today, but I need to stop SMTP brute-force attack on sendmail. My server is attacked today, my maillog look like : 4624 at myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1] Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958, class=0, nrcpts=1,
2008 Jun 30
5
sip extension compromised, need help blocking brute force attempts
Hello, yesterday one of the extensions on my asterisk server got compromised by brute-force attack. The attacker used it to try to pull an identity theft scam playing a recording from a bank "your account has been blocked due to unusual activity, please call this number..." Attacker managed to make lots of calls for around 8 hours before I detected it and changed the password for that
2008 Aug 27
2
Logwatch doesn't report on dovecot
Hi List, Centos 5(.2) ships with dovecot-1.0.7-2.el5 and logwatch-7.3-6.el5 However the shipped logwatch is not aware of dovecot 1.x meaning none of the log entries (var/log/maillog) are processed at all. Should I file a bug report on this? Upstream? cheers Henry
2008 Sep 29
2
scp partition "not a regular file"
Hi list, should it be possible to scp a partition with this command: scp /dev/sda7 backupserver:/backup/sda7.img I always get "not a regular file" - which is a clear and understandable error, but my googling tells me that some people are doing this - and it seems to work - at least at their systems. I know that I can avoid this by simply doing dd if=/dev/sda7 | ssh backupserver dd
2005 Dec 19
7
Brute Force Detection + Advanced Firewall Policy
Any BFD/AFP software available for FreeBSD 4.10? I'm getting flooded with ssh and ftp attempts.
2011 Apr 05
2
Iptables configuration to handle brute force registrations?
fail2ban might be good for this. On 04/05/2011 01:00 PM, asterisk-users-request at lists.digium.com wrote: > > Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT) > From: Steve Edwards<asterisk.org at sedwards.com> > Subject: Re: [asterisk-users] Iptables configuration to handle brute > force registrations? > > On Tue, 5 Apr 2011, Gilles wrote: > >> I'm no expert
2007 Oct 02
2
plot question
Hello, I have a question about how to plot a series of data. The following is my data matrix of n > n 25p 5p 2.5p 0.5p 16B-E06.g 45379 4383 5123 45 16B-E06.g 45138 4028 6249 52 16B-E06.g 48457 4267 5470 54 16B-E06.g 47740 4676 6769 48 37B-B02.g 42860 6152 19276 72 35B-A02.g 48325 12863 38274 143 35B-A02.g 48410 12806 39013 175 35B-A02.g 48417 9057 40923
2023 Sep 09
1
Failed to join domain: failed to find DC for domain...
On Sat, 9 Sep 2023 14:01:34 -0400 Rob Campbell via samba <samba at lists.samba.org> wrote: > > Why can it not find a DC ? Is there a firewall or similar running ? > > > > I have opened the firewall on the DC. Which ports do I need to open > on the DM? Apparently I have nothing opened on the DM but I opened > the required ports according to >
2019 Apr 12
1
Mail account brute force / harassment
On Fri, 12 Apr 2019, mj wrote: > What we do is: use https://github.com/trick77/ipset-blacklist to block IPs > (from various existing blacklists) at the iptables level using an ipset. "www.blocklist.de" is a nifty source. Could you suggest other publicly available blacklists? > That way, the known bad IPs never even talk to dovecot, but are dropped > immediately. We
2023 Sep 09
1
Failed to join domain: failed to find DC for domain...
[Sat Sep 09 15:09:09] [root at D01~/.bin$]net ads join -U administrator Password for [HOME\administrator]: get_kdc_ip_string: get_kdc_list (site-less) fail NT_STATUS_NO_LOGON_SERVERS kerberos_kinit_password administrator at HOME.ROB-CAMPBELL.LAN failed: Cannot contact any KDC for requested realm kerberos_kinit_password D01$@HOME.ROB-CAMPBELL.LAN failed: Cannot contact any KDC for requested realm
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can
2006 Mar 28
1
can rsync delete only one file in one command? is it a bug?
I want to call rsync from java webserver in Linux. situation as below: source directory: 001.doc 002.doc /D01/001.doc /D01/002.doc /D01/D11/001.doc /D02/001.doc destination directory: 001.doc 003.doc 004.doc /D01/001.doc /D01/003.doc /D01/004.doc /D01/D11/003.doc /D02/003.doc now, I want to only delete /003.doc when synchronization, no add, no update, This exclude works: rsync -avzu
2010 Jan 11
2
Securing http authentication from brute force attacks
We have several web applications deployed under Apache that require a user id / password authentication. Some of these use htdigest and others use the application itself. Recently we have experienced several brute force attacks against some of these services which have been dealt with for the nonce by changes to iptables. However, I am not convinced that these changes are the answer. Therefore
2023 Sep 09
1
Failed to join domain: failed to find DC for domain...
On Sat, 9 Sep 2023 11:29:53 -0400 Rob Campbell via samba <samba at lists.samba.org> wrote: > > > > It looks like DNS is failing, does /etc/resolv.conf look like this: > > > > search home.rob-campbell.lan > > nameserver A.DC.IPADDRESS > > > > This is what it looks like in this order (if that matters) > nameserver 10.0.0.10 > nameserver
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up
2023 Sep 09
1
Failed to join domain: failed to find DC for domain...
On Sat, 9 Sep 2023 15:11:20 -0400 Rob Campbell via samba <samba at lists.samba.org> wrote: > [Sat Sep 09 15:09:09] [root at D01~/.bin$]net ads join -U administrator > Password for [HOME\administrator]: > get_kdc_ip_string: get_kdc_list (site-less) fail > NT_STATUS_NO_LOGON_SERVERS kerberos_kinit_password > administrator at HOME.ROB-CAMPBELL.LAN failed: Cannot contact any KDC