similar to: Securing http authentication from brute force attacks

Over the weekend one of our servers at a remote location was hammered by an IP originating in mainland China. This attack was only noteworthy in that it attempted to connect to our pop3 service. We have long had an IP throttle on ssh connections to discourage this sort of thing. But I had not considered the possibility that other services were equally at risk. Researching this on the web does

Message-ID: <479F2A63.2070408 at centos.org> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org> Subject Was: [CentOS] Unknown rootkit causes compromised servers > > SOME of the script kiddies check higher ports for SSH *_BUT_* I only see > 4% of the brute force attempts to login on ports other than 22. > > I would say that dropping brute force

Hi guys, I've planning out my upgrade to CentOS4 and one of my plans for security is to impliment the mod_security apache module to filter out unwanted malicious intent. Not having used it before, I wanted to see if anyone here has implimented it and did it block any legit traffic or cause resource traffic/serious slowdowns of their systems? I've asked on the forum about secure

CentOS-6.5 httpd-2.2.15 (centos) I am trying to understand how directory access control works in Apache-2.2. Does a means exist to revoke access in a subdirectory if access has been granted in a higher one? We restrict access to the entire site via htdigest but some directories are need to be further restricted by the group a user is assigned to. I have this situation: <Directory />

Hi, I'm currently fiddling with mod_security, and before going any further, I simply wanted to ask here for any recommended documentation/tutorials on the subject. There seems to be a lot of information about mod_security out there, and right now I have a bit of a hard time wrapping my head around it. I'm grateful for any suggestions. Cheers, Niki Kovacs -- Microlinux - Solutions

I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can

When a web site is attacked, so far by unsuccessful hackers, my error routine adds the attackers IP address, prefixed by 'deny', to that web site's .htaccess file. It works and the attacker, on second and subsequent attacks, gets a 403 error response. I want to extend the exclusion ability to every web site hosted on a server. My preferred method is iptables. However, when

For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up

I was hoping to set up fail2ban to block IP addresses that generate too many Samba password failures, but it needs a syslog message with the IP address of the computer that failed password authentication. Unfortunately, Samba doesn't seem to do this in my environment. Here's a sample error message: smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus ! I

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable

I want to add mod_security to my Apache server running CentOS 5.3 and am trying to find a repository to get it from. I found it in EPEL, but they have version 2.1.7, which is over a year old according to what I found on the modsecurity.org website. Is there a repository which is keeping this up to date? Or should I just build it from source? -- Bowie

Hi We've just noticed attempts (close to 200000 attempts, sequential peer numbers) at guessing peers on 2 of out servers and thought I'd share the originating IPs with the list in case anyone wants to firewall them as we have done 109.170.106.59 112.142.55.18 124.157.161.67 Ish -- Ishfaq Malik Software Developer PackNet Ltd Office: 0161 660 3062 -------------- next part

Hello list. I'm trying to find a way to block any ip that tries to login more than three times with the wrong password and try to log in three different extensions. For I have suffered some brute force attacks on my asterisk in the morning period. The idea would be: Any ip with three attempts without success to log into an extension is blocked. Is there any way to accomplish this directly

I installed mod_security yesterday. Unbelievable the amount of crap it will stop in 24 hrs. Picked up the rpm at http://rpm.pbone.net This should be made part of the CentOS extra, contribs or whatever!!

after having my own dnsbl feeded by a honeypot and even mod_security supports it for webservers i think dovecot sould support the same to prevent dictionary attacks from known bad hosts, in our case that blacklist is 100% trustable and blocks before SMTP-Auth while normal RBL's are after SASL i admit that i am not a C/C++-programmer, but i think doing the DNS request and in case it has a

Hello, We're migrating a webserver from RedHat 7.x to CentOS 4.2. In the process, we'd like to improve security. We're currently planning on making sure SELinux is enabled, mounting the /tmp partition noexec, and running PHP in safe mode, hide_errors on, register_globals off by default. vsftpd is set to chroot logins. I've seen Apache run inside a chroot jail, but that

I was wondering if anyone had implemented rules like this in shorewall: http://blog.andrew.net.au/tech I see tons of brute force attempts on the machines I administer, and I like the idea of limiting them without the need for extra daemons scanning for attacks. Thanks, Dale -- Dale E. Martin - dale@the-martins.org http://the-martins.org/~dmartin

So I have this nice, simple web server up running. Its purpose is to allow me external testing with HIP, and to provide some files for external distribution. Of course, there it is sitting on port 80 and the attacks are coming in per logwatch report. Examples from the report include: Requests with error response codes 404 Not Found //phpMyAdmin-2.5.1/scripts/setup.php: 1

Hi List, optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior. Dovecot Version 1.0.7 (CentOS 5.2) The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like

Hi List, optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior. The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this: dovecot: pop3-login: Aborted