similar to: Harvesting and Dictionary attacks

Displaying 20 results from an estimated 6000 matches similar to: "Harvesting and Dictionary attacks"

2013 Apr 06
13
script to detect dictionary attacks
Hi, has someone a script which can filter out dictionary attacks from /var/log/maillog and notify about the source-IPs? I know about fail2ban and so on, but I would like to have a mail with the IP address for two reasons and avoid fail2ban at all because it does not match in the way we maintain firewalls * add the IP to a distributed "iptables-block.sh" and distribute it to any
2010 Mar 12
3
how to monitor, or be notified of email blacklisting?
Hi, Does anyone know how I can monitor our servers for blacklisting? We run a large amount of shared hosting & reseller hosting servers and from time to time one of the IPs will get blacklisted. I'm looking for a way to be notified if any of our IPs get blacklisted. Is this possible? -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog:
2020 Apr 22
2
Recommendations on intrusion prevention/detection?
> On 22. Apr 2020, at 19.14, Michael Peddemors <michael at linuxmagic.com> wrote: > The three most common attack vectors, (and attack volumes have never been higher) are: > > * Sniffed unencrypted credentials > (Assume every home wifi router and CPE equipment are compromised ;) > * Re-used passwords where data is exposed from another site's breach > (Users WANT to
2010 Nov 10
1
dovecot dictionary attacks
Hi, I've been using dovecot for a while and it's been solid, however I've been having some issues with dictionary attacks. I installed fail2ban and for the most part it is working fine. However today I got another spammer relaying through my server. Looking at the logs I see the following dictionary attack from 94.242.206.37 Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37,
2008 Jan 21
5
denyhosts-like app for MySQLd?
Hi all, Is there any app like denyhosts[1] but intended for MySQLd service? We have a mysql port (3306) opened for remote connections, and obviously the /var/db/mysql/machine_name.log is full of these kinds of entries: ........... 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES) 936013 Connect Access denied for user
2006 Mar 22
1
mixed ordinal logistic regression
Dear Colleagues, I hope to know how ordinal logistic regression with a mixed model is made in R. We (My colleague and I) are studying the behavior of a beetle. The attraction of beetles to a stimulus is recorded: the response is Slow, Mid, or Fast. They are based on the time after the presentation of the stimulus to the beetles. Because we do not observe the behavior continuously but do
2012 Apr 25
5
Does SMTP Connection Drop When Postfix Reload is Issued?
Dear Community Friends, Greetings. I work with an ISP; we host email service for almost 500+ companies, and 200+ mail servers relay through my smart host. I implemented something so that when our smart host becomes blacklisted, it will automatically switch to the next available smart host (which is sitting ready). That means it will start relaying messages through another smart host automatically. I think I
2007 Aug 30
28
Multi-ISP Masquerade?
Mike Lander wrote: > I am building a shorewall box that the last post has the SSH error and > wanted > some feedback from the list if possible. At first I thought the two ISP's > I > building this > for had two T-1's with FQ ip's as it. I have the box built for this ready > to > go. > Now I find out that one of the T-1's is
2010 Feb 01
1
nut mailing-list used by spammers
Hi, FYI, I started receiving spam to the email address I use only for this mailing-list, about one week after I posted a couple messages onto it. So the nut mailing-list is definitely used by spammers for email addresses harvesting :-( -- Michel Bouissou <michel at bouissou.net> OpenPGP ID 0xEB04D09C
2014 Jun 17
3
RFE: dnsbl-support for dovecot
After having my own dnsbl fed by a honeypot, and even mod_security supports it for webservers, I think dovecot should support the same to prevent dictionary attacks from known bad hosts. In our case that blacklist is 100% trustable and blocks before SMTP-Auth while normal RBLs are after SASL. I admit that I am not a C/C++-programmer, but I think doing the DNS request and in case it has a
2008 Aug 15
3
POP3 dictionary attacks
I'm seeing strings of failed POP3 login attempts with obvious bogus usernames coming from different IP addresses. Today's originated from 216.31.146.19 (which resolves to neovisionlabs.com). This looks like a botnet attack. I got a similar probe a couple days ago. Is anyone else seeing these? The attack involves trying about 20 different names, about 3-4 seconds apart. Here's a
2006 Jun 27
1
Postfix "userlookup" via Dovecot Auth
I'm hoping to take advantage of authentication caching via dovecot-auth. I see that postfix can communicate with Dovecot-Auth, via SASL, but from what I can see, postfix only does this for authentication checks. Not 100% sure how postfix handles virtual_transport (I assume it needs to do a lookup via virtual_mailbox_maps), but I can't see any way to get virtual_mailbox_maps to use
2006 Aug 16
1
Email dictionary attacks and firewall
I keep seeing 'Joe Average compromised computer on broadband' being used to do email dictionary attacks on our systems. Seems I always have several domains going through these. One in particular has been in the 'a-' list for weeks with about 20,000 attempts per day from various systems. Yeah, I do have a system which blocks email from these systems for a period of time after 3
2005 Oct 02
11
Repeated attacks via SSH
Everyone: We're starting to see a rash of password guessing attacks via SSH on all of our exposed BSD servers which are running an SSH daemon. They're coming from multiple addresses, which makes us suspect that they're being carried out by a network of "bots" rather than a single attacker. But wait... there's more. The interesting thing about these attacks is that
2004 Feb 28
8
Looking for a Volunteer
The 2.6 kernel series includes Netfilter 'physdev' match support. That support makes it feasible for Shorewall to support bridge/firewall configurations. I'm looking for early testers of such support. Requirements: a) Willing to run Shorewall 2.0.0-RC1 or later (RC1 will be released in a day or so) plus private updates. b) Running a 2.6 kernel or a 2.4 kernel with
2008 Mar 12
4
outlook2003 fails sasl authentication
Hello all, I have postfix running with dovecot-sasl and mysql as a backend. It all runs well. I run into trouble where Outlook 2003 fails to authenticate when sending e-mail. I have Thunderbird, Outlook 2007 and 2003 clients. The Thunderbird and 2007 clients are working OK; the Outlook 2003 client gets the relay access denied message. In the postfix log I see it is not initiating sasl they all
2010 Jul 06
2
Logwatch with Postfix and Amavisd-new
I'm trying to get usable reports out of logwatch on this new system. Looks like the reports are running in an 'unformatted' mode under Postfix/Amavisd. I found a couple of programs, postfix-logwatch and amavisd-logwatch. These sound promising. I am running Amavisd as the frontend to Postfix. Is anybody running either of these as a logwatch filter? If so, is it repetitive to run
2005 Jan 25
9
Ftp Broken in Dmz
I have had a web server listening on sql-1433, www 80, ftp-21 using proxy arp with sub-netting in a three interface DMZ. All these ports are in the rules file as ACCEPT. With one exception: 1433 allows a few hosts from the net. 21 and 80 allow all net to dmz connections. The policy is DMZ to net ACCEPT. This has been working great for about a month or more until I rebooted the
2004 Dec 07
16
Dmz
Hey Tom, I have successfully set up two servers on a Dmz practice network woohoo :). If I take out the proxyarp option in /etc/shorewall/interfaces then Dmz can ping outside ip's on the net but not any of my servers on network 66.224.62.96/27 (other than its own gateway server 66.224.62.120). The reason I ask is to learn. I thought I would not need the proxyarp option for this to
2007 Nov 30
3
How to delete mails in the mailq in ONE DAY -- POSTFIX
I am running postfix on Centos 4.4 as a Mailgateway. It only accepts mails for domains and then forwards mails to Lotus domino Server. All clients send outgoing mails to that Lotus domino Server. Then, that Lotus Domino Server sends mails to the Postfix mailgateway. This postfix mailgateway sends mails to all the destinations. But this Postfix mailgateway has about 150 messages in the mailq. Some