dealing with dictionary attacks

davor davor at oscecro.org
Mon Mar 5 12:24:48 CET 2007


Why don't you give a try to

http://www.ossec.net/

OSSEC does the blocking with IPTABLES.

Regards

davor


>>> Dhawal Doshy <dhawal at netmagicsolutions.com> 3/5/2007 11:46 AM >>>
--[ UxBoD ]-- wrote:
> On Mon, 05 Mar 2007 15:50:48 +0530
> Dhawal Doshy <dhawal at netmagicsolutions.com> wrote:
> 
>> --[ UxBoD ]-- wrote:
>>> On Mon, 05 Mar 2007 01:52:28 -0800
>>> Chris Yuzik <itdept at fractalweb.com> wrote:
>>>
>>>> We're beginning to really try to harden our external mail server. 
>>>> MailScanner is generally doing great.
>>>>
>>>> As I watch my maillog data flow up my screen, I'm seeing tons of "...
>>>> User unknown" messages and many of them are coming from a handful of IP
>>>> addresses. Obviously, I would like the server's bandwidth and cpu cycles
>>>> to be used for more productive things than dealing with what is (likely)
>>>> a zombie machine running through a list of possible accounts at our domain.
>>>>
>>>> Is there a trustworthy milter that will say, for example, "15 bad email
>>>> addresses to our server within an hour and bang...the sender is
>>>> blacklisted for say 36 hours"?
>>>>
>>>> Thanks
>>> http://policyd.sourceforge.net/
>> You do not need a policy server for this.. simply use 
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he is 
>> a sendmail user..
>>
>> Now for the OP:
>> Did you even google for "your_mta dictionary attack" before asking the 
>> list? for sendmail here are the first and second links from google.
>> http://www.technoids.org/dossed.html#3.2
>> http://notbrainsurgery.livejournal.com/23066.html
> Dhawal,
> 
> I agree that smtp_hard_error_limit could be used, but the OP is asking
> about blocking the remote MTA for a period of time.
> Yes, it does look like the OP is using Sendmail so Policyd would not work
> anyway ;)

Oops, as usual I love to be trigger happy..

SEC/Swatch can be used for something like this, example:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore

You can eliminate the database and rbldnsd and start appending "IP:Deny
#Timestamp" to /etc/mail/access (in the correct format for sendmail) and
write a cron script to clean up older entries based on the timestamp.
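A cron-driven version of the access-file approach described above, as an added example that is not from the thread, from SEC/Swatch or from MailScanner: it counts "User unknown" rejections per relay IP over a batch of sendmail maillog lines, appends Connect:IP REJECT entries to an in-memory copy of /etc/mail/access, and expires entries older than the OP's 36 hours. The log lines are constructed, the per-IP threshold and the "# dictattack added=<epoch>" marker comment are my own convention (sendmail does not allow a trailing comment on the entry line itself), and rebuilding access.db with makemap is left to the caller.

```python
import re
from collections import Counter

# Constructed sendmail maillog lines (not from the thread): three "User unknown"
# rejections from 192.0.2.10, one from 198.51.100.7, and one normal delivery.
SAMPLE_MAILLOG = """\
Mar  5 11:40:01 mx sendmail[4101]: l25Ae1Xq004101: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.com>... User unknown
Mar  5 11:40:02 mx sendmail[4101]: l25Ae2Xq004101: ruleset=check_rcpt, arg1=<abby@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.com>... User unknown
Mar  5 11:40:04 mx sendmail[4101]: l25Ae4Xq004101: ruleset=check_rcpt, arg1=<adam@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.com>... User unknown
Mar  5 11:41:10 mx sendmail[4133]: l25AfAXq004133: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mail.example.org [198.51.100.7], reject=550 5.1.1 <bob@example.com>... User unknown
Mar  5 11:42:00 mx sendmail[4140]: l25Ag0Xq004140: to=<carol@example.com>, delay=00:00:01, mailer=local, relay=[192.0.2.10], stat=Sent
"""

# Relay IP of a rejected RCPT; sendmail logs "relay=[ip]" or "relay=host [ip]".
USER_UNKNOWN = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\].*User unknown")
MARKER = re.compile(r"# dictattack added=(\d+)$")  # our own convention, not sendmail's

def offending_ips(log_lines, threshold):
    """IPs with at least `threshold` 'User unknown' rejections in this log batch."""
    hits = Counter(m.group("ip") for m in map(USER_UNKNOWN.search, log_lines) if m)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def access_entries(ips, now):
    """Timestamp goes on a comment line above the entry: the value after a
    Connect: key must be just REJECT, so no trailing comment on that line."""
    return [line for ip in ips for line in (f"# dictattack added={now}", f"Connect:{ip}\tREJECT")]

def expire_entries(access_lines, now, ttl_seconds):
    """Drop marker-comment + Connect: pairs older than ttl_seconds; keep the rest."""
    kept, i = [], 0
    while i < len(access_lines):
        m = MARKER.match(access_lines[i])
        if m and i + 1 < len(access_lines):
            if now - int(m.group(1)) < ttl_seconds:
                kept += access_lines[i:i + 2]
            i += 2
        else:
            kept.append(access_lines[i])
            i += 1
    return kept

def update_access(access_lines, log_lines, now, threshold=15, ttl_seconds=36 * 3600):
    """One cron run: expire old blocks, then block new offenders not already listed.
    Caller writes the result to /etc/mail/access and runs makemap to rebuild access.db."""
    lines = expire_entries(access_lines, now, ttl_seconds)
    present = {l.split("\t")[0] for l in lines if l.startswith("Connect:")}
    new = [ip for ip in offending_ips(log_lines, threshold) if f"Connect:{ip}" not in present]
    return lines + access_entries(new, now)
```

Feed it only the log lines since the previous run (or the last hour's worth) so the threshold approximates the OP's "15 within an hour".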
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.