On Sat, 6 Apr 2013, Reindl Harald wrote:
On 06.04.2013 22:55, Max Pyziur wrote:
On Sat, 6 Apr 2013, Reindl Harald wrote:
has someone a script which can filter out dictionary attacks from /var/log/maillog and notify about the source-IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons and avoid fail2ban at all because it does not match in the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write an abuse-mail to the ISP
Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?
That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall.
i don't know but in fact i do not want to rely on automatisms and blacklists
CBL is fairly reliable; you can screen it based on originating countries (I use ip2cc available from perl-IP-Country-2.27-1.el6.noarch to find the originating country for particular ips). I'm tentatively using OpenBL to block dictionary attacks by way of ssh.
By way of logwatch, I see enough dictionary attacks on dovecot; I take those ips and hope to use them soon to block dovecot attacks. The problem is the "aging": there needs to be a mechanism that determines whether or not an ip continues to be a threat. The BLs are good for that - once an ip or, say, the first three octets, diminish in frequency of attacks, then based on some threshold that you set, you can remove that ip (or set of ips) as a hostile threat to a particular service that you are running on your server/servers.
sometimes i recognize a dictionary attack because "tail -f" on the mailserver is running in background and after coming back from a cigarette break i look at the output for a minute and if i see attacks i add the IP after a whois to "iptables-block.sh"
so i do not want to rely on automagic and if some IP is added to whatever blacklist hours or days later, i want simply a one-time mail notify to look NOW in maillog and take action or ignore it depending on the count and source
if it is some ISP from a country far away -> block it; if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (Austria) -> only abuse mail to the ISP
I understand the logic; I set a low threshold to label something being a threat for anything originating in China; the threshold is higher for things closer to home, since most of the traffic to the one server I control is from there.
MP pyz@brama.com
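The maillog filter asked for at the top of the thread, written out as an added example; it is not code from either poster. It assumes dovecot 2.x "auth failed ... rip=" login lines and postfix smtpd "SASL ... authentication failed" lines, counts failures per source IP, and reports each IP once (a state file remembers what was already reported, so the mail goes out one time per IP as Reindl wants, and the recorded timestamps give a starting point for the "aging" Max mentions). The sample log lines, the log path and the mail command are constructed placeholders for your own server.

```shell
#!/bin/sh
# Added example (not from the thread): summarise dovecot/postfix auth failures
# in a maillog and report source IPs that reach a threshold, once per IP.
# Assumed line formats: dovecot 2.x "Disconnected (auth failed, N attempts ...): ... rip=A.B.C.D"
# and postfix "smtpd[pid]: warning: host[A.B.C.D]: SASL LOGIN authentication failed".

# Print "count ip" for every source IP whose failed logins in $1 reach $2,
# highest count first. Dovecot states the attempt count in the line itself,
# postfix writes one line per failed attempt.
report_attackers() {
    awk -v min="$2" '
        /dovecot:/ && /auth failed/ {
            n = 1
            if (match($0, /auth failed, [0-9]+ attempts/)) {
                split(substr($0, RSTART, RLENGTH), a, " ")
                n = a[3]
            }
            if (match($0, /rip=[0-9.]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)
                fails[ip] += n
            }
            next
        }
        /postfix\/smtpd/ && /SASL/ && /authentication failed/ {
            # require a dotted quad so the [pid] after smtpd is not taken as an IP
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                fails[ip] += 1
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print fails[ip], ip
        }
    ' "$1" | sort -rn
}

# Print only the offenders not yet recorded in state file $3, and record them
# there as "ip timestamp count" so each IP is notified about exactly once.
new_offenders() {
    state="$3"
    touch "$state"
    report_attackers "$1" "$2" | while read -r count ip; do
        if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$state"; then
            printf '%s %s %s\n' "$ip" "$(date +%Y-%m-%dT%H:%M:%S)" "$count" >> "$state"
            printf '%s %s\n' "$count" "$ip"
        fi
    done
}

# Constructed sample maillog (documentation addresses, not real attackers).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG.state"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr  6 22:10:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, session=<aBc>
Apr  6 22:10:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10
Apr  6 22:11:30 mail postfix/smtpd[4312]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr  6 22:11:31 mail postfix/smtpd[4312]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr  6 22:12:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<max>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10
Apr  6 22:12:05 mail dovecot: imap-login: Login: user=<max>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10
EOF

# Dry run: print the report instead of mailing it. From cron on a real server
# you would pipe new_offenders into e.g.  mail -s "dictionary attack on $(hostname)" root
# with /var/log/maillog as the log and a persistent state file.
echo "new offenders (threshold 2):"
new_offenders "$SAMPLE_LOG" 2 "$SAMPLE_LOG.state"
```

With the sample above the report lists 203.0.113.45 with 4 failures and 198.51.100.7 with 2; the single failed attempt from 192.0.2.77 stays below the threshold, and a second run against the same state file reports nothing, because both IPs are already recorded.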