[Dovecot] script to detect dictionary attacks

Reindl Harald h.reindl at thelounge.net
Sun Apr 7 00:00:49 EEST 2013



Am 06.04.2013 22:55, schrieb Max Pyziur:
> On Sat, 6 Apr 2013, Reindl Harald wrote:
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
>>
>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
>>
>> * add the IP to a distributed "iptables-block.sh" and distribute
>>  it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
> 
> Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating
> attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL
> (http://www.openbl.org/lists.html) does for ssh (primarily)?
> 
> That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to
> populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that
> have open ports in the firewall.

i don't know, but in fact i do not want to rely on automatisms and blacklists

sometimes i recognize a dictionary attack because "tail -f" on the mailserver
is running in the background, and after coming back from a cigarette break i look
at the output for a minute; if i see attacks i add the IP, after a whois, to
"iptables-block.sh"

so i do not want to rely on automagic and if some IP is added to whatever
blacklist hours or days later, i want simply a one-time mail notify to
look NOW in maillog and take action or ignore it depending on the
count and source

if it is some ISP from a country far away -> block it
if it is the fifth attempt from this ISP -> block the whole subnet

if it is a major ISP of the country i live in (Austria) -> only an abuse mail to the ISP
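A script of the kind asked for at the top of the thread, added here as an example (not code from the thread or from Dovecot): it counts Dovecot "auth failed" login lines per source IP in a maillog file and prints one summary line per IP that reaches a threshold, so the admin gets a single notice with count and source and can inspect the log and decide by hand. The Dovecot 2.x log format, the threshold of 5 and the mail recipient `root` are assumptions; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Dovecot auth failures per
# source IP so an admin gets ONE notice with count and source, then decides
# (block IP, block subnet, abuse mail) by hand. Assumes Dovecot 2.x
# "<imap|pop3>-login: ... (auth failed ...) ... rip=<ip>" log lines.

THRESHOLD="${THRESHOLD:-5}"   # assumed default; override via environment

# Constructed sample of /var/log/maillog lines (not real traffic):
# six failures from 192.0.2.10, one failure then a success from 203.0.113.7.
write_sample_log() {  # $1 = path to write
cat > "$1" <<'EOF'
Apr  6 22:50:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a1>
Apr  6 22:50:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a2>
Apr  6 22:50:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<a3>
Apr  6 22:50:07 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a4>
Apr  6 22:50:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a5>
Apr  6 22:50:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<webmaster>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<a6>
Apr  6 22:51:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<harry>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<b1>
Apr  6 22:51:30 mail dovecot: imap-login: Login: user=<harry>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<b2>
EOF
}

# Print "failures ip distinct_users" for every source IP whose failed logins
# reach the threshold, most active first. Successful logins are not counted;
# many distinct user names from one IP is the dictionary-attack signature.
report_dict_attacks() {  # $1 = log file, $2 = threshold
    grep -E 'dovecot: (imap|pop3)-login: .*auth failed' "$1" \
    | sed -n 's/.*user=<\([^>]*\)>.*rip=\([0-9a-fA-F.:]*\).*/\2 \1/p' \
    | awk -v min="$2" '
        { fails[$1]++; if (!seen[$1,$2]++) users[$1]++ }
        END { for (ip in fails) if (fails[ip] >= min)
                  printf "%d %s %d\n", fails[ip], ip, users[ip] }' \
    | sort -rn
}

# One-time notice: mail the summary to the admin (recipient "root" assumed).
notify_if_attacked() {  # $1 = log file
    summary="$(report_dict_attacks "$1" "$THRESHOLD")"
    [ -n "$summary" ] || return 0
    printf 'Dovecot auth failures >= %s on %s:\n%s\n' "$THRESHOLD" "$(hostname)" "$summary" \
        | mail -s "dovecot dictionary attack on $(hostname)" root
}

LOG="$(mktemp)"
write_sample_log "$LOG"
report_dict_attacks "$LOG" "$THRESHOLD"   # prints: 6 192.0.2.10 6
rm -f "$LOG"
```

For real use replace the sample with `/var/log/maillog` and call `notify_if_attacked` from cron; the output lists the IP and the number of distinct user names tried, which is what the whois and the count/source decision above need.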