Connection throttling POP3.
Andrew Morgan
morgan at orst.edu
Mon May 21 15:53:13 EDT 2007
On Mon, 21 May 2007, Matthew Schumacher wrote:
> List,
>
> I'm getting some spammer trying to guess usernames and passwords:
>
> May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob
> SASL(-13): authentication failure: checkpass failed
> May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext
> complaints SASL(-13): authentication failure: checkpass failed
> May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext
> diablo SASL(-13): authentication failure: checkpass failed
> May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext
> darren SASL(-13): authentication failure: checkpass failed
> May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext
> dallas SASL(-13): authentication failure: checkpass failed
> May 21 11:02:00 larry pop3[5939]: badlogin: [83.209.35.32] plaintext
> edgar SASL(-13): authentication failure: checkpass failed
> May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext
> cristopher SASL(-13): authentication failure: checkpass failed
> May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext
> easter SASL(-13): authentication failure: checkpass failed
> May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext
> felicia SASL(-13): authentication failure: checkpass failed
>
> And this spammer is racking up a zillion processes which is killing my
> machine. I need a way to throttle this somehow where he is only allowed
> one connection per IP at a time, or perhaps a way to ignore them after
> so many invalid passwords.
>
> Anyone know of a way to do this?
You can use tcp-wrappers to block connections from that IP address
entirely. I believe there are also some solutions to monitor connections
and automatically add IP addresses to the /etc/hosts.deny file, but I've
never used them myself.
Andy
More information about the Info-cyrus
mailing list