Connection throttling POP3.

Mogens Melander mogens at fumlersoft.dk
Tue May 22 04:11:16 EDT 2007


You need -I to make sure the rule gets inserted before any accept.
$EXTIF is your interface facing "the bad guys".

    iptables -I INPUT   -i $EXTIF -s $IP -j DROP
    iptables -I FORWARD -i $EXTIF -s $IP -j DROP

On Mon, May 21, 2007 21:43, Jonathan Villa wrote:
> For a temporary solution... use IPTABLES
>
> iptables -s 83.209.35.32 -j DROP
>
> or something like that.  I think that will drop ALL connections from the
> IP.
>
>
> ----- Original Message -----
> From: Matthew Schumacher <matt.s at aptalaska.net>
> Sent: Mon, 5/21/2007 2:40pm
> To: info-cyrus at lists.andrew.cmu.edu
> Subject: Connection throttling POP3.
>
> List,
>
> I'm getting some spammer trying to guess usernames and passwords:
>
> May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob SASL(-13): authentication failure: checkpass failed
> May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext complaints SASL(-13): authentication failure: checkpass failed
> May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext diablo SASL(-13): authentication failure: checkpass failed
> May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext darren SASL(-13): authentication failure: checkpass failed
> May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext dallas SASL(-13): authentication failure: checkpass failed
> May 21 11:02:00 larry pop3[5939]: badlogin: [83.209.35.32] plaintext edgar SASL(-13): authentication failure: checkpass failed
> May 21 11:02:01 larry pop3[5945]: badlogin: [83.209.35.32] plaintext cristopher SASL(-13): authentication failure: checkpass failed
> May 21 11:02:02 larry pop3[5965]: badlogin: [83.209.35.32] plaintext easter SASL(-13): authentication failure: checkpass failed
> May 21 11:02:10 larry pop3[5964]: badlogin: [83.209.35.32] plaintext felicia SASL(-13): authentication failure: checkpass failed
>
> And this spammer is racking up a zillion processes which is killing my
> machine.  I need a way to throttle this somehow where he is only allowed
> one connection per IP at a time, or perhaps a way to ignore them after
> so many invalid passwords.
>
> Anyone know of a way to do this?
>
> schu
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
> --
> This message has been scanned for viruses and
> dangerous content by OpenProtect(http://www.openprotect.com), and is
> believed to be clean.
>
>


-- 
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224
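
One way to automate the "ignore them after so many invalid passwords" idea from this thread, as an added example that is not code from either poster or from the Cyrus project: it counts `badlogin` lines per source address in a sliding window and prints the `-I` rules from the reply above. The threshold, window, year and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First five lines are from the quoted report (rejoined); the last is constructed.
SAMPLE_LOG = """\
May 21 11:01:55 larry pop3[5845]: badlogin: [83.209.35.32] plaintext bob SASL(-13): authentication failure: checkpass failed
May 21 11:01:54 larry pop3[5860]: badlogin: [83.209.35.32] plaintext complaints SASL(-13): authentication failure: checkpass failed
May 21 11:01:56 larry pop3[5922]: badlogin: [83.209.35.32] plaintext diablo SASL(-13): authentication failure: checkpass failed
May 21 11:01:58 larry pop3[5924]: badlogin: [83.209.35.32] plaintext darren SASL(-13): authentication failure: checkpass failed
May 21 11:02:00 larry pop3[5927]: badlogin: [83.209.35.32] plaintext dallas SASL(-13): authentication failure: checkpass failed
May 21 11:02:03 larry pop3[5970]: badlogin: [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed
"""

# Anchored at line start and on the pop3 tag, so text inside the
# client-chosen username cannot be mistaken for the address field.
BADLOGIN = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pop3\[\d+\]: badlogin: \[([^\]]+)\] ")

def offenders(log_text, threshold=5, window=timedelta(seconds=60), year=2007):
    """Return source IPs with at least `threshold` bad logins inside `window`."""
    recent = defaultdict(deque)
    flagged = []
    for line in log_text.splitlines():
        m = BADLOGIN.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue  # never pass an unvalidated log field into a rule
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def drop_rules(ips, extif="$EXTIF"):
    """Build (not run) the INPUT and FORWARD rules; $EXTIF is left for the shell."""
    return [f"iptables -I {chain} -i {extif} -s {ip} -j DROP"
            for ip in ips for chain in ("INPUT", "FORWARD")]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The script only prints the rules, so they can be reviewed before being applied on the host.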

