Connection throttling POP3.

Philip H. O'Neill poneill at oneillsystems.com
Tue May 22 10:34:57 EDT 2007


We do the same but there is an issue.

One, File::Tail delays polling the log for up to 30 seconds unless you
tell it otherwise. So it will allow a number of attempts before reading
the log. If you increase the polling you add load to the system. Not
much but some.

We like the idea of adding the timer to iptables along with logging so
the address can be tracked. If the address comes back then it can be
added to a permanent block.

Phil

On Mon, 2007-05-21 at 21:12, Robert Banz wrote:
> On May 21, 2007, at 21:50, Daniel O'Connor wrote:
> 
> > On Tuesday 22 May 2007 05:10, Matthew Schumacher wrote:
> >> I'm getting some spammer trying to guess usernames and passwords:
> >
> > I use the following to protect my SSH server (well not the SSH server
> > per se, just me reading logfiles the next day)
> >
> > http://www.gsoft.com.au/~doconnor/brute-force-mitigation.html
> >
> > Needs PF though.
> 
> I take the approach of having a perl script (yay! File::Tail) sit and  
> watch the logs on each server looking for signs of ssh (could easily  
> be used for other things like pop as well) brute force attacks.  A  
> certain # of failed logins in a time window from a single IP will  
> cause that IP to get blocked by ipfilter for an appropriate period of  
> time, after which the block is removed.  This stops most of your  
> brute-force guessers; after a few tries of having their packets end  
> up on the floor, they go away.
> 
> -rob
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
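
The scheme discussed in this thread (a number of failed logins from one IP inside a time window triggers a timed block, and an address that comes back afterwards goes on a permanent list), as an added example that is not part of the original messages. The log line shape, thresholds and addresses are constructed assumptions, and the code only returns decisions; applying them with ipfilter, PF or iptables is left to the caller.

```python
import re
from collections import defaultdict, deque

# Assumed line shape (constructed): "<epoch> <host> pop3d[<pid>]: badlogin: [<ip>] ..."
BADLOGIN = re.compile(r"^(\d+) \S+ pop3d\[\d+\]: badlogin: \[([0-9.]+)\]")

class Throttle:
    def __init__(self, max_fails=3, window=60, block_for=600):
        self.max_fails, self.window, self.block_for = max_fails, window, block_for
        self.fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                # ip -> expiry time of the timed block
        self.served = set()              # ips that already sat out a timed block
        self.permanent = set()           # ips that came back after a timed block

    def expire(self, now):
        # Lift timed blocks whose period has passed; return the released IPs.
        done = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in done:
            del self.blocked[ip]
            self.served.add(ip)
        return done

    def feed(self, line):
        # Process one log line and return a list of (action, ip) decisions.
        m = BADLOGIN.match(line)
        if not m:
            return []
        now, ip = int(m.group(1)), m.group(2)
        actions = [("unblock", a) for a in self.expire(now)]
        if ip in self.permanent or ip in self.blocked:
            return actions  # already blocked; this line was read late
        q = self.fails[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()  # forget failures older than the window
        if len(q) >= self.max_fails:
            q.clear()
            if ip in self.served:
                self.permanent.add(ip)
                actions.append(("permanent", ip))
            else:
                self.blocked[ip] = now + self.block_for
                actions.append(("block", ip))
        return actions

# Constructed sample log using documentation-range addresses.
A, B = "203.0.113.7", "198.51.100.9"
SAMPLE = [f"{t} mail pop3d[411]: badlogin: [{ip}] plaintext user" for t, ip in
          [(1000, A), (1010, A), (1015, B), (1020, A), (1025, A), (1700, A), (1705, A), (1710, A)]]

def run(lines):
    t = Throttle()
    return [a for line in lines for a in t.feed(line)]
```
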


