public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] User & password scanning on pop3
From: Rod @ 2010-06-17  0:26 UTC
  To: gentoo-user

     Hi,

     Does anyone know how to block, or auto programs in Gentoo to limit 
or stop people scanning for a user/password hacking on your firewall?

     Besides disabling those ports, I still need the port accessible 
from the outside, and I guess they'd just try imap if pop was blocked.

     I'm running iptables, postfix & courier

     This has been ongoing in excess of 12 Hrs now...

> Jun 17 10:25:20 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:21 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:26 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:27 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:27 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:33 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:33 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:34 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:39 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:39 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:40 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:45 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:46 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:46 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:52 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:52 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:53 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:58 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:58 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]
> Jun 17 10:25:59 jumpgate pop3d: LOGIN FAILED, user=dave, ip=[::ffff:93.186.195.234]
> Jun 17 10:26:04 jumpgate pop3d: Disconnected, ip=[::ffff:93.186.195.234]
> Jun 17 10:26:05 jumpgate pop3d: Connection, ip=[::ffff:93.186.195.234]





* Re: [gentoo-user] User & password scanning on pop3
From: Alex Schuster @ 2010-06-17  0:59 UTC
  To: gentoo-user

Rod writes:

>      Does anyone know how to block, or auto programs in Gentoo to limit
> or stop people scanning for a user/password hacking on your firewall?

I am using net-analyzer/fail2ban. That can block an IP after some 
unsuccessful login attempts. This helps a lot, but not against bot nets, 
when every host tries for two times only.

>      Besides disabling those ports, I still need the port accessible
> from the outside, and I guess they'd just try imap if pop was blocked.

Could you change the port to something unusual, like 1100?

	Wonko
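
An added example, not part of the original thread: a per-IP threshold of the kind described above, next to a per-username view that surfaces the distributed case where each host makes only a couple of attempts. The function names, thresholds, the `year` default and the sample log lines (documentation-range addresses) are constructed for illustration and are not fail2ban configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Courier pop3d line as quoted in the thread; user is client-supplied, so match greedily.
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN FAILED, "
                     r"user=(?P<user>.*), ip=\[(?P<ip>[0-9A-Fa-f:.]+)\]\s*$")

def parse_failures(lines, year=2010):
    """Return (timestamp, user, ip) per LOGIN FAILED line; syslog omits the year."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # Connection / Disconnected lines do not match
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            ip = m["ip"].lower()
            ip = ip[7:] if ip.startswith("::ffff:") else ip  # IPv4-mapped -> IPv4
            events.append((ts, m["user"], ip))
    return events

def per_ip_offenders(events, max_retry=5, find_time=timedelta(minutes=10)):
    """IPs with at least max_retry failures inside any find_time window."""
    recent, offenders = defaultdict(deque), set()
    for ts, _user, ip in sorted(events):
        recent[ip].append(ts)
        while ts - recent[ip][0] > find_time:
            recent[ip].popleft()
        if len(recent[ip]) >= max_retry:
            offenders.add(ip)
    return offenders

def distributed_targets(events, min_ips=3, max_per_ip=2):
    """Users hit from >= min_ips sources that each made <= max_per_ip tries."""
    tries = defaultdict(lambda: defaultdict(int))
    for _ts, user, ip in events:
        tries[user][ip] += 1
    quiet = {u: sorted(ip for ip, n in c.items() if n <= max_per_ip) for u, c in tries.items()}
    return {u: ips for u, ips in quiet.items() if len(ips) >= min_ips}

# Constructed sample: one noisy host, then three hosts trying "dave" twice each.
SAMPLE_LOG = [
    f"Jun 17 10:25:{20 + 6 * i:02d} jumpgate pop3d: LOGIN FAILED, user=dave, "
    "ip=[::ffff:192.0.2.10]" for i in range(6)
] + [
    f"Jun 17 11:0{i}:00 jumpgate pop3d: LOGIN FAILED, user=dave, "
    f"ip=[::ffff:198.51.100.{h}]" for h in (7, 8, 9) for i in (1, 2)
] + ["Jun 17 11:05:00 jumpgate pop3d: Disconnected, ip=[::ffff:198.51.100.9]"]

if __name__ == "__main__":
    print(per_ip_offenders(parse_failures(SAMPLE_LOG)), distributed_targets(parse_failures(SAMPLE_LOG)))
```

On the sample, the per-IP rule flags only the noisy host, while the per-username view lists the three low-rate sources that a per-IP threshold alone would not catch.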




* [gentoo-user] Re: User & password scanning on pop3
From: Tobias R @ 2010-06-17 10:02 UTC
  To: Rod

>      Hi,
>      Does anyone know how to block, or auto programs in Gentoo to
>      limit 
> or stop people scanning for a user/password hacking on your
> firewall? 

You may want to have a look at iptables and hashlimit, e.g. [1] (please 
note that I never tried this by myself).

1. http://seclists.org/fulldisclosure/2006/Feb/702

Tobias




* Re: [gentoo-user] Re: User & password scanning on pop3
From: Adam @ 2010-06-17 12:30 UTC
  To: gentoo-user

>>      Does anyone know how to block, or auto programs in Gentoo to
>>      limit 
>> or stop people scanning for a user/password hacking on your
>> firewall? 

fail2ban




* Re: [gentoo-user] User & password scanning on pop3
From: kashani @ 2010-06-20 23:43 UTC
  To: gentoo-user

On 6/16/2010 5:26 PM, Rod wrote:
>   Hi,
>
> Does anyone know how to block, or auto programs in Gentoo to limit or
> stop people scanning for a user/password hacking on your firewall?
>
> Besides disabling those ports, I still need the port accessible from the
> outside, and I guess they'd just try imap if pop was blocked.
>
> I'm running iptables, postfix & courier

	Have you considered changing over to pop3-ssl and imap-ssl? I fully 
switched over about six years ago and nearly every job I've had since 
has used SSL as well. I'd still recommend plain imap to be open on 
localhost for webmail to interact with it, but you should have far less 
problems. And less chance of sniffers pulling user/pass from wireless 
connections in cafes.

kashani




* Re: [gentoo-user] User & password scanning on pop3
From: deface @ 2010-06-21  0:06 UTC
  To: gentoo-user



On Jun 20, 2010, at 6:43 PM, kashani wrote:

> On 6/16/2010 5:26 PM, Rod wrote:
>>  Hi,
>> 
>> Does anyone know how to block, or auto programs in Gentoo to limit or
>> stop people scanning for a user/password hacking on your firewall?
>> 
>> Besides disabling those ports, I still need the port accessible from the
>> outside, and I guess they'd just try imap if pop was blocked.
>> 
>> I'm running iptables, postfix & courier
> 
> 	Have you considered changing over to pop3-ssl and imap-ssl? I fully switched over about six years ago and nearly every job I've had since has used SSL as well. I'd still recommend plain imap to be open on localhost for webmail to interact with it, but you should have far less problems. And less chance of sniffers pulling user/pass from wireless connections in cafes.
> 
> kashani
> 
> 


Try fail2ban



* Re: [gentoo-user] User & password scanning on pop3
From: Rod @ 2010-06-21  0:13 UTC
  To: gentoo-user

On 17/06/2010 10:26 AM, Rod wrote:
>     Hi,
>
>     Does anyone know how to block, or auto programs in Gentoo to limit 
> or stop people scanning for a user/password hacking on your firewall?


     Hi,

     Just an update, I found the program I had running "Fail2Ban" was 
broken, so I have fixed that, but also closed off the pop3 server for 
non "SSL" traffic...


     pop3 - closed
     pop3-ssl - open    certificates issued to both SSL users (pop/imap)
     imap-ssl open




* Re: [gentoo-user] User & password scanning on pop3
From: kashani @ 2010-06-21  5:27 UTC
  To: gentoo-user

On 6/20/2010 5:06 PM, deface wrote:

> Try fail2ban

How about reading the whole thread before posting a one liner?

kashani


