[BlueOnyx:13106] Re: dovecot not registering with failed logins?

Chuck Tetlow chuck at tetlow.net
Sat May 25 22:11:48 -05 2013


That IP Tables rule won't work.  You're missing the rule number, and have the wrong rule name.  And the "-d 0/0" isn't really needed - it means "whole world" and is assumed if not given.

In BlueOnyx, the chain name to add the rule to is "acctin" - which filters the inbound traffic.  And the chain name must be followed by the line number to insert the rule (hence the capital I = insert).  Try this "iptables -I acctin 1 -s 117.79.91.80 -j DROP".  That will quickly and simply block anything from that one IP address. 

But if you see more than one IP on that same network (like 117.79.91.80 and 117.79.91.82) - it means more than one machine on that network is being used for hacking.  Instead of putting in multiple rules, just change the last octet in the IP to 0 and add a "/24" (example -s 117.78.91.0/24) - which will block everything on that network.

After entering the rules - you can confirm they are in the chain with "iptables -L -n".  Look at the first rule in the "acctin" chain to be sure your new rule is there.  And add a -v (iptables -L -n -v) if you want to see how many packets hit that rule and are blocked.

Chuck

---------- Original Message -----------
From: Gerald Waugh <gwaugh at frontstreetnetworks.com> 
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
Sent: Fri, 24 May 2013 11:06:37 -0500 
Subject: [BlueOnyx:13103] Re: dovecot not registering with failed logins?

> /sbin/iptables -I INPUT -s 117.79.91.80 -d 0/0 -j DROP 
> 
> On 05/24/2013 10:45 AM, Roy Urick wrote: 
> > ran Pam_abl. doesn't make sense to me. I would expect the hits at the top 
> > to register under failed hosts. 
> > 
> > May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<vinnie at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<viola at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<violet at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:27:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<violeta at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<virgil at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:27:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<virginia at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:28:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<vivian at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:28:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<vivianne at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:28:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<vlad at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> > lip=172.16.102.252 
> > May 24 11:29:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<vladimir at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:29:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<wade at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> > lip=172.16.102.252 
> > May 24 11:29:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<walker at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:30:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<wallace at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:30:31 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<wally at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > May 24 11:30:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<walt at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> > lip=172.16.102.252 
> > May 24 11:31:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> > 1 attempts): user=<walter at fire-house.net>, method=PLAIN, 
> > rip=117.79.91.80, lip=172.16.102.252 
> > ^C 
> > [root at BlueOnyx log]# pam_abl 
> > Failed users: 
> >      admin (3) 
> >          Not blocking 
> >      drew (6) 
> >          Not blocking 
> > Failed hosts: 
> >      gw.koorsen.com (3) 
> >          Not blocking 
> > [root at BlueOnyx log]# 
> > 
> > as a side note, my sonicwall already set to "deny any" from that IP, but 
> > traffic still flows.  grrr! 
> > 
> > On 5/24/2013 10:21 AM, Eric Peabody wrote: 
> >> Roy, 
> >> 
> >> Your server's settings will determine if this attack will be blocked. 
> >> Check under Security/Login Manager and see the Host rules.  They may 
> >> need to be adjusted. 
> >> 
> >> If that looks ok, try running pam_abl as root from the command line and 
> >> see if you get any errors.  If you do, you may need to delete the files 
> >> it uses.  If you delete the files, they will be recreated 
> >> automatically.  I mention this because I've seen these files become 
> >> corrupted and deleting them was the only fix I could find. 
> >> 
> >> Eric 
> >> 
> >> On 5/24/13 8:46 AM, Roy Urick wrote: 
> >>> during troubleshooting of a new server install, I noticed one single IP 
> >>> slowly doing a dictionary attack of sorts against pop. (one attempt 
> >>> every 30-6 seconds, user name is incrementing alphabetically) 
> >>> 
> >>> Even though I see all of these attempts from the one IP, that host isn't 
> >>> showing in the failed logins GUI. Normal? 
> >>> _______________________________________________ 
> >>> Blueonyx mailing list 
> >>> Blueonyx at mail.blueonyx.it 
> >>> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
> > 
> 
> -- 
> Gerald Waugh 
> Front Street Networks 
> (318) 734-4779 
> (318) 401-0428 
------- End of Original Message -------
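The steps Chuck describes (find the remote IP behind the dovecot "auth failed" lines, insert a DROP rule at position 1 of the "acctin" chain, widen it to the /24 when several hosts on the same network show up, then verify with iptables -L) can be scripted. The script below is an added example and is not Chuck's code or part of BlueOnyx; it assumes the dovecot log format quoted in the thread (the `rip=` field carries the remote IP) and the chain name "acctin" Chuck gives. The log lines and the threshold are constructed for the example. The script only prints the iptables commands so an admin can review them before running any of them.

```shell
#!/bin/sh
# Added example (not from the thread or the BlueOnyx project): tally dovecot
# "auth failed" lines per remote IP and print the BlueOnyx iptables rule to
# block the offenders. Nothing is executed; review the output before running it.

# Constructed sample lines modelled on the dovecot log format Roy posted.
# Two hosts on the same /24 (.80 and .82) fail; one unrelated successful login.
SAMPLE_LOG='May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vinnie@example.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<viola@example.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<violet@example.net>, method=PLAIN, rip=117.79.91.82, lip=172.16.102.252
May 24 11:27:09 BlueOnyx dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.7, lip=172.16.102.252
May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<virgil@example.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252'

# count_failed_rips: read dovecot log on stdin, print "<ip> <failures>",
# most failures first. Only "auth failed" lines are counted.
count_failed_rips() {
    grep 'auth failed' \
        | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# network_of: collapse an IPv4 address to its /24, as Chuck suggests
# (117.79.91.80 -> 117.79.91.0/24).
network_of() {
    echo "$1" | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }'
}

# suggest_rules THRESHOLD: read dovecot log on stdin. Every IP with at least
# THRESHOLD failures gets "iptables -I acctin 1 -s <ip> -j DROP"; if more than
# one such IP sits in the same /24, a single /24 rule is printed instead.
suggest_rules() {
    threshold="$1"
    count_failed_rips | awk -v t="$threshold" '
        $2 >= t {
            ip = $1
            split(ip, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            hosts[net]++
            ips[net] = ips[net] " " ip
        }
        END {
            for (net in hosts) {
                if (hosts[net] > 1) {
                    print "iptables -I acctin 1 -s " net " -j DROP"
                } else {
                    sub(/^ /, "", ips[net])
                    print "iptables -I acctin 1 -s " ips[net] " -j DROP"
                }
            }
        }'
}

# Demo on the constructed log: with a threshold of 2 only .80 qualifies;
# with a threshold of 1 both hosts qualify and the /24 rule is printed.
printf '%s\n' "$SAMPLE_LOG" | count_failed_rips
printf '%s\n' "$SAMPLE_LOG" | suggest_rules 2
printf '%s\n' "$SAMPLE_LOG" | suggest_rules 1
# After applying a rule, confirm it and watch its counters with:
#   iptables -L acctin -n -v
```

On a live BlueOnyx box the log would come from the mail log instead of SAMPLE_LOG (for example `grep 'auth failed' /var/log/maillog | suggest_rules 10`, path assumed), and the printed rules would be inspected before being pasted into a root shell; the first rule in "acctin" shown by `iptables -L acctin -n -v` should then be the new DROP, with its packet counter rising as the scanner keeps trying.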
 