<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
That iptables rule won't work. You're missing the rule number, and have the wrong rule name. And the "-d 0/0" isn't really needed - it means "whole world" and is assumed if not given.
<br />
<br />In BlueOnyx, the chain name to add the rule to is "acctin" - which filters the inbound traffic. And the chain name must be followed by the line number to insert the rule (hence the capital I = insert). Try this "iptables -I acctin 1 -s 117.79.91.80 -j DROP". That will quickly and simply block anything from that one IP address.
<br />
<br />But if you see more than one IP on that same network (like 117.79.91.80 and 117.79.91.82) - it means more than one machine on that network is being used for hacking. Instead of putting in multiple rules, just change the last octet in the IP to 0 and add a "/24" (example -s 117.78.91.0/24) - which will block everything on that network.
<br />
<br />After entering the rules - you can confirm they are in the chain with "iptables -L -n". Look at the first rule in the "acctin" chain to be sure your new rule is there. And add a -v (iptables -L -n -v) if you want to see how many packets hit that rule and are blocked.
<br />
<br />
<br />Chuck
<br />
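<br />As an added illustration (not code from this thread or from BlueOnyx), the Python below applies Chuck's advice to log lines in the shape Roy posted: it sums the dovecot auth failures per remote IP (rip=) and, for hosts at or above a threshold, builds the "iptables -I acctin 1 -s ... -j DROP" commands, collapsing to a /24 when more than one host on the same network is involved. The sample lines, the threshold of 5, and the addresses 117.79.91.82 and 203.0.113.5 are constructed assumptions; the script only prints the commands for review, it does not run them.

```python
import re
import ipaddress
from collections import Counter

# Matches the dovecot pop3-login "auth failed" lines quoted in the thread and
# captures the attempt count, the user name and the remote IP (rip=).
LOG_RE = re.compile(
    r"dovecot: \w+-login: Disconnected \(auth failed, (\d+) attempts\): "
    r"user=<([^>]*)>.*?rip=([\d.]+)"
)

def _line(ts, user, rip):
    """Format a constructed log line in the same shape as the quoted dovecot entries."""
    return (f"May 24 {ts} BlueOnyx dovecot: pop3-login: Disconnected (auth failed, "
            f"1 attempts): user=<{user}@fire-house.net>, method=PLAIN, rip={rip}, "
            f"lip=172.16.102.252")

# Constructed sample: the .80 host from the thread, a second host on the same /24
# (.82, as in Chuck's example) and one stray failure from an unrelated address.
SAMPLE_LOG = "\n".join(
    [_line(f"11:2{i}:09", u, "117.79.91.80")
     for i, u in enumerate(["vinnie", "viola", "violet", "violeta", "virgil", "virginia"])]
    + [_line(f"11:3{i}:11", u, "117.79.91.82")
       for i, u in enumerate(["wade", "walker", "wallace", "wally", "walt"])]
    + [_line("12:00:00", "drew", "203.0.113.5")]
)

def count_failures(log_text):
    """Sum failed-auth attempts per remote IP over the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group(3)] += int(m.group(1))
    return counts

def block_rules(counts, threshold=5, chain="acctin"):
    """Build 'iptables -I <chain> 1 -s <src> -j DROP' commands for hosts at or
    above the threshold; hosts sharing a /24 collapse into one network rule."""
    offenders = [ip for ip, n in counts.items() if n >= threshold]
    per_net = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip in offenders)
    rules, emitted = [], set()
    for ip in sorted(offenders, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        src = net if per_net[net] > 1 else ip  # whole network once, or the single host
        if src not in emitted:
            emitted.add(src)
            rules.append(f"iptables -I {chain} 1 -s {src} -j DROP")
    return rules
```

Running block_rules(count_failures(SAMPLE_LOG)) yields a single rule for 117.79.91.0/24, since both .80 and .82 cross the threshold, while the lone 203.0.113.5 failure is ignored; the printed commands are then checked with "iptables -L -n -v" as Chuck describes.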
<br /><font size="2">
<br />
<br /><b>---------- Original Message -----------</b>
<br />
From: Gerald Waugh <gwaugh@frontstreetnetworks.com>
<br />
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
<br />
Sent: Fri, 24 May 2013 11:06:37 -0500
<br />
Subject: [BlueOnyx:13103] Re: dovecot not registering with failed logins?
<br />
<br />> /sbin/iptables -I INPUT -s 117.79.91.80 -d 0/0 -j DROP
<br />>
<br />>
On 05/24/2013 10:45 AM, Roy Urick wrote:
<br />>
> ran Pam_abl. doesn't make sense to me. I would expect the hits at the top
<br />>
> to register under failed hosts.
<br />>
>
<br />>
> May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<vinnie@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<viola@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<violet@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:27:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<violeta@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<virgil@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:27:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<virginia@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:28:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<vivian@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:28:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<vivianne@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:28:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<vlad@fire-house.net>, method=PLAIN,
rip=117.79.91.80,
<br />>
> lip=172.16.102.252
<br />>
> May 24 11:29:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<vladimir@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:29:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<wade@fire-house.net>, method=PLAIN,
rip=117.79.91.80,
<br />>
> lip=172.16.102.252
<br />>
> May 24 11:29:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<walker@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:30:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<wallace@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:30:31 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<wally@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> May 24 11:30:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<walt@fire-house.net>, method=PLAIN,
rip=117.79.91.80,
<br />>
> lip=172.16.102.252
<br />>
> May 24 11:31:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed,
<br />>
> 1 attempts): user=<walter@fire-house.net>, method=PLAIN,
<br />>
> rip=117.79.91.80, lip=172.16.102.252
<br />>
> ^C
<br />>
> [root@BlueOnyx log]# pam_abl
<br />>
> Failed users:
<br />>
> admin (3)
<br />>
> Not blocking
<br />>
> drew (6)
<br />>
> Not blocking
<br />>
> Failed hosts:
<br />>
> gw.koorsen.com (3)
<br />>
> Not blocking
<br />>
> [root@BlueOnyx log]#
<br />>
>
<br />>
> as a side note, my sonicwall already set to "deny any" from that
IP, but
<br />>
> traffic still flows. grrr!
<br />>
>
<br />>
> On 5/24/2013 10:21 AM, Eric Peabody wrote:
<br />>
>> Roy,
<br />>
>>
<br />>
>> Your server's settings will determine if this attack will be blocked.
<br />>
>> Check under Security/Login Manager and see the Host rules. They
may
<br />>
>> need to be adjusted.
<br />>
>>
<br />>
>> If that looks ok, try running pam_abl as root from the command line and
<br />>
>> see if you get any errors. If you do, you may need to delete the
files
<br />>
>> it uses. If you delete the files, they will be recreated
<br />>
>> automatically. I mention this because I've seen these files
become
<br />>
>> corrupted and deleting them was the only fix I could find.
<br />>
>>
<br />>
>> Eric
<br />>
>>
<br />>
>> On 5/24/13 8:46 AM, Roy Urick wrote:
<br />>
>>> during troubleshooting of a new server install, I noticed one
single IP
<br />>
>>> slowly doing a dictionary attack of sorts against pop. (one attempt
<br />>
>>> every 30-6 seconds, user name is incrementing alphabetically)
<br />>
>>>
<br />>
>>> Even though I see all of these attempts from the one IP, that host isn't
<br />>
>>> showing in the failed logins GUI. Normal?
<br />>
>>> _______________________________________________
<br />>
>>> Blueonyx mailing list
<br />>
>>> Blueonyx@mail.blueonyx.it
<br />>
>>> <a target="_blank" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
<br />>
>
<br />>
<br />>
--
<br />>
Gerald Waugh
<br />>
Front Street Networks
<br />>
(318) 734-4779
<br />>
(318) 401-0428
<br /><b>------- End of Original Message -------</b>
<br />
</font>
</BODY>
</HTML>