
Date:  Thu, 31 Jul 2008 07:42:38 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark) precisionweb.net>
Subject:  [coba-e:13660] Re: Dovecot/POP3 Flood
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <02a001c8f31b$b16ee300$6601a8c0@OfficeKen>
References:  <200807310015.m6V0FS7S049132 (at mark) info.eis.net.au>
X-Mail-Count: 13660


>> ----- Original Message ----- 
>> From: "Robert Fitzpatrick" <lists (at mark) webtent.net>
>> To: "BlueQuartz" <coba-e (at mark) bluequartz.org>
>> Sent: Tuesday, July 22, 2008 6:57 PM
>> Subject: [coba-e:13590] Dovecot/POP3 Flood
>>
>>
>> > I've seen some talk about Dovecot repeating password prompts on the 
>> > list
>> > and while this happens to us from time to time, the procedure for
>> > restarting some things along with dbrecover always seems to work.
>> > Tonight I had two servers do it at the same time, so I'm assuming a
>> > flood/attack of some sort?
>> >
>> > Is there any recommended way or dovecot settings to avoid this from
>> > happening?
>> >
>> > -- 
>>
>> Robert
>>
>>
>> I think you need to install software that will check for brute force 
>> attacks
>> and block that IP.
>>
>> Then also the flat file conversion is a very good idea.
>>
>>
On a similar topic, does anyone know of a script that will block brute force
attacks on the ssh port?

- Ernie.



Ernie

If you run the commands below it will install the APF firewall and the BFD
brute force detection.

####################################################################

cd ~admin

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar xzvpf apf-current.tar.gz

cd apf-0.9.6-3

./install.sh



#  Then edit the /etc/apf/conf.apf to change the IG_TCP_CPORTS line
#  from
#  22
#  to
#  21,22,23,25,53,80,110,143,443,81,444,465,587,783,873,993,995,5100,60000_60019
#  and edit IG_UDP_CPORTS to set it to
#  53,60000_60019
#  I set my proftpd.conf to use the 60000_60019 ports, that is why I have
#  them open here.
#  and set DEVEL_MODE to 0



/etc/rc.d/init.d/apf restart

####################################################################

#BFD # http://www.webhostgear.com/60.html



cd ~admin

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

tar -xvzf bfd-current.tar.gz

cd bfd-0.9

./install.sh

#   echo "some IP that you never want blocked" >> /usr/local/bfd/ignore.hosts

wget http://www.r-fx.ca/downloads/sshd

mv -f sshd /usr/local/bfd/rules/

perl -p -i -e 's/grep -w proftpd/grep -w proftpd \| grep -v anonymous/g' /usr/local/bfd/rules/proftpd



That's it.



It will detect and block FTP and SSH attacks, but not dovecot attacks. I
think Michael Stauber sells a package that will block dovecot attacks.







----

Ken Marcus

Ecommerce Web Hosting by

Precision Web Hosting, Inc.

http://www.precisionweb.net
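An added example, not from Ken's post or from the BFD project, covering the gap the post notes (BFD ships no dovecot rule): a BFD-style check that counts Dovecot POP3/IMAP login failures per source address in a maillog and prints the addresses that reach a threshold, so the output can be fed to APF's deny list (e.g. `apf -d`). The Dovecot log line format and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list post or BFD): a BFD-style detector for
# Dovecot failed logins. It counts "Aborted login (auth failed" events per
# remote address (rip=) and prints every address at or above a threshold,
# one per line. Log format and sample lines are assumed/constructed.

# Write constructed sample maillog lines (Dovecot 1.x style) to file $1.
make_sample_log() {
  cat <<'EOF' > "$1"
Jul 31 06:01:02 web1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Jul 31 06:01:03 web1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Jul 31 06:01:04 web1 dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Jul 31 06:01:05 web1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Jul 31 06:01:06 web1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
EOF
}

# dovecot_offenders LOGFILE THRESHOLD
# Prints each rip= address with >= THRESHOLD failed logins in LOGFILE.
# Successful "Login:" lines are ignored, so a busy legitimate client
# does not get counted.
dovecot_offenders() {
  grep -w dovecot "$1" \
    | grep -E 'Aborted login \(auth failed' \
    | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone usage: build the sample log and list offenders at 3 failures.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  dovecot_offenders "$tmp" 3
  rm -f "$tmp"
fi
```

Run with `--demo` to see the sample result; in practice point it at /var/log/maillog and put the addresses it prints through a whitelist check (the same idea as BFD's ignore.hosts) before denying them.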