For the paranoid (like myself), there's always fail2ban
( http://www.fail2ban.org/ ). It worked perfectly for me in stopping
brute-force attacks on my ssh port.
Basically it monitors a log and bans (with iptables, for example) IPs
for a period of time after a certain number of authentication failures.
On Fri, 2007-09-28 at 07:06 -0400, Sam Varshavchik wrote:
Michelle Konzack writes:
For around one week I have had very heavy dictionary attacks (over 300000
per day from more than 7000 different IPs) on my courier-mta, which
serves 17,000 users in the French gov.
On the <exim-user> list they used the following to stop it.
But how can I do this with <courier-mta>?
I'd like to reduce the failed connections per IP to 10 per hour, and I think
this is enough to heavily slow down the hack attempts...
There is no rate metering of this kind possible, but what exactly is the
negative impact from this? This is an average of three and a half probes per
second, which, if you weren't looking at the logs, you would've never
noticed.
The reason it's only three and a half probes per second is, of course,
Courier's automatic tarpit. Without it you'll probably have thirty million
probes per day. So you have a lot of crap in your mail logs. So what. It's
not the end of the world.
You should consider using the CBL blacklist, which probably has most of
these compromised hosts listed already. This won't have much impact on the
probes, but should cut down on the spam.
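As an added illustration of the watch-the-log-and-ban approach described in the fail2ban reply at the top of this message, and of the 10-failures-per-IP-per-hour limit Michelle asks for, here is a small Python sketch; it is not fail2ban's code and not from anyone in this thread. The courier-imap "LOGIN FAILED" line shape, the host name "mx", the user names and every IP address are constructed assumptions, so adjust FAIL_RE to what your own mail log prints.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed courier-imap style: "... imapd: LOGIN FAILED, user=X, ip=[::ffff:A.B.C.D]"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: LOGIN FAILED, "
    r".*ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)

def make_sample_log():
    """Constructed sample log (not a real capture) covering three cases."""
    t0 = datetime(2007, 9, 28, 7, 0, 0)
    def line(ts, ip, user):
        return f"{ts:%b %d %H:%M:%S} mx imapd: LOGIN FAILED, user={user}, ip=[::ffff:{ip}]"
    lines = []
    # 12 failures in 22 minutes from one host: clearly over 10 per hour
    lines += [line(t0 + timedelta(minutes=2 * i), "198.51.100.7", "alice") for i in range(12)]
    # 11 failures spread over 5 hours: never 10 inside any one-hour window
    lines += [line(t0 + timedelta(minutes=30 * i), "203.0.113.9", "bob") for i in range(11)]
    # a real user mistyping a password three times
    lines += [line(t0 + timedelta(minutes=5 * i), "192.0.2.44", "carol") for i in range(3)]
    return "\n".join(lines)

def parse_failures(log_text, year=2007):
    """Yield (timestamp, ip) per auth failure; syslog lines carry no year."""
    for raw in log_text.splitlines():
        m = FAIL_RE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(events, max_fails=10, window=timedelta(hours=1)):
    """Sliding-window count per IP; return {ip: time the limit was reached}."""
    recent = defaultdict(deque)
    hits = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # forget failures older than the window
            q.popleft()
        if len(q) >= max_fails and ip not in hits:
            hits[ip] = ts
    return hits

def iptables_ban_rule(ip):
    """The iptables rule a fail2ban-style ban action would add (returned, not run)."""
    return f"iptables -I INPUT -s {ip} -j DROP"
```

Run over the constructed log, only the first host reaches ten failures within an hour (at 07:18), while the slow scanner and the mistyping user stay under the limit.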