Author Topic: Auto block brute force IPs  (Read 4188 times)


Offline fossxplorer

Auto block brute force IPs
« on: 2014-09-07, 20:48:25 »
These days my Kloxo-MR is subject to SPAM source and I see brute force attacks:
Sep  7 20:42:16 mail pop3: 1410115336.674823 tcpserver: ok 30641 :111.111.111.186:110 :125.79.18.13::42216
Sep  7 20:42:16 mail pop3: 1410115336.703615 tcpserver: status: 2/200
Sep  7 20:42:16 mail pop3: 1410115336.703777 tcpserver: pid 30642 from 125.79.18.13
Sep  7 20:42:16 mail pop3: 1410115336.715509 tcpserver: ok 30642 :111.111.111.187:110 :125.79.18.13::42221
Sep  7 20:42:17 mail vpopmail[30643]: vchkpw-pop3: vpopmail user not found terence@:125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.240255 tcpserver: end 30641 status 256
Sep  7 20:42:17 mail pop3: 1410115337.240281 tcpserver: status: 1/200
Sep  7 20:42:17 mail vpopmail[30645]: vchkpw-pop3: vpopmail user not found roger@:125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.294012 tcpserver: end 30642 status 256
Sep  7 20:42:17 mail pop3: 1410115337.294036 tcpserver: status: 0/200
Sep  7 20:42:17 mail pop3: 1410115337.795501 tcpserver: status: 1/200
Sep  7 20:42:17 mail pop3: 1410115337.795665 tcpserver: pid 30647 from 125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.807689 tcpserver: ok 30647 :111.111.111.186:110 :125.79.18.13::42237
Sep  7 20:42:17 mail pop3: 1410115337.863795 tcpserver: status: 2/200
Sep  7 20:42:17 mail pop3: 1410115337.863894 tcpserver: pid 30648 from 125.79.18.13
Sep  7 20:42:17 mail pop3: 1410115337.875716 tcpserver: ok 30648 :111.111.111.187:110 :125.79.18.13::42239
Sep  7 20:42:18 mail vpopmail[30649]: vchkpw-pop3: vpopmail user not found terra@:125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.373194 tcpserver: end 30647 status 256
Sep  7 20:42:18 mail pop3: 1410115338.373213 tcpserver: status: 1/200
Sep  7 20:42:18 mail vpopmail[30651]: vchkpw-pop3: vpopmail user not found rolph@:125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.454994 tcpserver: end 30648 status 256
Sep  7 20:42:18 mail pop3: 1410115338.455023 tcpserver: status: 0/200
Sep  7 20:42:18 mail pop3: 1410115338.929154 tcpserver: status: 1/200
Sep  7 20:42:18 mail pop3: 1410115338.929252 tcpserver: pid 30653 from 125.79.18.13
Sep  7 20:42:18 mail pop3: 1410115338.941129 tcpserver: ok 30653 :111.111.111.186:110 :125.79.18.13::42252
Sep  7 20:42:19 mail pop3: 1410115339.024847 tcpserver: status: 2/200
Sep  7 20:42:19 mail pop3: 1410115339.025068 tcpserver: pid 30654 from 125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.036617 tcpserver: ok 30654 :111.111.111.187:110 :125.79.18.13::42255
Sep  7 20:42:19 mail vpopmail[30655]: vchkpw-pop3: vpopmail user not found terry@:125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.507209 tcpserver: end 30653 status 256
Sep  7 20:42:19 mail pop3: 1410115339.507228 tcpserver: status: 1/200
Sep  7 20:42:19 mail vpopmail[30657]: vchkpw-pop3: vpopmail user not found ron@:125.79.18.13
Sep  7 20:42:19 mail pop3: 1410115339.615602 tcpserver: end 30654 status 256
Sep  7 20:42:19 mail pop3: 1410115339.615623 tcpserver: status: 0/200
Sep  7 20:42:20 mail pop3: 1410115340.063113 tcpserver: status: 1/200
Sep  7 20:42:20 mail pop3: 1410115340.063220 tcpserver: pid 30659 from 125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.074952 tcpserver: ok 30659 :111.111.111.186:110 :125.79.18.13::42271
Sep  7 20:42:20 mail pop3: 1410115340.185521 tcpserver: status: 2/200
Sep  7 20:42:20 mail pop3: 1410115340.185681 tcpserver: pid 30660 from 125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.197146 tcpserver: ok 30660 :111.111.111.187:110 :125.79.18.13::42273
Sep  7 20:42:20 mail vpopmail[30661]: vchkpw-pop3: vpopmail user not found tess@:125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.640672 tcpserver: end 30659 status 256
Sep  7 20:42:20 mail pop3: 1410115340.640707 tcpserver: status: 1/200
Sep  7 20:42:20 mail vpopmail[30663]: vchkpw-pop3: vpopmail user not found rona@:125.79.18.13
Sep  7 20:42:20 mail pop3: 1410115340.776253 tcpserver: end 30660 status 256
Sep  7 20:42:20 mail pop3: 1410115340.776293 tcpserver: status: 0/200
Sep  7 20:42:21 mail pop3: 1410115341.196262 tcpserver: status: 1/200
Sep  7 20:42:21 mail pop3: 1410115341.196339 tcpserver: pid 30665 from 125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.208570 tcpserver: ok 30665 :111.111.111.186:110 :125.79.18.13::42290
Sep  7 20:42:21 mail pop3: 1410115341.346176 tcpserver: status: 2/200
Sep  7 20:42:21 mail pop3: 1410115341.346295 tcpserver: pid 30666 from 125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.358027 tcpserver: ok 30666 :111.111.111.187:110 :125.79.18.13::42292
Sep  7 20:42:21 mail pop3: 1410115341.765119 tcpserver: end 30665 status 256
Sep  7 20:42:21 mail pop3: 1410115341.765155 tcpserver: status: 1/200
Sep  7 20:42:21 mail vpopmail[30667]: vchkpw-pop3: vpopmail user not found ronald@:125.79.18.13
Sep  7 20:42:21 mail pop3: 1410115341.936432 tcpserver: end 30666 status 256
Sep  7 20:42:21 mail pop3: 1410115341.936452 tcpserver: status: 0/200
Sep  7 20:42:22 mail pop3: 1410115342.506626 tcpserver: status: 1/200
Sep  7 20:42:22 mail pop3: 1410115342.506751 tcpserver: pid 30669 from 125.79.18.13
Sep  7 20:42:22 mail pop3: 1410115342.518482 tcpserver: ok 30669 :111.111.111.187:110 :125.79.18.13::42305
Sep  7 20:42:23 mail vpopmail[30670]: vchkpw-pop3: vpopmail user not found ronda@:125.79.18.13
Sep  7 20:42:23 mail pop3: 1410115343.097308 tcpserver: end 30669 status 256
Sep  7 20:42:23 mail pop3: 1410115343.097328 tcpserver: status: 0/200
Sep  7 20:42:23 mail pop3: 1410115343.668684 tcpserver: status: 1/200
Sep  7 20:42:23 mail pop3: 1410115343.668852 tcpserver: pid 30672 from 125.79.18.13
Sep  7 20:42:23 mail pop3: 1410115343.680233 tcpserver: ok 30672 :111.111.111.187:110 :125.79.18.13::42326
Sep  7 20:42:24 mail vpopmail[30673]: vchkpw-pop3: vpopmail user not found ronny@:125.79.18.13
Sep  7 20:42:24 mail pop3: 1410115344.262892 tcpserver: end 30672 status 256
Sep  7 20:42:24 mail pop3: 1410115344.262908 tcpserver: status: 0/200
Sep  7 20:42:24 mail pop3: 1410115344.835405 tcpserver: status: 1/200

Now I wonder, is there a way to auto block IPs from the "mail vpopmail[30673]: vchkpw-pop3: vpopmail user not found ronny@:125.79.18.13" after say 5 attempts?
I've installed CSF, is there an option to read mail logs from qmail? Or do I have to use fail2ban?

@chrisf, have you any setups that auto block IPs that fail many auth attempts?

Thanks!

Kloxo-MR!

Offline chrisf

Re: Auto block brute force IPs
« Reply #1 on: 2014-09-08, 17:20:12 »
Yes, we have a custom module for CSF that blocks brute force on mailserver, we are a hosting company ;)
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline fossxplorer

Re: Auto block brute force IPs
« Reply #2 on: 2014-09-08, 22:56:54 »
I.e., you have created a module with "custom logs" which scans your logs and blocks failed attempts?


Kloxo-MR!

Offline johnnyto1979

Re: Auto block brute force IPs
« Reply #3 on: 2014-09-09, 14:49:31 »
Hi.
Fail2ban .. easy way
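
The check asked about in this thread (block an address after about 5 "vpopmail user not found" lines), sketched as an added example; it is not part of any post, not chrisf's CSF module and not fail2ban's own code. The function name, the 10-minute window, the allow list and the year parameter are assumptions, and the sample lines are constructed in the format of the log above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure line format from the post. The user name is attacker-controlled, so the
# address is taken only from the end of the line, where the log above shows it.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: "
    r"vchkpw-\w+: vpopmail user not found .*:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_offenders(lines, max_failures=5, window_seconds=600, allow=(), year=2014):
    """Return {ip: time the threshold was reached} for IPs to hand to the firewall."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if not m:
            continue  # tcpserver status lines and everything else are ignored
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if ip in allow:
            continue  # never block own monitoring or office addresses
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(ip, ts)
    return offenders

# Constructed sample in the post's format (documentation address ranges).
SAMPLE = """\
Sep  7 20:42:16 mail pop3: 1410115336.703777 tcpserver: pid 30642 from 203.0.113.7
Sep  7 20:42:17 mail vpopmail[30643]: vchkpw-pop3: vpopmail user not found a@:203.0.113.7
Sep  7 20:42:17 mail vpopmail[30645]: vchkpw-pop3: vpopmail user not found b@:203.0.113.7
Sep  7 20:42:18 mail vpopmail[30649]: vchkpw-pop3: vpopmail user not found c@:203.0.113.7
Sep  7 20:42:18 mail vpopmail[30650]: vchkpw-pop3: vpopmail user not found x@:192.0.2.1@:198.51.100.9
Sep  7 20:42:19 mail vpopmail[30655]: vchkpw-pop3: vpopmail user not found d@:203.0.113.7
Sep  7 20:42:20 mail vpopmail[30661]: vchkpw-pop3: vpopmail user not found e@:203.0.113.7
Sep  7 20:55:00 mail vpopmail[30700]: vchkpw-pop3: vpopmail user not found f@:198.51.100.9
"""

if __name__ == "__main__":
    print(find_offenders(SAMPLE.splitlines()))
```

The fifth sample line carries an address inside the user name; because the pattern is anchored at the end of the line, only the connecting address is counted.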
