| To: | qmail@list.cr.yp.to |
|---|---|
| Subject: | Re: POP3 password scanning |
| From: | Nick Leverton <nj@leverton.org> |
| Date: | Fri, 26 Jan 2007 10:39:25 +0000 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | gmail-qmail@securepoint.com |
| Delivered-to: | sp.com.list@gmail.com |
| Delivered-to: | mailing list qmail@list.cr.yp.to |
| In-reply-to: | <20070125142447176214.67bfc7a3@strangecode.com> |
| Mailing-list: | contact qmail-help@list.cr.yp.to; run by ezmlm |
| Organization: | The Warren |
| References: | <20070125142447176214.67bfc7a3@strangecode.com> |
| User-agent: | KMail/1.9.5 |

On Thursday 25 January 2007 22:24, Quinn Comendant wrote:
> There was a robot running on 24.220.50.36 scanning all usernames looking
> for valid user/pass pairs. I thought a good solution to this would be to
> add a configuration to fail2ban (we use it for stopping ssh scanning)
> which will block the IP with iptables if it detects too many failed
> password attempts.

...snips...

> These are md5-digest (I think) password failures, followed by plaintext
> password success. These are all honest valid users, and it is normal.

I know fail2ban has a configurable number of failures before it'll ban the IP. I have it installed but I'm not running it yet :) Does it reset its counter on a successful login? If so then just leave maxfailures in fail2ban.conf as something greater than 2.

Nick