From: Dimitri Yioulos <dyioulos@onpointfc.com>
To: netfilter <netfilter@vger.kernel.org>
Subject: Dropping brute force attacks
Date: Thu, 10 Jan 2013 13:55:12 -0500
Message-ID: <201301101355.12763.dyioulos@onpointfc.com>
Hello, all, and Happy New Year.

A few weeks ago I added a post about how to tweak the set up
of rules to drop the IP addresses of machines trying to do
a brute force login via ipop3d. What I've noticed is that
few, if any, addresses are being dropped. Fortunately, I
have fail2ban installed on our mail server, so the attacks
are being blunted. Still, I'd like to cut these attacks
off at the pass, so to speak. With your kind indulgence,
allow me to provide information on my set-up again so that
perhaps someone can help me get this working properly.

Our mail server sits in a DMZ; NAT and Forward rules are in
place to make the mail server work (and it does, very
well). So, what I did was set the Forward rules to jump to
a chain I created called "block_email_brute" (the name
sucks, but, hey). Here are the rules:
block_email_brute  tcp  --  anywhere  server.mydomain.com  tcp dpt:pop3
block_email_brute  tcp  --  anywhere  server.mydomain.com  tcp dpt:smtp

And here are the rules in the "block_email_brute" chain:

         tcp  --  anywhere  server.mydomain.com  tcp dpt:pop3 state NEW recent: SET name: DEFAULT side: source
LOG      tcp  --  anywhere  server.mydomain.com  tcp dpt:pop3 state NEW recent: UPDATE seconds: 60 hit_count: 6 TTL-Match name: DEFAULT25 side: source LOG level info prefix `Anti Email Bruteforce: '
DROP     tcp  --  anywhere  server.mydomain.com  tcp dpt:pop3 state NEW recent: UPDATE seconds: 60 hit_count: 6 TTL-Match name: DEFAULT side: source
         tcp  --  anywhere  server.mydomain.com  tcp dpt:smtp state NEW recent: SET name: DEFAULT25 side: source
LOG      tcp  --  anywhere  server.mydomain.com  tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 6 TTL-Match name: DEFAULT25 side: source LOG level info prefix `Anti Email Bruteforce: '
DROP     tcp  --  anywhere  server.mydomain.com  tcp dpt:smtp state NEW recent: UPDATE seconds: 60 hit_count: 6 TTL-Match name: DEFAULT25 side: source
ACCEPT   tcp  --  anywhere  anywhere             tcp flags:SYN,RST,ACK/SYN
ACCEPT   tcp  --  anywhere  anywhere             tcp state RELATED,ESTABLISHED

I realize that port 110 is the one being attacked, but I
added 25 just for good measure.
I hope the above information is clear and complete enough.
Your help is greatly appreciated.
Dimitri
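To show how the chain above counts attempts, here is an added simulation of the xt_recent --set/--update semantics the rules rely on (constructed for this thread; not code from the post or from netfilter). It replays NEW POP3 connection attempts through the rules as listed, where the POP3 LOG rule names the DEFAULT25 list while its SET and DROP rules use DEFAULT, and through the same chain with one list name throughout; source addresses and timings are constructed.

```python
"""Constructed model of xt_recent --set/--update as used by the posted chain;
not iptables.  Replays NEW attempts (src, t) through (mode, list, target)
rules.  TTL matching (--rttl) and the per-address stamp limit are left out."""
from collections import defaultdict

SECONDS, HITCOUNT = 60, 6  # values from the posted rules

class RecentList:
    """One named xt_recent list: per-source packet timestamps."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: always record the packet and match."""
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds S --hitcount N: match only if src is already
        listed with >= N stamps in the last S seconds; record it on match."""
        if src not in self.stamps:
            return False
        if sum(1 for t in self.stamps[src] if now - t <= seconds) < hitcount:
            return False
        self.stamps[src].append(now)
        return True

# POP3 rules as listed in the post: the LOG rule names the DEFAULT25 list,
# while the SET and DROP rules use DEFAULT.
POP3_AS_POSTED = [("set", "DEFAULT", None), ("update", "DEFAULT25", "LOG"),
                  ("update", "DEFAULT", "DROP")]
# Same chain with every rule pointing at the DEFAULT list.
POP3_ONE_LIST = [("set", "DEFAULT", None), ("update", "DEFAULT", "LOG"),
                 ("update", "DEFAULT", "DROP")]

def run_chain(rules, packets):
    """Return (verdict, logged) per NEW packet; lists are shared by the rules."""
    lists, out = defaultdict(RecentList), []
    for src, now in packets:
        verdict, logged = "ACCEPT", False   # falls through to the ACCEPT rules
        for mode, name, target in rules:
            lst = lists[name]
            hit = lst.set(src, now) if mode == "set" else lst.update(src, now)
            if hit and target == "LOG":
                logged = True               # LOG is non-terminating
            elif hit and target == "DROP":
                verdict = "DROP"
                break
        out.append((verdict, logged))
    return out
```

Because the rules match state NEW, the model counts TCP connection attempts per source address, so several login attempts inside one established POP3 session register as a single hit.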