2

I am getting brute forced on my email server, IMAP and POP3. I have the full package of ASL installed but it just sends me the OSSEC logs. How can I ban the IP?

I thought ASL automatically blocked these attacks after a few wrong tries. How can I do that?

chmeee
Saif Bechan

3 Answers

5

fail2ban will do the trick.

http://www.howtoforge.com/fail2ban_debian_etch

have fun.

The Unix Janitor
4

If your kernel has support for iptables recent (most do), something like the following will allow 6 connections in 60 seconds, and then drop the connections from that IP address. Rather than writing a ton of rules to block varying IPs, you could do that.

# -I inserts at the head of INPUT, so after these four commands each DROP rule
# sits above its matching --set rule and is evaluated first.
# IMAP: record the source of every new connection, drop a source once it has
# made 6 new connections within 60 seconds
iptables -I INPUT -p tcp --dport imap -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport imap -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP
# POP3: same pair of rules
iptables -I INPUT -p tcp --dport pop3 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport pop3 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

alternatively if it was just one IP:

iptables -I INPUT -s 1.2.3.4/32 -j DROP

should do a quick and dirty drop of that IP

  • What happens if I send you a SYN flood? – The Unix Janitor Apr 11 '10 at 23:26
  • If you're under a DDOS, then you'll want to alter your firewall rules to be relatively strict. With a synflood, you could turn on syncookies, which breaks TCP, but, can sometimes protect a server. The rules above would stop someone from bruteforcing POP3/IMAP, but, wouldn't stop a synflood. You might start using something like shorewall and go with a hardened configuration, and then tweak things back to saner settings after you've analyzed what is still coming through. –  Apr 12 '10 at 05:27
  • SYN cookies break TCP? Why is that? I think you misunderstand: your rules would possibly block a lot of IPs if you were under a SYN flood. So your rules become a potential security problem. – The Unix Janitor Apr 12 '10 at 12:05
  • If you're receiving a synflood in addition, then you need additional rules. Your original question was how do you ban 'the' IP. You can use a drop rule to ban 'the' IP. I suggested a solution I prefer over fail2ban. If you are getting a synflood, write rules to ratelimit synpackets or turn on syncookies. Syncookies break tcp windowing which may or may not be important to your installation. –  Apr 12 '10 at 13:20
  • If you rate limit SYNs then won't you be dropping good traffic as well as hostile traffic? +1 for syncookies breaking TCP windowing, I've not heard of that. So what I can see is there is no real solution to SYN floods. – The Unix Janitor Apr 12 '10 at 14:55
2

You have to enable active response on OSSEC for it to work. Check your ossec.conf to see if it is enabled there.

The problem with the iptables solution is that it has no application knowledge, so a successful login can still get blocked.

sucuri
  • +1 If ossec is correctly configured with active response then fail2ban or rate-limiting connections are overkill and not a good response to this problem. – WheresAlice Apr 12 '10 at 14:27
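To make the "no application knowledge" point concrete, and to show what fail2ban from the first answer (or OSSEC active response) actually does with the mail log, here is an added illustration that is not part of the original thread and not fail2ban's or OSSEC's code. It replays constructed Dovecot-style imap-login/pop3-login lines through two policies: a log-aware one, where only failed logins count toward maxretry within findtime and (a deliberate choice in this illustration) a successful login wipes that address's failure history, and a connection-rate one that approximates the -m recent rules from the iptables answer, where every new connection counts whether the password was right or not. The log format, the addresses and the timings are assumptions made up for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Dovecot-style log lines (sample input, not taken from the original
# post): 203.0.113.7 is a fast brute forcer, 203.0.113.9 a slow one (one try
# every 30 s), 192.0.2.20 a legitimate user who mistypes a password twice, then
# logs in and keeps polling the mailbox.
SAMPLE_LOG = """\
Apr 12 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr 12 10:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr 12 10:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Apr 12 10:00:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Apr 12 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr 12 10:00:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<webmaster>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Apr 12 10:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Apr 12 10:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, TLS
Apr 12 10:00:22 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, TLS
Apr 12 10:00:25 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4711, TLS
Apr 12 10:00:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4712, TLS
Apr 12 10:00:35 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4713, TLS
Apr 12 10:00:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4714, TLS
Apr 12 10:00:45 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4715, TLS
Apr 12 10:00:45 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Apr 12 10:01:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Apr 12 10:01:45 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Apr 12 10:02:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Apr 12 10:02:45 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
"""

YEAR = 2010  # syslog timestamps carry no year; any fixed year works for deltas

# Dovecot logs a failed attempt as "Disconnected (auth failed, ...)" and a
# successful one as "Login: user=<...>"; both carry the client address in rip=.
FAIL_RE = re.compile(r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, .*?rip=(?P<ip>[0-9a-f.:]+)")
OK_RE = re.compile(r"dovecot: (?:imap|pop3)-login: Login: .*?rip=(?P<ip>[0-9a-f.:]+)")


def parse(line):
    """Return (timestamp, client_ip, failed) for a login line, else None."""
    m = FAIL_RE.search(line) or OK_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=YEAR)
    return ts, m.group("ip"), m.re is FAIL_RE


def sliding_window_blocks(lines, threshold, seconds, log_aware):
    """Block an IP once it has `threshold` events within the last `seconds`.
    log_aware=True counts only failed logins and resets on success;
    log_aware=False counts every connection, like `-m recent` does."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}                  # ip -> time the block decision was made
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, failed = rec
        if ip in blocked:
            continue
        q = recent[ip]
        if log_aware and not failed:
            q.clear()             # the password was right: wipe the slate
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # evict events older than the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def log_aware_bans(lines, maxretry=6, findtime=60):
    """fail2ban/OSSEC-style decision from the mail log."""
    return sliding_window_blocks(lines, maxretry, findtime, log_aware=True)


def connection_rate_drops(lines, hitcount=6, seconds=60):
    """Approximation of what the `-m recent --hitcount 6 --seconds 60` rules see."""
    return sliding_window_blocks(lines, hitcount, seconds, log_aware=False)


def ban_commands(banned):
    """The quick-and-dirty drop rule from the iptables answer, one per banned IP."""
    return [f"iptables -I INPUT -s {ip}/32 -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("log-aware bans:      ", log_aware_bans(lines))
    print("connection-rate drops:", connection_rate_drops(lines))
    for cmd in ban_commands(log_aware_bans(lines)):
        print(cmd)
```

Replaying the sample, the log-aware policy bans only 203.0.113.7; the connection-rate policy also drops 192.0.2.20 at 10:00:40, because alice's mail client made six connections within 60 seconds even though five of them logged in successfully. Neither policy catches 203.0.113.9 with a 60 second window (it never has more than three attempts inside it); raising findtime to 300 seconds does, which is why the window length deserves as much thought as the retry count.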