
Thread: Moderating Brute force attacks to smtp auth

  1. #1

    Moderating Brute force attacks to smtp auth

    Hi

    I used this to automatically block brute force dictionary smtp auth attacks to my smtp server:

    # --line-buffered on grep and fflush() in awk stop them buffering their output when
    # piped (without them the ipfw rules only appear after a few KB of matches have queued up)
    tail -f /var/log/exim/rejectlog \
      | grep --line-buffered "535 Incorrect authentication data" \
      | grep --line-buffered "set_id=email@attackeddomain.com" \
      | awk '{ gsub(/\[/,""); gsub(/\]:/,""); print $8; fflush() }' \
      | xargs -I'{}' /sbin/ipfw add 40000 deny ip from {} to me

    The tail -f feeds it the rejects as they happen,
    the first grep narrows it down to failed auth attempts,
    the second grep is optional and isolates a specific account that was being attacked,
    the awk removes the []: from the IP (column 8) (there may be a better regex, I'm no master),
    and xargs feeds it to ipfw to block.

    I just run this in a "screen" session and then disconnect, so I can go back later to see what it's been doing.

    You of course need to clean this up from time to time, as most attacks come from dynamic IP zombies: just delete all the ipfw rules at 40000, then run the script again.

    Good luck!
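As an added example (not code from the original post): the same idea as a single streaming filter that counts failed AUTH attempts per source address and emits the address exactly once, the moment it reaches a threshold. That goes beyond the post's one-liner, which fires on the very first failure (so a legitimate user who mistypes a password once gets firewalled) and adds a new ipfw rule for every further line from the same host. The rejectlog lines, threshold and rule number below are constructed for the demo; the field layout assumed (field 8 is "[ip]:") is the one the post's awk relies on.

```shell
#!/bin/sh
# Added example, not from the forum post. Streaming brute-force blocker for
# Exim AUTH failures with a per-IP threshold and no duplicate rules.

# Constructed sample of /var/log/exim/rejectlog (not real log data).
# Field 8 of the "535" lines is "[ip]:", as the post's awk assumes.
SAMPLE_LOG='2012-06-20 10:01:02 login authenticator failed for (xyz) [192.0.2.10]: 535 Incorrect authentication data (set_id=email@attackeddomain.com)
2012-06-20 10:01:05 login authenticator failed for (xyz) [192.0.2.10]: 535 Incorrect authentication data (set_id=email@attackeddomain.com)
2012-06-20 10:01:09 login authenticator failed for (abc) [198.51.100.7]: 535 Incorrect authentication data (set_id=other@attackeddomain.com)
2012-06-20 10:01:12 login authenticator failed for (xyz) [192.0.2.10]: 535 Incorrect authentication data (set_id=email@attackeddomain.com)
2012-06-20 10:02:00 H=mail.example.net [203.0.113.5] F=<a@b.example> rejected RCPT <c@d.example>: relay not permitted'

# block_on_threshold MIN
#   Reads rejectlog lines on stdin (e.g. from "tail -f"), prints a source IP
#   exactly once, when its MIN-th "535 Incorrect authentication data" line is
#   seen. Later failures from the same IP are counted but not re-emitted, so
#   the ipfw rule set never gets duplicates. fflush() keeps awk from buffering
#   behind a pipe, which matters when the input is tail -f.
block_on_threshold() {
    awk -v min="$1" '
        /535 Incorrect authentication data/ {
            ip = $8
            gsub(/\[|\]:/, "", ip)          # "[192.0.2.10]:" -> "192.0.2.10"
            if (++fails[ip] == min) { print ip; fflush() }
        }'
}

# ipfw_commands RULE_NUM
#   Turns IPs on stdin into the ipfw command the post uses. It prints the
#   command instead of running it, so this is a dry run; pipe into "sh" (as
#   root) to actually install the rules.
ipfw_commands() {
    while IFS= read -r ip; do
        printf '/sbin/ipfw add %s deny ip from %s to me\n' "$1" "$ip"
    done
}

# Demo: run as "sh blocker.sh --demo" to see what would be blocked at threshold 3.
# Live use: tail -f /var/log/exim/rejectlog | block_on_threshold 3 | ipfw_commands 40000 | sh
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | block_on_threshold 3 | ipfw_commands 40000
fi
```

With the constructed sample, threshold 3 yields a single rule for 192.0.2.10; 198.51.100.7 failed only once and the relay-rejection line is ignored because it is not an AUTH failure. Clearing the rules is the same as in the post: `ipfw delete 40000` removes every rule at that number, after which the filter's in-memory counters should be reset by restarting it.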

  2. #2
    Why don't you just use the integrated BFM with iptables integration (or CSF)?

    Regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  3. #3
    ipfw for FreeBSD then... the HowTo for FreeBSD is available here http://www.directadmin.com/forum/sho...t=42202&page=1

  4. #4
    Thanks Alex for the correction, I didn't realize I was in the FreeBSD section.

    Regards
    SeLLeRoNe - Andrea Iannucci
