On 06.04.2013 22:55, Max Pyziur wrote:
> On Sat, 6 Apr 2013, Reindl Harald wrote:
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
>>
>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
>>
>> * add the IP to a distributed "iptables-block.sh" and distribute
>> it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
>
> Thinking tangentially to this proposal, are there blacklists (BLs) maintained
> regarding known IPs perpetrating attempts at pop/imap intrusions, much in the
> same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html)
> does for ssh (primarily)?
>
> That way, you leave your iptables configuration status quo, and create a
> mechanism to use the resource (the BLs) to populate your /etc/hosts.deny
> file, using tcp_wrappers to prevent intrusion/brute force attacks on
> services that have open ports in the firewall
i don't know but in fact i do not want to rely on automatisms and blacklists

sometimes i recognize a dictionary attack because "tail -f" on the mailserver
is running in the background and after coming back from a cigarette break i
look a minute at the output and if i see attacks i add the IP after a whois
to "iptables-block.sh"

so i do not want to rely on automagic and if some IP is added to whatever
blacklist hours or days later, i want simply a one-time mail notify to look
NOW in maillog and take action or ignore it depending on the count and source

if it is some ISP from a country far away -> block it
if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (Austria) -> only abuse mail to the ISP
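The kind of log filter the quoted question asks for, as an added example that is not from any participant in this thread: it aggregates failed POP/IMAP/SMTP-AUTH logins per source IP and builds the one-time notification text with the IPs and counts, leaving the decision (whois, block, abuse mail) to the admin. The dovecot `imap-login`/`pop3-login` "auth failed" disconnect lines and the postfix `smtpd` SASL failure lines are assumed shapes and the sample log is constructed with documentation IP ranges; the regexes, the threshold and the `already_notified` state handling are choices of this example, not anything from the thread.

```python
#!/usr/bin/env python3
"""Scan a mail log for failed POP/IMAP/SMTP-AUTH logins, aggregate them per
source IP and produce a one-time notification listing the IPs to look at."""
import re
from collections import Counter, defaultdict

# Assumed line shapes (dovecot imap/pop3-login disconnect lines and postfix
# smtpd SASL failures); adjust to whatever your own maillog actually contains.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*auth failed, (?P<n>\d+) attempts"
    r".*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)
USER_RE = re.compile(r"user=<([^>]*)>")
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample log (documentation IP ranges), not a real maillog.
SAMPLE_LOG = """\
Apr  6 22:01:11 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Apr  6 22:01:20 mx dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 3 secs): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Apr  6 22:02:02 mx postfix/smtpd[4321]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Apr  6 22:02:05 mx postfix/smtpd[4321]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Apr  6 22:03:00 mx dovecot: imap-login: Login: user=<harald>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, TLS
Apr  6 22:03:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
"""


def count_failures(lines):
    """Return (Counter ip -> failed attempts, dict ip -> set of usernames tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            ip = m.group("ip")
            counts[ip] += int(m.group("n"))  # dovecot sums attempts per connection
            u = USER_RE.search(line)
            if u:
                users[ip].add(u.group(1))
            continue
        m = POSTFIX_RE.search(line)
        if m:
            counts[m.group("ip")] += 1       # postfix logs one line per failed attempt
    return counts, users


def suspects(counts, threshold):
    """IPs with at least `threshold` failures, worst first."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


def build_notice(counts, users, threshold, already_notified=frozenset()):
    """Mail body for IPs not yet reported; empty string means nothing to send.
    Persisting `already_notified` between runs (e.g. a state file) is what
    turns this into a one-time alert instead of a repeat on every cron run."""
    new = [ip for ip in suspects(counts, threshold) if ip not in already_notified]
    if not new:
        return ""
    lines = [f"possible dictionary attack(s), {threshold}+ failed logins:", ""]
    for ip in new:
        tried = ", ".join(sorted(users.get(ip, ()))) or "-"
        lines.append(f"{ip:<40} {counts[ip]:>5} failures  users: {tried}")
    lines += ["", "check /var/log/maillog now; whois the IP before deciding "
                  "whether to block it or mail the ISP."]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    c, u = count_failures(log_lines)
    print(build_notice(c, u, threshold=5) or "nothing to report")
```

Run from cron against the current log slice and pipe any non-empty output into `mail -s`; the dovecot counts use the "N attempts" figure the server already reports, so the threshold counts attempts rather than connections.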