On 2010-11-25, Udo Rader wrote:
> Hi,
>
> in the past couple of days we have been somewhat hit by quite a lot of
> brute force SASL related attacks.
>
> I've now adapted fail2ban to catch those attacks, but I am wondering how
> others fight those attacks.
>
> Maybe there is something similar to an RBL for brute force attacks?
I have some scripts configured to detect and drop these hosts. If you're
running Linux with ipsets compiled properly (some distros do, some distros
don't...) I have a relatively simple configuration that makes selectively
dropping traffic quite easy, and quite painless to do from scripts.

  # at boot, create blackhole and lan sets:
  ipset -N blackhole_ips iptree --timeout 900
  ipset -N lan_nets nethash
  ipset -A lan_nets 10.0.0.0/8    # add whatever local nets you need
  ipset -A lan_nets 127.0.0.0/8

  # drop anything that's blackholed, whitelisting anything local
  # (source address must be in blackhole_ips and must NOT be in lan_nets):
  iptables -A INPUT -m set --set blackhole_ips src -m set ! --set lan_nets src -j DROP

Then you can script whatever you're using to catch brute force attacks to
do this command:

  ipset -A blackhole_ips $ip

Change --timeout above to change how long to drop their traffic for. The
IPs will disappear automatically from the blackhole set after the timeout
expires; this is all managed by the netfilter layer in the kernel, so you
don't have to run any daemons beyond your log parser.

-- 
Regards,
Stephen Thorne
Development Engineer
Netbox Blue
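An added example of the "log parser" side that the reply leaves to the reader; it is not part of Stephen's post. It counts SASL authentication failures per client IP in Postfix-style smtpd log lines (the sample lines, the threshold and the DRY_RUN switch are constructed assumptions) and emits the `ipset -A blackhole_ips` command for each offender, so the ipset/iptables setup above does the actual dropping.

```shell
#!/bin/sh
# Constructed sample log lines (RFC 5737 documentation addresses), standing in
# for what a cron job would read from the mail log.
SAMPLE_LOG='Nov 25 10:01:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov 25 10:01:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov 25 10:01:04 mx postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Nov 25 10:01:05 mx postfix/smtpd[1236]: warning: host.example[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Nov 25 10:01:06 mx postfix/smtpd[1237]: connect from unknown[203.0.113.5]'

# sasl_offenders THRESHOLD
# Prints one client IP per line that has at least THRESHOLD SASL failures.
# Only "SASL <mech> authentication failed" lines are counted; the IP is the
# bracketed address right before ": SASL".
sasl_offenders() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'SASL [A-Z-]* authentication failed' \
      | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# blackhole_offenders THRESHOLD
# Feeds each offender into the blackhole set from the reply above. DRY_RUN=1
# (the default here, an assumption so the example runs without root or ipset)
# prints the command instead of executing it; the set's own --timeout expires
# the entry, so nothing has to be removed later.
blackhole_offenders() {
    sasl_offenders "$1" | while read -r ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ipset -A blackhole_ips $ip"
        else
            ipset -A blackhole_ips "$ip"
        fi
    done
}
```

With the samples above, a threshold of 3 singles out 203.0.113.5 while the single failure from 198.51.100.7 is left alone.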