
Fail2ban with Communigate


Niall O Broin

Jan 4, 2012, 6:23:08 AM
I happened to be investigating another problem on a CGP server today when I noticed a lot of attempts from an Italian DSL IP to brute force POP accounts. I then noticed that I was seeing lines like

23:59:59.222 1 POP-736066([62.205.6.195]) failed to open 'samba'. Connection from [62.205.6.195]:4467. Error Code=unknown user account
23:59:59.223 1 POP-736066([62.205.6.195]) [62.205.6.195] temporarily blocked on login failure

followed immediately by yet another attempt on a different account from the same IP - am I misunderstanding what temporarily blocked means?

The number of error messages concerning this IP was really cluttering up my log file (nearly 50% of log entries from yesterday were about this IP, greater than 50% of those today are), so I then entered it into the denied IPs list, but that doesn't completely solve the log clutter problem, as the connection attempts are still logged (I log at 'Problems'), so I guess the answer is to just firewall off the IP.

So that brings us to the question - have any of you used fail2ban with Communigate? If so, would you care to share your config to save me some regex wrangling time?

Kindest regards,

Niall O Broin

#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGat...@mail.stalker.com>.
To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
Send administrative queries to <CGatePro...@mail.stalker.com>
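A filter along the lines asked for above, as an added example that is not from the thread, from CommuniGate or from the fail2ban project: the failregex is written with fail2ban's <HOST> placeholder against the POP failure line quoted in the post, and the Python around it expands that placeholder and replays the quoted log format through the same maxretry/findtime trigger fail2ban applies, so the pattern can be checked offline. The filter file name and fail2ban's own timestamp handling (its datepattern) are assumptions to verify against the installed version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex for the CommuniGate Pro POP lines quoted in the
# post.  fail2ban expands the <HOST> placeholder itself; here it is expanded
# by hand to an IPv4 group so the pattern can be tested with plain `re`.
# (fail2ban's own timestamp handling is left to its datepattern setting.)
FAILREGEX = (r"POP-\d+\(\[<HOST>\]\) failed to open '[^']*'\. "
             r"Connection from \[[0-9.]+\]:\d+\. Error Code=unknown user account$")
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\d+\s+"
                     + FAILREGEX.replace("<HOST>", HOST))

# Constructed sample log: five failed logins from the IP in the post and one
# typo from a legitimate user (192.0.2.7 is a documentation address).
SAMPLE_LOG = """\
23:58:01.222 1 POP-736066([62.205.6.195]) failed to open 'samba'. Connection from [62.205.6.195]:4467. Error Code=unknown user account
23:58:01.223 1 POP-736066([62.205.6.195]) [62.205.6.195] temporarily blocked on login failure
23:58:02.101 1 POP-736067([62.205.6.195]) failed to open 'admin'. Connection from [62.205.6.195]:4468. Error Code=unknown user account
23:58:03.004 1 POP-736068([192.0.2.7]) failed to open 'jsmith'. Connection from [192.0.2.7]:51002. Error Code=unknown user account
23:58:03.410 1 POP-736069([62.205.6.195]) failed to open 'test'. Connection from [62.205.6.195]:4469. Error Code=unknown user account
23:58:04.880 1 POP-736070([62.205.6.195]) failed to open 'guest'. Connection from [62.205.6.195]:4470. Error Code=unknown user account
23:58:05.512 1 POP-736071([62.205.6.195]) failed to open 'info'. Connection from [62.205.6.195]:4471. Error Code=unknown user account
"""

def parse_failures(lines):
    """Yield (time, host) for every line the failregex matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("time"), "%H:%M:%S"), m.group("host")

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Mimic fail2ban's trigger: a host is banned once it accumulates
    `maxretry` matches inside a sliding window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), []
    for when, host in parse_failures(lines):
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))  # ['62.205.6.195']
```

The "temporarily blocked" line deliberately does not match, so CGP's own blocking notices never count as extra failures; only the initial login failures do.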

Nicolas Hatier

Jan 4, 2012, 1:35:46 PM
This script could help:
http://www.niversoft.com/products/cgscripts/#dictionary_attack

Instead of using fail2ban, it uses CGP's own settings to block attacks.

Regards
Nicolas Hatier

Nicolas Hatier, ing. <nicolas...@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com

Niall O Broin

Jan 4, 2012, 7:28:02 PM
On 4 Jan 2012, at 18:35, Nicolas Hatier wrote:

> This script could help:
> http://www.niversoft.com/products/cgscripts/#dictionary_attack
>
> Instead of using fail2ban, it uses CGP's own settings to block attacks.

Yes, but that will have the same problem as manually adding an address to the blacklist, no? i.e. CGP will still log the attempted connection, thus cluttering the logs. I'd prefer to use fail2ban to completely block the IP from the server, esp. since fail2ban is running on the server anyway.

Juergen P. [core]

Jan 4, 2012, 7:31:04 PM
/sbin/route add -net xx.xx.xx.xx netmask 255.255.255.0 reject
/sbin/route add -host xx.xx.xx.xx reject

:-)

--
Best Regards

Juergen

VOIP / SIP / IM: juer...@core.at
TEL: +43 676 30 592 44 / +43 1 236 46 60 101