Re: Host attempting to log in constantly via POP3

From: Carlos Moreno (moreno_at_mochima_dot_com_at_xx.xxx)
Date: 03/01/04


Date: Sun, 29 Feb 2004 18:37:05 -0500

Jem Berkes wrote:
>>My logs show some computer attempting to log into my Linux server via
>>POP3 every 5-10 seconds using the same userid. Apparently they do not
>>have the password so the attempts always fail. There have been about
>>100,000 attempts this month.
>>
>>The IP address changes about every 10 minutes, but each is a
>>dsl.snfc21.pacbell.net address. So I suspect it is logging on then
>>off a PPPOE connection.
>>
>>When I run nmap -v -sS -O -F <ipaddress>, all ports show filtered.
>>The login attempts stop during the nmap run then resume when the run
>>is complete.
>>
>>Q: Do you have any suggestions on blocking or identifying this
>>computer?
>
>
> The IP addresses will probably be within the same class B (that is, first
> two bytes of IP are same while last two bytes change). You can block this
> entire range using netfilter on linux 2.4 using CIDR notation, IP/16

But I don't think that's a good idea. That may end up blocking a
lot of legitimate connections.

I believe the best thing to do is to report the abuse to your service
provider or hoster, and to the service provider of that address, so
that they take appropriate measures.

You could try (if this is an option at all) turning off your POP3
service for a period of several hours or an entire day, and see if
they give up.

I wonder if portsentry or similar products have the capability of
solving your problem -- you can configure them so that whenever an
IP attempts connecting to a port that is not listening, they add
an iptables rule, thus blocking completely the IP (and I think it
can be configured so that it blocks it for a configurable period,
e.g., a few hours). I wonder if it would be possible to block
IP's that attempt to login via POP3 and fail.

If you are willing to go down and use your hacking skills, you
could write a program that listens for POP3 connections (on a
different port) and detects the condition and blocks the IP by
running iptables; the program simply acts as a repeater, and
you use iptables port redirecting such that any incoming connection
from the outside world to your port 110 is redirected to whatever
port your program is listening on. Your program will then
connect to local port 110, and iptables will not do port
redirection when the connection comes from the interface lo.

Complicated, huh? I bet there's a way to do it with standard
tools, but being a programmer myself, I'd go for having the fun
to write my own program! :-) (no, this is not an official
offer to volunteer for writing such a program for you :-))

Carlos

--


Relevant Pages

  • Re: portknocking question
    ... This is nice but still requires closing the port as a step when done. ... you can use a time out with the relevant iptables command ... You can easily close the connection automatically. ... In that example, any existing ssh connection, for example, will continue ...
    (Ubuntu)
  • Re: Help Needed: My RHEL5 box suddenly stopped accepting e-mails
    ... Here is the output of the 'iptables status' ... try telnetting to port 25 from off-host again. ... If you get the sendmail herald, ... until you get a "Connection refused" response. ...
    (RedHat)
  • iptables and ftp problems via masquerading
    ... Connection failed XXX.XXX.XXX.XXX - connection timed out ... 530 Only client IP address allowed for PORT command. ... i've setup my iptables firewall script to allow masquerading, ... $IPTABLES -A BLOCK -j DLOG ...
    (comp.os.linux.security)
  • Re: Host attempting to log in constantly via POP3
    ... IP attempts connecting to a port that is not listening, ... an iptables rule, thus blocking completely the IP (and I think it ... IP's that attempt to login via POP3 and fail. ... you use iptables port redirecting such that any incoming connection ...
    (comp.security.unix)
  • Re: Host attempting to log in constantly via POP3
    ... IP attempts connecting to a port that is not listening, ... an iptables rule, thus blocking completely the IP (and I think it ... IP's that attempt to login via POP3 and fail. ... you use iptables port redirecting such that any incoming connection ...
    (comp.os.linux.security)