General :: How To Stop Pop3 Brute Force Attacks

Mar 31, 2011

I have a mail server running RHEL, with postfix, dovecot, etc. I installed Fail2ban and this works wonders against SSH brute force attacks. It'll ban an IP address for a period of time if it unsuccessfully attempts to log on 3 times within, say a minute. I was wondering if it can be as effective with pop3 attacks. If it is, how can I get it done?

View 1 Replies


Ubuntu Servers :: Iptables To Rate-limit Brute Force Attacks On SSH Server?

Sep 30, 2010

I have a SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just can't get it to work: [URL]

I want the debian-administration.org tutorial to work but when I try to add the first rule in terminal:

sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

I get the following:

Bad argument --set'

I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.

View 6 Replies View Related

Security :: My Server - Deb5 And Plesk10 - Is Involved - Causing - In Brute Force Attacks

May 6, 2011

I am ashamed that I am causing other people troubles, but apparently my server is involved in attacking the servers of other people.

I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.

Now I have received messages from the datacenter, which state that my server is involved in brute force attacks.

The messages show a lot of lines like this:

Code:

The only I get from my hoster is to back up all domains and re-install the machine.

I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.

But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?

I realize that this probably will be a steep learning-curve, but please bear with me and help me to resolve this.

What have I done so far?

1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.

2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.

3) I have used online scanners to check all sites for malware, all have been reported back to be clean.

4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:

Code:

I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.

View 14 Replies View Related

Ubuntu Security :: Brute Force Program With Gui?

Nov 8, 2010

I'm looking for a good brute force program that has a GUI. I used to use Brutus on Windows but now I'm only running Ubuntu so I need to find one.

View 3 Replies View Related

Security :: THC Hydra And HTTP Brute-force Cracking?

Mar 29, 2011

I set up an ASUS WL-500gP with original ASUS firmware to my LAN with IP address 192.168.1.1. If I navigate to address [URL] in my Firefox address bar, an Authentication required window opens up asking for "User name: " and "Password: ". Correct "User name: " is "admin" and correct "Password: " is "pA55w0Rd". They work fine if I type them in manually to the Authentication required window, but for some reason I can't get in using the hydra with words.txt password file, which contains "pA55w0Rd":

Code:

[root@ ~]# cat words.txt
password
user
pA55w0Rd

[code]....

View 2 Replies View Related

Security :: John The Ripper Brute-force Attack And Multi-core Processors?

Feb 19, 2010

In my Open-Suse server I have a script, where makepasswd output (by default it generates similar passwords: cGyTbqpr, tpJ1LA, 33EXdo) is redirected to mkpasswd (which uses DES by default) in order to generate salted hash of this previously generated password. I would like to test the strength of this system. I have a quad core CPU, and if I start John The Ripper like this (I want to use -incremental:all flag):

john -incremental:all passwd

..only one core is utilized at 100%. Is there a possibility to make all four cores to crack this password? Or is this possible only after reprogramming John The Ripper? Or what is the algorithm for generating passwords with -incremental:all flag? I mean if John generates passwords randomly in brute-force mode, then it's smart to start four different John processes simultaneously because then one of those four will find the password firs

View 2 Replies View Related

General :: Secure Box - Authentication Failure - Long Strong Password Can Stop To Prevent From Attacks?

Mar 17, 2010

We are using Linux email server Axigen past few years. We keep port open ssh and pop, smtp, webmail etc. Ssh use for remote trouble shooting, so through firewall it is globally accessible. We notice many attacks coming to our machine, also some people try to enter in our system but failure. As example see below a log come in messages file:

Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root

How we can secure more. As per my understanding only good long strong password can stop to prevent from attacks.

View 5 Replies View Related

General :: How To Force Mencoder To Stop Streaming

Aug 11, 2010

Is there a way to instruct mencoder to stop streaming/recording after a specified period associated with a loss of signal? I use mencoder to record over-the-air television recordings. Most of the time there are no problems. Occasionally a station's transmission signal disappears, caused by quirky atmospheric conditions, usually at night. Noticing these signal outages is easy by the mencoder error message: "dvb_streaming_read, attempt N. %x failed with errno %y when reading %z bytes" Lengthy outages are unbearable because mencoder silently waits forever rather than quit.

The significant problem with lengthy signal outages is mencoder continues recording for the time specified by the -endpos parameter. Thus, for example, if the recording is scheduled for 2 hours and there is a 20 minute loss of signal, the recording does not end until 2 hours and 20 minutes after starting. Generally, when the interruption is lengthy the recording is ruined and I don't care to watch. I would like to programmatically tell mencoder to stop waiting and quit. Is there a way to do this? Say, after ten minutes of no signal, just terminate. I do not notice any parameters that might offer that option, but I could be overlooking something obvious. I tried the -skiplimit parameter with no success.

View 11 Replies View Related

Debian Configuration :: Install Courier-pop3 And Dovecot-pop3 Simultaneously ?

Apr 16, 2010

For long-term migration from courier to dovecot I would like to install courier-pop and dovecot-pop3d simultaneously. Aptitude offers me to install one, by removing the other, only. Can this be done without creating problems for the package manager and future upgrades? And why if not?

The following NEW packages will be installed:

The following actions will resolve these dependencies:

Remove the following packages:

Score is -170

View 1 Replies View Related

General :: Download Mail From POP3 Server To POP3 Server?

Jan 19, 2010

How can I download Mail from Dovecot POP3 Server to new Dovecot POP3 Server of all users and will always run every minute. I've tried fetchmail and getmail but only in one user and need to run fetchmail or getmail to retrieve new emails.

View 6 Replies View Related

Debian Multimedia :: Force Mencoder To Stop Streaming?

Aug 12, 2010

Is there a way to instruct mencoder to stop streaming/recording after a specified period associated with a loss of signal? I use mencoder to record over-the-air television recordings. Most of the time there are no problems. Occasionally a station's transmission signal disappears, caused by quirky atmospheric conditions, usually at night. Noticing these signal outages is easy by the mencoder error message: "dvb_streaming_read, attempt N. %x failed with errno %y when reading %z bytes" Lengthy outages are unbearable because mencoder silently waits forever rather than quit. The significant problem with lengthy signal outages is mencoder continues recording for the time specified by the -endpos parameter. Thus, for example, if the recording is scheduled for 2 hours and there is a 20 minute loss of signal, the recording does not end until 2 hours and 20 minutes after starting.

Generally, when the interruption is lengthy the recording is ruined and I don't care to watch. I would like to programmatically tell mencoder to stop waiting and quit. Is there a way to do this? Say, after ten minutes of no signal, just terminate. I do not notice any parameters that might offer that option, but I could be overlooking something obvious. I tried the -skiplimit parameter with no success. I am aware of the MPlayer/MEncoder Tips and Tricks thread.

View 2 Replies View Related

General :: Vulnerable To PDF Attacks?

May 12, 2011

I've heard of attacks using PDF files on Windows with Adobe Acrobat and Foxit Reader. Is Linux vulnerable to these attacks when using the default PDF viewers in KDE or Gnome or even xpdf? What is a good PDF scanner to determine if a PDF file is evil?

View 2 Replies View Related

General :: Detect DoS Attacks / Manually Block IP On Ubuntu?

Sep 14, 2011

I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50 %CPU each.

I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped. I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.

What can I do? Can I at least find the IP of the attacker? I have strong experience with Linux, but almost zero experience with being a server admin.

View 2 Replies View Related

General :: POP3 Email Using Linpus To Tiscali

Jul 26, 2011

Tiscali had a problem Sunday night (24/25th) reported by a number of people. Passwords rejected, etc. My Windows Vista machine and Aspire One Linpus were both affected. Come Monday morning and the Vista machine now works but Linpus still doesn't. I haven't changed anything on either machine. Tiscali are (of course) not much help. I have now deleted and recreated the accounts with all the same data and ports, etc just in case(!) No change.

View 3 Replies View Related

General :: Bash Scripting Auth Check For Pop3?

Mar 30, 2010

I need to make a bash scripting, based on a password and a user, that connect to pop3 server and see if it login, if you can, return ok, otherwise return ERR.

View 10 Replies View Related

General :: Adding Accounts In The Integrated Pop3 Server Of Slackware 13?

Apr 21, 2011

Originally Posted by http://salcedoweb.com/rds/server.html

Uncomment or add line in /etc/inetd.conf:

# Post Office Protocol version 3 (POP3) server:
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d

How do I add an account so I can access my mailbox from M$ Outlook from a Windows 7 machine? I am planning on using my ISPs smtp server for sending mail. Or is there anything else I should be aware of?

http://www7.pic-upload.de/21.04.11/ieg6wv3qx6g.jpg

View 11 Replies View Related

General :: Failed To Start Dovecot POP3/IMAP Server?

May 13, 2011

I have some problems to start my dovecot server. I tried to install it from webmin using "un-used modules" but it was always the same error: "E: Unable to locate package dovecot-pop3d". When I tried to install it from console using the commands: apt-get install dovecot-imapd dovecot-pop3d dovecot-common - and there are no problems with dovecot-imapd and dovecot-common, but still the same error with dovecot-pop3d. After command: service dovecot status: could not access PID file for dovecot ... failed!

After try to start dovecot with command "dovecot":

Error: mail_executable: Can't use /usr/lib/dovecot/pop3: No such file or directory
Fatal: Invalid configuration in /etc/dovecot/dovecot.conf

I've read a few similar threads in this forum about dovecot errors but still can't to fix it.

View 4 Replies View Related

General :: Setup A Functioning Imap And Pop3 Mail Server Using Dovecot-postfix?

May 4, 2010

I'm somewhat familiar with Linux and became pretty decent at installing and configuring packages in Ubuntu. One of the things I was able to do with my tinkering was set up a functioning imap and pop3 mail server using dovecot-postfix. Now I'm experimenting with Slackware to get the feel of another distro, and I noticed that the mail server packages were already installed. On my client computer they can pick up that I have users configured and my mx record is working.

However it is failing to send mail saying that it is failing to relay the e-mail message and that the server responded 5.7.1 which was a problem that I was having in Ubuntu when first configuring the mail server. The fix was to edit the postfix.conf file and adding the localhost name of my server. Does anybody know of the file that I need to edit to make it possible to relay my messages with both pop3 and imap.

View 1 Replies View Related

General :: By Default - Configure SMTP And POP3/IMAP Server For Sending And Receiving Mails ?

Mar 30, 2010

I want to know that by default do we need to configure SMTP and POP3/IMAP server for sending and receiving mails in Linux server and client machines or we can directly send and receive mails without configuring these mail servers?

View 2 Replies View Related

General :: Transparent Squid - Iptables Syntax And Unable To Use Outlook To Access SMTP And POP3

Feb 10, 2011

I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box. Here's the set up:

A single NIC (eth0) on 172.19.0.250 / 16 (static)
ADSL router ("real" DG) on 172.19.0.1

I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

My squid.conf:

Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl mynet src 172.19.0.0/16
[Code]....

View 6 Replies View Related

General :: Difference Between Restarting/stopping Apache Using 'service Httpd Restart/stop' And Apachectl Restart/stop

Oct 11, 2010

What's the difference between restarting/stopping apache using 'service httpd restart/stop' and apachectl restart/stop? I know that using 'service httpd restart' is actually a script in /etc/init.d/httpd but what about apachectl?

View 1 Replies View Related

Security :: HOW TO Protect From VPN Attacks

Jun 1, 2011

I would like to know how to protect networks against VPN attacks? How do big industries do it? What does the government tend to use? Are any tools open source that I may get?

View 1 Replies View Related

Debian :: Protection Against Incoming Attacks?

Mar 5, 2011

I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks to my server, my hosting company have now set it offline.

These are the two logs that they provided (I replaced all IPs):
Direction IN
Internal ***.***.***.***

[code]....

View 4 Replies View Related

Ubuntu :: Does 10.04 LTS Protect You From DDoS/Dos Attacks?

Oct 31, 2010

I was just wondering if you were to get DDoSed/Dosed would ubuntu block the packets or protect you in some way?

View 1 Replies View Related

Security :: How To Find The Trace Of The Attacks

Dec 30, 2008

I fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.

View 3 Replies View Related

Fedora Networking :: VPS - Blocking HTTPD DOS Attacks?

Apr 6, 2010

I have a VPS which is running HTTPD, and it's getting blown to bits by a DOS Attack. Turns out mod_evasive is totally useless (due to not running a total - rather counting per child process) and the only way to stop the box from running at 100% on all cores is to term HTTPD. So, what rules can I implement on the iptables firewall to block multiple requests from an IP? I saw this: [URL] Where someone has posted some rules but these don't work ("unknown error 4294967295" on the 3rd line). This is what I'm after though - block multiple requests from a single IP for a certain period of time.

View 3 Replies View Related

Security :: Prevent Ddos Apache Attacks?

Jan 25, 2011

Recently my Apache server crashes very often; by watching the error log, I've noticed several signs of intrusion. So, I think the problem can be a denial of service attack against my machine. My distribution is Debian Lenny.

View 2 Replies View Related

Ubuntu Security :: Block PHP Injection Attacks With Fail2ban

Apr 12, 2010

I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:

HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen

[Code]....

View 7 Replies View Related

Ubuntu Security :: SSH Pubkey Authentication And MITM Attacks

Jan 6, 2011

Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?

View 5 Replies View Related

Security :: Researchers Working Toward Processor-Specific Attacks?

Nov 10, 2010

With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS nor application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of France's École Supérieure d'Informatique, Électronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.

View 2 Replies View Related






