Linux – I am getting brute forced, what do I do

brute-force-attacks, linux, Security

I am getting brute forced on my email server, IMAP and POP3. I have the full package of ASL installed but it just sends me the OSSEC logs. How can I ban the IP?

I thought ASL automatically blocked these attacks after a few wrong tries. How can I do that?

Best Answer

If your kernel has support for iptables recent (most do), something like the following will allow 6 connections in 60 seconds, and then drop the connections from that IP address. Rather than writing a ton of rules to block varying IPs, you could do that.

iptables -I INPUT -p tcp --dport imap -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport imap -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP
iptables -I INPUT -p tcp --dport pop3 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport pop3 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

Alternatively, if it was just one IP:

iptables -I INPUT -s 1.2.3.4/32 -j DROP

should do a quick and dirty drop of that IP.
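Added example, not part of the original answer: a small Python simulation of how the `-m recent --set` / `--update --seconds 60 --hitcount 6` pair above treats a stream of NEW connections from one source, mirroring the way xt_recent counts only the timestamps already recorded for the address. It assumes the kernel default of 20 stored timestamps per address, the rule order the four `-I` commands leave behind (the DROP rule above the --set rule), and no other rule in the chain touching these packets; the source addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 6          # --hitcount 6
MAX_STAMPS = 20       # assumed: xt_recent default ip_pkt_list_tot


class RecentTable:
    """Per-source list of packet timestamps, as xt_recent keeps it."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # "-m recent --set": record this packet's time for src.
        self.stamps[src].append(now)

    def update_matches(self, src, now):
        # "-m recent --update --seconds N --hitcount H": matches only if
        # src is already known and at least H *previously recorded*
        # stamps fall inside the window. The current packet is counted
        # only after a match, which is what keeps a retrying source blocked.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_connection(table, src, now):
    """Walk the chain in the order the `-I` commands leave it:
    the --update/DROP rule sits above the --set rule."""
    if table.update_matches(src, now):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"  # assumed: nothing later in the chain rejects it


def simulate(attempts):
    """attempts: time-ordered list of (seconds, src) NEW connections.
    Returns the verdict for each attempt in order."""
    table = RecentTable()
    return [filter_new_connection(table, src, t) for t, src in attempts]


if __name__ == "__main__":
    attacker, user = "203.0.113.5", "198.51.100.7"   # constructed addresses
    burst = [(t, attacker) for t in range(6)] + [(3, user), (6, attacker)]
    burst += [(30, attacker), (70, attacker)]
    for (t, src), verdict in zip(burst, simulate(sorted(burst))):
        print(f"t={t:3d}s {src:14s} {verdict}")
```

Six attempts in the window pass, the seventh is dropped, every further attempt extends the block, and the source is only accepted again after it has been quiet for 60 seconds.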
