* Alan J. Flavell <a.flavell@???> [20030909 23:23]: wrote:
> On Tue, 9 Sep 2003, Odhiambo G. Washington wrote:
>
> > I am making an attempt at discouraging dictionary attacks (and I see many)
>
> Yes, I've been trying a bit too hard to do that, and caused two quite
> embarrassing situations as a result.
>
> I think you'll find the story of the first accident in the archive of
> this list.
I will dig one day if you give me the key, other than that, digging for
Flavell will fill my screen. I know it ;)
> The second one happened when osirusoft went pear-shaped recently due
> to DDoS, and they set it to blacklist every query submitted to it.
I monitor my logs (and list discussions) very closely so I caught the
Osirusoft issue even before it was announced. I just removed their
servers from my dnsbl.
> For about an hour, until the problem was recognised, we were rejecting
> almost every mail: so far, so bad.
I must have rejected for maybe 5 minutes...
I'll take care though.
> Yes, but what's in that script? You _do_ test I/O operations for
> success and report an error if they failed, don't you?
Did I attach the script to the mail, really? No wonder I did not get any
responses. I mentioned I attached the script but forgot to!!
The small debug output I sent did not show me any indication of calling
the script.
Here it is:
#########################################################################
#!/usr/local/bin/perl -w
use strict;
my $file = '/usr/local/etc/exim/dictscan.ips';
my $ip = shift;
die "No argument" unless defined $ip;
die "Invalid argument |$ip|" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;
# (at this point you _could_ take a look in the file and see
# if the address is already there - can happen occasionally
# e.g. when two concurrent dictionary-scan attacks are detected
# from the same IP).
# Since we're doing an append we can ignore file locking...
# (and it's not going to be the end of the world if we sometimes
# manage to list the same address twice...)
open my $out, '>>', $file or die "Couldn't open $file: $!";
my $datestamp = scalar localtime;
# Record a timestamp comment line followed by the address.
print $out "\n# $datestamp\n$ip\n" or die "Couldn't write to $file: $!";
# close() flushes the buffer, so its result must be checked too:
# a full disk or a write error only shows up here.
close $out or die "Couldn't close $file: $!";
#########################################################################
-Wash
--
Odhiambo Washington <wash@???> "The box said 'Requires
Wananchi Online Ltd. www.wananchi.com Windows 95, NT, or better,'
Tel: +254 2 313985-9 +254 2 313922 so I installed FreeBSD."
GSM: +254 72 743223 +254 733 744121 This sig is McQ! :-)
"Every time I think I know where it's at, they move it."
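The posted script, reworked as an added example (not Wash's or Flavell's code) that does what the script's own comments and Flavell's question call for: every I/O step is checked, an address already in the file is not listed twice, and concurrent detections are serialised with a lock. The file path and the addresses in the test are constructed; the file format (a `# <timestamp>` line followed by the IP) is the one the mail's script writes.

```python
"""Record a detected dictionary-scan source in an Exim blocklist file.

Constructed example in the format of the posted dictscan.ips script:
a '# <timestamp>' comment line followed by the address, one entry per
detection. Unlike the original it validates octet ranges, skips addresses
already listed, takes an exclusive lock and reports every I/O failure.
"""
import fcntl
import os
import re
import time

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def valid_ipv4(ip):
    """True only for dotted quads whose four octets are all 0..255."""
    m = IPV4_RE.match(ip)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def listed_ips(fh):
    """Set of addresses already in the file; '#' lines and blanks are skipped."""
    fh.seek(0)
    return {line.strip() for line in fh
            if line.strip() and not line.lstrip().startswith("#")}


def record_scanner(ip, path, now=None):
    """Append ip to path unless it is already there.

    Returns True if the address was added, False if it was already listed.
    Raises ValueError for a malformed address and OSError if open, lock,
    write or flush fails, so a caller running this from Exim sees a
    non-zero exit instead of a silently lost entry.
    """
    if not valid_ipv4(ip):
        raise ValueError("Invalid argument |%s|" % ip)
    stamp = time.ctime(now)
    # 'a+' gives read access for the duplicate check; writes always append.
    with open(path, "a+") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)  # serialise concurrent detections
        try:
            if ip in listed_ips(fh):
                return False
            fh.write("\n# %s\n%s\n" % (stamp, ip))
            fh.flush()
            os.fsync(fh.fileno())
        finally:
            fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    return True
```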