Re: [Exim] Dictionary attack defense

Author: Odhiambo Washington
Date:  
To: Alan J. Flavell
CC: Exim Users
Subject: Re: [Exim] Dictionary attack defense
* Alan J. Flavell <a.flavell@???> [20030909 23:23]: wrote:
> On Tue, 9 Sep 2003, Odhiambo G. Washington wrote:
>
> > I am making an attempt at discouraging dictionary attacks (and I see many)
>
> Yes, I've been trying a bit too hard to do that, and caused two quite
> embarrassing situations as a result.
>
> I think you'll find the story of the first accident in the archive of
> this list.


I will dig one day if you give me the key; other than that, digging for
Flavell will fill my screen. I know it ;)


> The second one happened when osirusoft went pear-shaped recently due
> to DDoS, and they set it to blacklist every query submitted to it.


I monitor my logs (and list discussions) very closely so I caught the
Osirusoft issue even before it was announced. I just removed their
servers from my dnsbl.



> For about an hour, until the problem was recognised, we were rejecting
> almost every mail: so far, so bad.


I must have rejected for maybe 5 minutes.
I'll take care though.


> Yes, but what's in that script? You _do_ test I/O operations for
> success and report an error if they failed, don't you?


Did I attach the script to the mail, really? No wonder I did not get any
responses. I mentioned I attached the script but forgot to!!
The small debug output I sent did not show me any indication of calling
the script.


Here it is:


#########################################################################
#!/usr/local/bin/perl -w

use strict;

# File of attacker IPs that the Exim configuration reads back as a blocklist.
my $file = '/usr/local/etc/exim/dictscan.ips';

# Exim passes the offending address as the script's single argument.
my $ip = shift;

die "No argument" unless defined $ip;

die "Invalid argument |$ip|" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;

# (at this point you _could_ take a look in the file and see
# if the address is already there - can happen occasionally
# e.g when two concurrent dictionary-scan attacks are detected
# from the same IP).

# Since we're doing an append we can ignore file locking...
# (and it's not going to be the end of the world if we sometimes
# manage to list the same address twice...)

open my $out, '>>', $file or die "Couldn't open file, $!";

my $datestamp = scalar localtime;

# One comment line carrying the timestamp, then the address on its own line.
# ('#' needs no backslash in a double-quoted string; "\#" provokes an
# "Unrecognized escape" warning under -w.)
print $out "\n# $datestamp\n$ip\n";

# Check the close as well: a full disk or a write error surfaces here.
close $out or die "Couldn't write file, $!";
#####################################################################


-Wash

--
Odhiambo Washington   <wash@???>  "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com      Windows 95, NT, or better,'
Tel: +254 2 313985-9  +254 2 313922         so I installed FreeBSD."
GSM: +254 72 743223   +254 733 744121       This sig is McQ!  :-)


"Every time I think I know where it's at, they move it."
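The script above appends blindly and, as its own comments admit, can list the same address twice when two concurrent scans are detected, and its regex accepts octets such as 999. The following is an added Python example, not code from the original mail or from Exim, that keeps the same file layout (a `# <datestamp>` comment line followed by one dotted-quad per line) but validates the octet ranges, holds an exclusive `flock` across the read-then-append, and skips addresses that are already listed. The file path, the sample file contents and the `demo()` helper are constructed for the example; how Exim consumes the file is not shown here.

```python
"""Maintain a dictionary-attack blocklist file with validation and dedup.

Added example; assumes the file format written by the posted Perl script
('# <datestamp>' comment lines, one IPv4 address per line).
"""
import fcntl
import ipaddress
import os
import tempfile
import time

# Constructed sample of an existing dictscan.ips file (not from the mail).
SAMPLE_BLOCKLIST = "\n# Tue Sep  9 23:23:00 2003\n10.0.0.1\n\n# Tue Sep  9 23:25:10 2003\n10.0.0.2\n"


def is_valid_ipv4(addr: str) -> bool:
    """Stricter than /^\\d+\\.\\d+\\.\\d+\\.\\d+$/: every octet must be 0-255."""
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return True


def parse_blocklist(text: str) -> set:
    """Return the set of addresses in a blocklist body, ignoring '#' comment
    lines and blank lines (the layout the Perl script produces)."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ips.add(line)
    return ips


def add_blocked_ip(path: str, addr: str, now: float = None) -> bool:
    """Append addr to the blocklist at path unless it is already listed.

    Returns True if the address was appended, False if it was already there.
    An exclusive flock is held across the read and the append, so two
    concurrent detections of the same attacker cannot both add it.
    """
    if not is_valid_ipv4(addr):
        raise ValueError(f"Invalid argument |{addr}|")
    stamp = time.ctime(now)  # same 'scalar localtime' style as the script
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            fh.seek(0)
            if addr in parse_blocklist(fh.read()):
                return False
            fh.seek(0, os.SEEK_END)
            fh.write(f"\n# {stamp}\n{addr}\n")
            fh.flush()
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)
    return True


def demo() -> tuple:
    """Run the helpers against a temporary copy of SAMPLE_BLOCKLIST.

    Returns (added_dup, added_new, added_new_again, final_set).
    """
    fd, path = tempfile.mkstemp(prefix="dictscan-", suffix=".ips")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_BLOCKLIST)
        added_dup = add_blocked_ip(path, "10.0.0.1")        # already listed
        added_new = add_blocked_ip(path, "192.0.2.7")       # constructed new hit
        added_new_again = add_blocked_ip(path, "192.0.2.7")  # second detection
        with open(path) as fh:
            final_set = parse_blocklist(fh.read())
    finally:
        os.unlink(path)
    return added_dup, added_new, added_new_again, final_set


if __name__ == "__main__":
    print(demo())
```

Because the whole read-check-append happens under one `LOCK_EX`, the "two concurrent scans from the same IP" race the original comment mentions is closed rather than tolerated; the cost is a full read of the file per addition, which is negligible for a list that grows by one line per detected attacker.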