vpopmail security ???

How do I secure vpopmail to stop attacks like this? Part of the list as an example:
Thank you

vpopmail Begin

Password Failures:
adm - 110 Time(s)
bin - 110 Time(s)
mail - 132 Time(s)
mysql - 88 Time(s)
news - 66 Time(s)
nobody - 66 Time(s)
operator - 66 Time(s)
root - 88 Time(s)
sshd - 66 Time(s)

No Such User Found:
aaron - 110 Time(s)
abby - 110 Time(s)
abigail - 110 Time(s)
abraham - 110 Time(s)
abuse - 110 Time(s)
access - 110 Time(s)
account - 110 Time(s)
accounts - 110 Time(s)
adam - 110 Time(s)
admin - 110 Time(s)
admin2 - 110 Time(s)
administrator - 220 Time(s)
adrian - 110 Time(s)
aerial - 110 Time(s)
agent - 110 Time(s)
alan - 110 Time(s)
albert - 109 Time(s)
alberto - 110 Time(s)

Unmatched Entries

I don’t know of any vpopmail configuration for this, but what I use for attacks like this is CSF/LFD (ConfigServer Firewall / Login Failure Detection). I’m not familiar at all with BFD (Brute Force Detection) from R-fx Networks, but it may help in a similar way…

I set it up to block failed authentication attempts on certain services, POP3 can be configured. It will watch the logs and block the offending IP after a certain amount of failed attempts within a given amount of time. Usually setting it to block the IP after 8-10 failed logins within the hour is enough to help with those types of attacks.
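The threshold rule described in the post above (block an IP after about 8 failed logins within an hour), sketched as an added example that is not part of the original thread and is not CSF/LFD's or BFD's own code. The log line shape, host name, year and addresses are constructed assumptions; adjust the regex to what your own mail log actually contains.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed, adjust to your own maillog):
#   Nov 23 12:30:02 mx1 vpopmail[2101]: vchkpw-pop3: password fail root@:192.0.2.10
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*vchkpw-\w+:\s"
    r"(?:password fail|vpopmail user not found)\b"
    r".*:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def offenders(lines, limit=8, window=timedelta(hours=1), year=2007):
    """Return {ip: time the limit was reached} for IPs with >= limit failures per window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:            # lines are expected in chronological order
        m = FAIL_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= limit and m["ip"] not in blocked:
            blocked[m["ip"]] = ts
    return blocked

def sample_log():
    """Constructed sample lines, not taken from a real server."""
    names = ["adm", "bin", "mail", "root", "aaron", "abby", "admin", "adam", "alan"]
    out = [f"Nov 23 12:30:{i:02d} mx1 vpopmail[2101]: vchkpw-pop3: "
           f"{'password fail' if i < 4 else 'vpopmail user not found'} {n}@:192.0.2.10"
           for i, n in enumerate(names)]
    # Slow source: 8 failures, 20 minutes apart, so never 8 inside one hour.
    out += [f"Nov 23 {13 + i // 3}:{(i % 3) * 20:02d}:00 mx1 vpopmail[2102]: vchkpw-pop3: "
            f"password fail info@example.com:203.0.113.5" for i in range(8)]
    # A user mistyping a password once, then logging in.
    out += ["Nov 23 16:00:01 mx1 vpopmail[2103]: vchkpw-pop3: password fail joe@example.com:198.51.100.7",
            "Nov 23 16:00:09 mx1 vpopmail[2103]: vchkpw-pop3: (PLAIN) login success joe@example.com:198.51.100.7"]
    return out

if __name__ == "__main__":
    for ip, when in offenders(sample_log()).items():
        print(f"{ip} reached the limit at {when}")
```

Both "password fail" and "user not found" count toward the same per-IP total, since a dictionary run like the one in the question produces mostly the latter.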

Hi
I have Brute Force Detection for ssh & ftp, will have another look to see if it can be used for vpopmail.
LFD looks good, will take a look at that today.
Thank you for your reply, appreciated

BFD also blocks IPs which have tried to log in incorrectly on POP and IMAP.
We use it and I can confirm that BFD actively blocks it.

You will see in your /etc/apf/deny_hosts.rules file things like

added 123.456.789.1 on 11/23/07 12:30:02

{bfd.pop3d}

123.456.789.1

If somebody is blocked because of incorrect on POP or imap {bfd.imap4d}

[quote=WebXtrA;14775]BFD also blocks IPs which have tried to log in incorrectly on POP and IMAP.
We use it and I can confirm that BFD actively blocks it.

You will see in your /etc/apf/deny_hosts.rules file things like

added 123.456.789.1 on 11/23/07 12:30:02

{bfd.pop3d}

123.456.789.1

If somebody is blocked because of incorrect on POP or imap {bfd.imap4d}[/quote]

Found the problem.
BFD is blocking ssh and proftp but not showing it's blocking pop or imap.
Looks like the paths in the rules are incorrect.
Thank you