A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

How to block attacks on a POP port?



 
 
  #1  
October 8th 12, 09:04 AM posted to uk.telecom.broadband
Peter

We have a server running on an ADSL line, and frequently it gets hit
by dictionary attacks, which makes it almost unusable.

It is a FreeBSD machine, with the standard firewall.

The chap who looks after it is very time-limited, so I am looking for
something that can be done simply.

One cannot limit access to specific IPs because I need to access it
while travelling, over 3G etc.

The currently active attack is from the USA, 216.215.91.62, so
blocking countries is not a good idea either...

Is there a login time delay which would help, or are they just sending
in loads of packets regardless of the login response time?

Is there an easy way to detect what is obviously an attack, from a
single IP, from that port, and block that IP for ever?
  #2  
October 8th 12, 09:10 AM posted to uk.telecom.broadband
The Natural Philosopher

Peter wrote:
> We have a server running on an ADSL line, and frequently it gets hit
> by dictionary attacks, which makes it almost unusable.
>
> It is a FreeBSD machine, with the standard firewall.
>
> The chap who looks after it is very time-limited, so I am looking for
> something that can be done simply.
>
> One cannot limit access to specific IPs because I need to access it
> while travelling, over 3G etc.
>
> The currently active attack is from the USA, 216.215.91.62, so
> blocking countries is not a good idea either...
>
> Is there a login time delay which would help, or are they just sending
> in loads of packets regardless of the login response time?

There is very little to be done really. There are scan bots which look
for any open port on any machine and try and crack it.

The only way to really solve this is to use some arcane secure tunneling
- but that still won't stop DOS attacks or ping floods from wrecking your
bandwidth.

> Is there an easy way to detect what is obviously an attack, from a
> single IP, from that port, and block that IP for ever?

Nope.

In the end get your own well connected (virtual) server in someone's
machine room sitting on some hot bandwidth.


--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
  #3  
October 8th 12, 09:21 AM posted to uk.telecom.broadband
[email protected]

However, it seems so "obvious" that this is an attack. Is there really no firewall module that can block these IPs on the basis of timing alone?
  #5  
October 8th 12, 11:17 AM posted to uk.telecom.broadband
Roderick Stewart

In article , Peter wrote:
> We have a server running on an ADSL line, and frequently it gets hit
> by dictionary attacks, which makes it almost unusable.
>
> [...]
> The currently active attack is from the USA, 216.215.91.62, [...]


You could write to them perhaps...

CustName: SOUTHBELT PHARMACY
Address: 11914 ASTORIA BLVD
City: HOUSTON
StateProv: TX
PostalCode: 77089
Country: US
RegDate: 2006-12-07
Updated: 2011-03-19
Ref: http://whois.arin.net/rest/customer/C01513447

--

  #6  
October 8th 12, 12:21 PM posted to uk.telecom.broadband
Bob Eager

On Mon, 08 Oct 2012 01:21:10 -0700, peter.holy wrote:

> However, it seems so "obvious" that this is an attack. Is there really
> no firewall module that can block these IPs on the basis of timing
> alone?


Look at the fail2ban port.



--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org

*lightning protection* - a w_tom conductor
  #7  
October 8th 12, 02:16 PM posted to uk.telecom.broadband
Peter


Bob Eager wrote

> On Mon, 08 Oct 2012 01:21:10 -0700, peter.holy wrote:
>
>> However, it seems so "obvious" that this is an attack. Is there really
>> no firewall module that can block these IPs on the basis of timing
>> alone?
>
> Look at the fail2ban port.


It looks interesting indeed, but is probably ineffective where a) the
attack comes from bots (and their wiki entry says as much) and b) the
downlink speed is very high (as with a mail server running on ADSL)
and is thus easily saturated.

One attack this morning lasted just 1hr, from a particular IP.

We have discussed it here and have decided that there isn't much we
can do...

A partial solution might be to block port 110 packets from countries
to which I am never likely to travel, and block them in the router,
not in the server firewall. But they aren't going to be simple IP
lists, are they? The router (Draytek 2955) can't store that much
stuff.
  #8  
October 8th 12, 04:05 PM posted to uk.telecom.broadband
Adrian C

On 08/10/2012 14:16, Peter wrote:

> A partial solution might be to block port 110 packets from countries
> to which I am never likely to travel, and block them in the router,
> not in the server firewall. But they aren't going to be simple IP
> lists, are they? The router (Draytek 2955) can't store that much
> stuff.


Stick the POP port accessible inside your internal network, and connect
to that via a VPN tunnelled connection. Having it public is your headache?

--
Adrian C





  #9  
October 8th 12, 04:22 PM posted to uk.telecom.broadband
The Natural Philosopher

Adrian C wrote:
> On 08/10/2012 14:16, Peter wrote:
>
>> A partial solution might be to block port 110 packets from countries
>> to which I am never likely to travel, and block them in the router,
>> not in the server firewall. But they aren't going to be simple IP
>> lists, are they? The router (Draytek 2955) can't store that much
>> stuff.
>
> Stick the POP port accessible inside your internal network, and connect
> to that via a VPN tunnelled connection. Having it public is your headache?

That is the best solution so far. Won't stop the link being hammered, but
at least there's no port 110 to attract the wasps..



--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
  #10  
October 8th 12, 04:26 PM posted to uk.telecom.broadband
Chris Davies

Peter wrote:
> We have a server running on an ADSL line, and frequently it gets hit
> by dictionary attacks, which makes it almost unusable.
>
> It is a FreeBSD machine, with the standard firewall.
>
> Is there an easy way to detect what is obviously an attack, from a
> single IP, from that port, and block that IP for ever?


Fail2ban should be able to help. (It looks for trigger lines in one of the
logfiles and blocks the corresponding IP address for a period of time.)

Chris
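
The mechanism described in the post above (watch a logfile for trigger lines, then block the offending address for a period of time), sketched as an added example that is not part of the original thread and is not fail2ban's own code. The log format, the sample lines and the threshold values are constructed for illustration; the three thresholds play the role of fail2ban's maxretry, findtime and bantime settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical POP3 daemon log format (RFC 5737 addresses).
SAMPLE_LOG = """\
2012-10-08 08:00:01 pop3d: LOGIN FAILED user=admin ip=203.0.113.7
2012-10-08 08:00:02 pop3d: LOGIN FAILED user=root ip=203.0.113.7
2012-10-08 08:00:02 pop3d: LOGIN OK user=peter ip=198.51.100.20
2012-10-08 08:00:03 pop3d: LOGIN FAILED user=test ip=203.0.113.7
2012-10-08 08:00:04 pop3d: LOGIN FAILED user=info ip=203.0.113.7
2012-10-08 08:05:00 pop3d: LOGIN FAILED user=peter ip=198.51.100.20
2012-10-08 08:11:00 pop3d: LOGIN FAILED user=sales ip=203.0.113.7
2012-10-08 08:11:01 pop3d: LOGIN FAILED user=guest ip=203.0.113.7
2012-10-08 08:11:02 pop3d: LOGIN FAILED user=mail ip=203.0.113.7
"""

# Trigger line: a failed login with the client address captured.
FAIL_RE = re.compile(r"^(\S+ \S+) pop3d: LOGIN FAILED user=\S+ ip=(\d{1,3}(?:\.\d{1,3}){3})$")
MAX_RETRY = 3                       # failures tolerated within FIND_TIME
FIND_TIME = timedelta(seconds=60)   # sliding window for counting failures
BAN_TIME = timedelta(minutes=10)    # how long an address stays blocked

def scan(lines):
    """Return [(ban_start, ip), ...] for every ban the thresholds trigger."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    banned_until = {}               # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue                # successful logins and other noise
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                # still banned: the firewall would drop it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()        # forget failures older than the window
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ts, ip))   # here a real tool adds a firewall rule
            window.clear()
    return bans

if __name__ == "__main__":
    for when, ip in scan(SAMPLE_LOG.splitlines()):
        print(f"{when} ban {ip} until {when + BAN_TIME}")
```

On the sample, the single mistyped password from 198.51.100.20 never reaches the threshold, while 203.0.113.7 is banned, and banned again when it returns after the first ban expires.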
 





All times are GMT +1.

