[TriLUG] defense against dictionary attacks?
Jon Carnes
jonc at nc.rr.com
Fri Jun 25 16:29:24 EDT 2004
On Fri, 2004-06-25 at 16:14, Aaron S. Joyner wrote:
> In general, we see an awful lot of dictionary attacks here at Intrex,
> and it's not something we process the logs or firewall against to
> block. Be very careful with setting up automated systems that monkey
> with your firewall rules, it can have very unfortunate results if
> someone decides to exploit the way you have it set up, and even more
> likely, accidents and floods of mail to users who don't exist do happen
> naturally. Twould be bad to block yahoo or aol because some newbie on
> their service made a few typos or cut-n-pasted his mother's address
> wrong 50 times into his forwarding list (stranger things have happened).
>
> Also, note that processing the logs during a dictionary attack can get
> very processor-intensive, especially if you're not careful in your regex
> writing (I didn't even look closely at Jon's example, this in no way
> should be interpreted as a reflection on his code). Just be careful
> that you're not doing more work in defense, than you're saving from the
> minimal overhead of "550 user not found in local recipients table". :)
>
> Either way, I'm curious to hear how it turns out. :)
> Best of luck,
> Aaron S. Joyner
You could expand the earlier script and add a nospamdb file (listing IPs
that should be ignored by the script). To do so, simply add a line to
exit the script if the IP is in your nospamdb file:
if grep -wq "$BADIP" nospamdb; then exit; fi   # test grep's exit status directly, not its (empty) output
Also, with a bit of trial and error you can gauge just how many entries
will be in your info file after a minute of being attacked, and instead
of grepping the whole file, you can simply grep the end of the file. To
grep the last 200 entries:
tail -n 200 "$INFO" | grep "$ENTRIES" | grep " 550 " | ...
This is extremely fast and makes the script take under a second to
execute.
Jon
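As an added example (not Jon's script from the thread, and not anything from Intrex's setup), here is a small POSIX sh sketch of the approach described above: tail the log, count " 550 " rejections per client IP, and skip IPs listed in a nospamdb file. It assumes Postfix-style log lines with the client IP in square brackets, one IP per line in nospamdb, and a constructed sample log written to a temporary directory.

```shell
#!/bin/sh
# Added example, not the script from the thread: tally recent "550"
# rejections per client IP from the tail of a mail log, skipping IPs in an
# allow-list (nospamdb) file. Log format, file names and threshold assumed.

TAIL_LINES=200      # only inspect the most recent lines, as suggested
THRESHOLD=20        # rejections in that window before an IP is flagged

# Return 0 if IP $1 appears as a whole line in allow-list file $2.
is_allowlisted() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# Print how many " 550 " lines among the last $TAIL_LINES lines of log $2
# mention client IP $1 (expected in brackets, Postfix style). "|| :" keeps
# the exit status 0 when grep -c prints 0 and exits 1.
count_550() {
    tail -n "$TAIL_LINES" "$2" | grep -F -- "[$1]" | grep -c " 550 " || :
}

# Classify IP $1 against log $2 and allow-list $3: prints "ignore", "ok"
# or "attack"; exit status is 1 only for "attack" so callers can branch.
check_ip() {
    if is_allowlisted "$1" "$3"; then echo ignore; return 0; fi
    n=$(count_550 "$1" "$2")
    if [ "$n" -ge "$THRESHOLD" ]; then echo attack; return 1; fi
    echo ok
}

# Constructed sample data (not a real log): one noisy host, one allow-listed
# host making the same number of typos, one clean connection. Prints the
# temporary directory holding maillog and nospamdb.
make_sample() {
    d=$(mktemp -d)
    echo 203.0.113.5 > "$d/nospamdb"
    i=0
    while [ "$i" -lt 25 ]; do
        echo "Jun 25 16:14:$i postfix/smtpd[1]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <u$i@example.com>: User unknown in local recipient table" >> "$d/maillog"
        echo "Jun 25 16:14:$i postfix/smtpd[2]: NOQUEUE: reject: RCPT from mx.example.net[203.0.113.5]: 550 5.1.1 <t$i@example.com>: User unknown in local recipient table" >> "$d/maillog"
        i=$((i + 1))
    done
    echo "Jun 25 16:15:00 postfix/smtpd[3]: connect from relay[192.0.2.9]" >> "$d/maillog"
    echo "$d"
}

# Stand-alone run: the noisy host is flagged, the allow-listed one ignored.
D=$(make_sample)
for ip in 198.51.100.7 203.0.113.5 192.0.2.9; do
    printf '%s %s\n' "$ip" "$(check_ip "$ip" "$D/maillog" "$D/nospamdb")"
done
```

Whatever consumes the "attack" result (a mail to the admin, a note in a pending-review file) is where Aaron's caution applies; the script itself only reports.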