To FILTER MAC addresses and/or Internal IP addresses
Posted: 31 Jan 2014, 17:55
I am receiving a lot of penetration attempts from a huge list of proxies to the Dovecot service
like the following:
2014-01-31 11:43:49 dovecot_login authenticator failed for 68-188-72-60.static.stls_mo-charter_com (192.168.2.33) [68.188.72.60]:3868: 535 Incorrect authentication data (set_id=jacqueline)
This happens all the time, for the moment with only a single attacker, and as you can see there is an Internal IP address 192.168.2.33 associated with the proxies, that cannot be blocked.
Suggested Solution: To BLOCK all IP addresses connected to the same Internal Address that tried unsuccessfully to login after some time. Keep in mind that these are distributed attacks.
Another solution would be to filter MAC addresses, entering them after some analysis, with the same criteria as for Internal Addresses. This would be possible for those protocols where MAC addresses can be obtained.
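The grouping the post asks for can be prototyped offline against the mail log. This is an added example, not part of the original post or of any product's code: it groups failed logins by the parenthesized value and lists the distinct source IPs behind each one. It assumes Exim-style log lines, where that value is the HELO/EHLO name the client sent; the function names, thresholds and all sample lines except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
2014-01-31 11:43:49 dovecot_login authenticator failed for 68-188-72-60.static.stls_mo-charter_com (192.168.2.33) [68.188.72.60]:3868: 535 Incorrect authentication data (set_id=jacqueline)
2014-01-31 11:44:02 dovecot_login authenticator failed for (192.168.2.33) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=admin)
2014-01-31 11:44:40 dovecot_login authenticator failed for (192.168.2.33) [198.51.100.24]:40022: 535 Incorrect authentication data (set_id=info)
2014-01-31 11:45:11 dovecot_login authenticator failed for (192.168.2.33) [203.0.113.7]:51301: 535 Incorrect authentication data (set_id=sales)
2014-01-31 11:46:00 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]:2525: 535 Incorrect authentication data (set_id=bob)
2014-01-31 11:47:30 dovecot_login authenticator failed for [192.0.2.55]:4000: 535 Incorrect authentication data (set_id=test)
"""

# Optional reverse-DNS name, optional "(helo)", then "[source ip]:port: 535".
FAILED_AUTH = re.compile(
    r"authenticator failed for (?:(?P<rdns>[^\s(\[]+) )?"
    r"(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: 535 "
)

def group_by_helo(lines):
    """Map each parenthesized (HELO) value to {source_ip: failure_count}."""
    groups = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_AUTH.search(line)
        if not m or not m.group("helo"):
            continue  # not a failed login, or no value to group on
        groups[m.group("helo")][m.group("ip")] += 1
    return groups

def block_candidates(lines, min_failures=3, min_sources=2):
    """HELO values seen from several source IPs with enough total failures."""
    result = {}
    for helo, per_ip in group_by_helo(lines).items():
        if len(per_ip) >= min_sources and sum(per_ip.values()) >= min_failures:
            result[helo] = sorted(per_ip)
    return result

if __name__ == "__main__":
    for helo, ips in block_candidates(SAMPLE_LOG.splitlines()).items():
        print(helo, "->", ", ".join(ips))
```

Because the grouped value is supplied by the client, common private addresses can be shared by unrelated legitimate clients, so review the candidate list before feeding it to a firewall or ban list.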