Mailing List CGatePro@mail.stalker.com Message #105719
From: Shaun Gamble <listrdr@redco.com.au>
Subject: IP blocking
Date: Thu, 16 Jul 2015 12:03:47 +1000
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
CGP 6.1.2 x64  Windows 2012

Block after 5 failed logins in 5 minutes
                    5 protocol errors in 10 minutes

Blocking time 2 hours
Blocked Address Limits 30000

Why is this IP not being blocked? I have had dictionary attacks through SMTP, POP and SIP for the last week. Either I have a setting incorrect somewhere or CGP is not doing its job. This IP kept up this attack for 10 minutes. The originator was switching IPs it was using every 10 minutes. So entering the IP manually into the denied IP address is too late and a waste of time. It needs to occur when the attack is occurring. The blocking time can be increased if they use the same IP again.

Below is a very small sample from the log.

20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL
20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error Code=account is routed to NULL
20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error Code=account is routed to NULL
20:24:05.917 1 POP-232736([122.155.16.155]:54844) failed to open ACCOUNT(liu) for [122.155.16.155]:54844->[myip]:110. Error Code=account is routed to NULL
20:24:06.639 1 POP-232737([122.155.16.155]:54960) failed to open ACCOUNT(liu) for [122.155.16.155]:54960->[myip]:110. Error Code=account is routed to NULL
20:24:07.366 1 POP-232738([122.155.16.155]:55058) failed to open ACCOUNT(liu) for [122.155.16.155]:55058->[myip]:110. Error Code=account is routed to NULL
20:24:08.087 1 POP-232739([122.155.16.155]:55160) failed to open ACCOUNT(liu) for [122.155.16.155]:55160->[myip]:110. Error Code=account is routed to NULL
20:24:08.824 1 POP-232740([122.155.16.155]:55276) failed to open ACCOUNT(liu) for [122.155.16.155]:55276->[myip]:110. Error Code=account is routed to NULL
20:24:09.502 1 POP-232741([122.155.16.155]:55375) failed to open ACCOUNT(liu) for [122.155.16.155]:55375->[myip]:110. Error Code=account is routed to NULL

The above IP does not ever get blocked.

When the attack finds a legit email address and tries to use the password to authenticate, then the IP blocking occurs (different IP address as it had switched, very small portion of the log which occurs for about 10 minutes):

23:30:12.656 1 POP-238481([159.226.89.27]:40626) failed to open ACCOUNT(mail) for [159.226.89.27]:40626->[myip]:110. Error Code=account is routed to NULL
23:30:13.985 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:41212 failed. Error Code=incorrect password
23:30:22.695 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:42318 failed. Error Code=incorrect password
23:30:31.377 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:43885 failed. Error Code=incorrect password
23:30:40.054 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:45466 failed. Error Code=incorrect password
23:30:43.519 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:46196 failed. Error Code=incorrect password
23:30:48.860 1 POP-238539([159.226.89.27]:46196) [159.226.89.27] temporarily blocked on login failure

Yay but 10 minutes too late and the attacker now knows a legit email address to try. It shouldn't be able to get to this stage. What am I missing??

Another question, which may be a better solution: I do not require POP access from IPs other than client IPs. So how do I block POP connections from non-client IPs?

--

Shaun
Fitzroy Island <http://www.fitzroyisland.com>
Destination Darwin NT <http://www.destinationnt.com>
MOM Backpackers <http://www.momdarwin.com>
Value Inn Hotel <http://www.valueinn.com.au>
Please do not send any unsolicited email. It is not wanted.
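As an added example (not from the original post and not CommuniGate Pro's own logic), the small Python counter below applies the poster's "5 failed logins in 5 minutes" rule to log lines copied from the post above, once counting only "incorrect password" failures and once also counting the "failed to open ACCOUNT" (non-existent account) lines. It assumes the two regexes cover exactly those two line shapes; the `[myip]` placeholder is kept as it appears in the post.

```python
import re
from collections import defaultdict, deque

# Two failure shapes seen in the post's CommuniGate Pro log.
UNKNOWN_RE = re.compile(r"^(\S+) \d+ POP-\d+\(\[([\d.]+)\]:\d+\) failed to open ACCOUNT\(")
BADPW_RE = re.compile(r"^(\S+) \d+ ACCOUNT\(\S+\) login\(\w+\) from \[([\d.]+)\]:\d+ failed\. "
                      r"Error Code=incorrect password")

# Lines taken from the post (sample input for this example).
SAMPLE_LOG = [
    "20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL",
    "20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL",
    "20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL",
    "23:30:12.656 1 POP-238481([159.226.89.27]:40626) failed to open ACCOUNT(mail) for [159.226.89.27]:40626->[myip]:110. Error Code=account is routed to NULL",
    "23:30:13.985 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:41212 failed. Error Code=incorrect password",
    "23:30:22.695 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:42318 failed. Error Code=incorrect password",
    "23:30:31.377 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:43885 failed. Error Code=incorrect password",
    "23:30:40.054 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:45466 failed. Error Code=incorrect password",
    "23:30:43.519 1 ACCOUNT(legituser) login(POP) from [159.226.89.27]:46196 failed. Error Code=incorrect password",
    "23:30:48.860 1 POP-238539([159.226.89.27]:46196) [159.226.89.27] temporarily blocked on login failure",
]

def _secs(ts):
    """Convert HH:MM:SS.mmm to seconds since midnight (the log carries no date)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def first_block_time(lines, threshold=5, window=300, count_unknown=False):
    """Return {ip: timestamp} of the first moment each IP reaches `threshold`
    counted failures inside a sliding `window` (seconds). Only 'incorrect
    password' lines count unless count_unknown=True also counts
    'failed to open ACCOUNT' lines for accounts that do not exist."""
    events, blocked = defaultdict(deque), {}
    for line in lines:
        m = BADPW_RE.match(line) or (count_unknown and UNKNOWN_RE.match(line))
        if not m:
            continue
        ts, ip = m.group(1), m.group(2)
        if ip in blocked:
            continue
        t, q = _secs(ts), events[ip]
        q.append(t)
        while t - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    print("password failures only :", first_block_time(SAMPLE_LOG))
    print("plus unknown accounts  :", first_block_time(SAMPLE_LOG, count_unknown=True))
```

With password failures only, 122.155.16.155 never trips and 159.226.89.27 trips at 23:30:43.519, matching the "temporarily blocked" line a few seconds later; counting unknown-account failures too would have tripped 122.155.16.155 by 20:24:03.685.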
