[CentOS] Dealing with brute force attacks

Thu May 14 14:46:34 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

Over the weekend one of our servers at a remote location was
hammered by an IP originating in mainland China.  This attack was
only noteworthy in that it attempted to connect to our pop3 service.

We have long had an IP throttle on ssh connections to discourage
this sort of thing.  But I had not considered the possibility that
other services were equally at risk.  Researching this on the web
does not reveal any comprehensive list of vulnerable ports or
services.  Most discussion centres on ssh, then some on ftp, and
relatively few regarding pop3.

So, my questions are these:

1. Should I throttle all new connections regardless of destination
ports?  In other words: are there any legitimate reasons that a
single IP would require more than one new connection every 30
seconds or so?

2. Moving pass the obvious and unhelpful "everything", what services
are particularly vulnerable to these types of attacks?  Does a list
exist anywhere?

Regards,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3