plisten is a protected listen for Plan9, designed to protect a server from brute force attacks.
plisten is available at http://plan9.aichi-u.ac.jp/netlib/plisten/

Brute force attack


attacks on POP3 server

The IPs in the following list have attempted to steal passwords by brute force attack on my POP3 server.
They are taken from the log file covering 2013/06/03 to 2013/11/14.

DNS names of some of these IPs are unknown (unregistered).
Others are listed below:


Some of them are web servers that provide a "software download service"!

attacks on ssh server

Of course, we observe many more attacks on tcp22 (the ssh port).
My log shows 2535 unique IPs that tried this port during the period from 2013/03/14 to the present (2013/11/23).
Too many IPs to list!

get list of these IPs

Observation shows that some of them tried a hundred passwords and then went away without looking at the "Reject" message from my server.

Protected Listener


We have plisten (protected listen) and plisten1 (protected listen1).
Both listen and listen1 are listeners for Plan9.

How To Protect

Both plisten and plisten1 check the IP of requester.
The steps are as follows:
(1) if it is burst access then reject
(2) if (it is not in accept_database) and (it is in reject_database) then reject
(3) start a subprocess for the connection
That is, steps (1) and (2) are added to the official Plan9 listen and listen1.

The definition of burst access:
more than maxconnect connection attempts within a given time (10 seconds).
maxconnect is given as a command option.

For simplicity, directories /sys/log/accept and /sys/log/reject are used in place of accept_database and reject_database.

File names in these directories are the IPs to accept or reject.
Therefore you can register an IP in accept_database with

	touch /sys/log/accept/

pop3 before connection

POP3 is the only way for a remote (non Plan9) user to register himself in accept_database.
Many authentication failures will get him registered in reject_database.

The code below is tcp110:


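#!/bin/rc
# split the addr!port pairs in $3/remote and $3/local on '!' and newline
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip_local=$l(1) ip=$r(1) p=$l(2)}

# already in reject_database: refuse without starting pop3
if(test -e /sys/log/reject/$ip){
	/usr/local/bin/386/logit -l pop3 Rejected $ip
	echo '-ERR Rejected'
	exit
}

if(test -e /sys/log/accept/$ip){
	# already in accept_database (the body of this branch is not shown on the page)
}

# count recent failures from this IP in the last 10 log lines
w=`{tail -10 /sys/log/pop3 | grep 'Fail '$ip | wc}

if(test $w(1) -gt 5){
	touch /sys/log/reject/$ip
	/usr/local/bin/386/logit -l pop3 List $ip
	echo '-ERR Rejected'
	exit
}

/$cputype/bin/alarm 60 /$cputype/bin/upas/pop3

# /sys/log/pop3 is something like:
# old pop3 message:
# ar Apr  8 14:56:50 user arisawa logged in
# new pop3 message:
# ar Apr  8 14:56:50 user arisawa OK
a=`{tail -1 /sys/log/pop3}
if(~ $a(7) OK && ~ $a(8) $ip){
	# successful login: register the IP in accept_database
	touch /sys/log/accept/$ip
	exit
}

/usr/local/bin/386/logit -l pop3 Fail $ip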


Other services are rejected unless the requesting IP is in accept_database.


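#!/bin/rc
# split the addr!port pairs in $3/remote and $3/local on '!' and newline
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip=$r(1) p=$l(2)}

# only IPs already in accept_database reach the ssh server
if(test -e /sys/log/accept/$ip){
	exec /bin/aux/sshserve -A 'tis password' `{cat $3/remote} >>[2]/sys/log/ssh
}

echo Rejected

/usr/local/bin/386/logit -l honeypot $p $ip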


You need to change pop3.c so that the script tcp110 can work.

	if(newns(user, 0) < 0){
		senderr("newns failed: %r; server exiting");
-	syslog(0, "pop3", "user %s logged in", user);
+	syslog(0, "pop3", "user %s OK %s", user, peeraddr);
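
Review bot: in the added syslog line, peeraddr is not declared or assigned anywhere in the visible hunk, and the tcp110 script compares the eighth log field against the bare remote IP (~ $a(8) $ip), so the patch should show where peeraddr is set and make sure it holds the address without a !port suffix. Since the log line is now parsed by field position, a short comment next to the call saying that tcp110 depends on this exact format would keep a later wording change from silently breaking registration in accept_database.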