[Dovecot] POP3 dictionary attacks
mouss
mouss at netoyen.net
Mon Aug 18 23:39:09 EEST 2008
Bruce Bodger wrote:
>
> On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
>
>> You're kidding, right?
>>
>> Dictionary attacks are a fact of life these days.
>>
>> Just install some kind of blocking on your firewall (fail2ban is a good
>> one), and let it take care of the worst of it...
>

just make sure to get the expressions right.

> fail2ban will not work for this as the incoming ip addresses are
> spoofed. fail2ban would end up blocking legitimate servers.

It doesn't matter. if a tcp attack involves a (remote) IP, you can block
that IP (for some period of time). there's nothing else you can do
unless you're ready to let it test all possible login:password pairs
until it succeeds.

in particular, if this is an asymmetric routing attack, then the attacker
has some control of the remote IP or of its network. in which case, the
IP is "dirty".

as for tcp hijacking, this is not so simple, and if it becomes easy,
then we have a more serious problem than pop or smtp security...
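
Added example, not part of the original message and not fail2ban's or Dovecot's own code: a sketch of the "block that IP for some period of time" policy, with a failure expression that reads the address only from the server-written `rip=` field. The log line shape, the thresholds and the names `FAIL_RE`, `scan`, `line` and `SAMPLE` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed line shape (constructed for this example). The address is taken only
# from the server-written rip= field at the end of the line, never from the
# client-supplied text inside user=<...>.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) pop3-login: Aborted login "
    r"\(auth failed, \d+ attempts\): user=<.*>, method=[\w-]+, "
    rf"rip=(?P<ip>{IP}), lip={IP}$")
MAXRETRY = 3                      # failures allowed inside FINDTIME
FINDTIME = timedelta(minutes=10)  # sliding window
BANTIME = timedelta(minutes=30)   # block "for some period of time"

def scan(lines):
    """Return [(ip, ban_start, ban_end)] for each ban the policy would issue."""
    recent, banned_until, bans = defaultdict(deque), {}, []
    for text in lines:
        m = FAIL_RE.match(text)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if banned_until.get(ip, ts) > ts:
            continue              # already blocked, nothing to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:
            q.popleft()           # forget failures older than the window
        if len(q) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            q.clear()
    return bans

def line(hms, user, rip):         # builds one constructed log line
    return (f"2008-08-18 {hms} pop3-login: Aborted login (auth failed, 1 attempts): "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.0.2.10")

SAMPLE = [                         # constructed input, documentation addresses
    line("23:00:01", "admin", "198.51.100.7"),
    line("23:00:05", "test", "198.51.100.7"),
    line("23:00:09", "info", "198.51.100.7"),        # third failure: ban
    line("23:00:12", "root", "198.51.100.7"),        # during ban: ignored
    line("23:01:00", "192.0.2.200", "203.0.113.5"),  # address-like user name
    line("23:20:00", "bob", "203.0.113.5"),          # spread out: no ban
]
```
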