[Dovecot] SSL renegotiation vulnerability

Robert Schetterer robert at schetterer.org
Thu Oct 27 12:12:58 EEST 2011


Am 27.10.2011 10:25, schrieb Ed W:
> On 26/10/2011 10:01, Robert Schetterer wrote:
>> the most problem is see , not everybody can use fail2ban on his servers
>> by keeping out dummy auth users over nat ( I have such case )
>>
>> anyway ,firewalls should slow down ddos attacks, which might cause other
>> problems then *g, but for sure not from one ip
> ...
>>
>> just a few thoughts..,for sure ,best way would be, getting it fixed
> 
> If you google (I think it was on slashdot), I saw a couple of posts with
> a simple iptables rule with some rate limits attached to it.  Clearly
> you could also read the iptables instructions and figure it out for
> yourself, but just highlighting that even the footwork has been done if
> you want copy/paste

i just read it, but its my understanding, that this isnt solving the
real Problem, also these rules cant used everywhere by tec layout reasons
however youre right, this might help where using it is possible

> 
> I think it's generally not such a bad idea to say limit tcp connections
> per second from a source IPs.  There are plenty of big services that
> might not be able to implement this as a blanket, but for many shops it
> could probably be just added as a default for the server...

we have a big firewall before all server, it does rate con, but
in heavy attacks, this can take off the whole farm, cause every firewall
has its limits too, also the problem may involve core routers etc
every big attack has to be analysed and reacted, there is reason to do
something better ever, but there never be a safe world in www *g
> 
> Cheers
> 
> Ed W


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


More information about the dovecot mailing list