On Aug 16, 2008, at 11:14 AM, Mark Sapiro wrote:
Exactly. These days, IP spoofing is most useful to hide the identity of the perpetrator of a DoS attack. It certainly is not applicable to a dictionary attack on POP3 or other logins since with a spoofed IP, the perpetrator will never see the response to determine if the login attempt was successful.
I stand corrected... sorry. I was thinking of an http cross-site attack which also seems popular nowadays.
So if I read you right then you would consider the IP address shown in the original thread post..
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
..216.31.146.19, to be a party to the attack and therefore a candidate for locking out?
Yes. I do it (with my own script, not fail2ban, but it works the same way).
Thank you for the clarification.
B. Bodger
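
The lock-out selection discussed in this thread, as an added example that is not part of the original messages and is neither Mark Sapiro's script nor fail2ban's code: it counts dovecot PAM failures per source IP in a sliding window and returns the addresses that cross a threshold. The function name, threshold, window and assumed log year are hypothetical choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the thread above (the log carries no year; one is assumed below).
SAMPLE_LOG = """\
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
"""

# The username is supplied by the remote client, so it is matched greedily:
# the IP captured is always the last one before the fixed suffix, which keeps
# a crafted username from substituting a different address to be locked out.
FAIL_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Error: auth-worker\(\w+\): "
    r"pam\((?P<user>.*), (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): pam_authenticate\(\) failed"
)

def ban_candidates(log_text, threshold=3, window=timedelta(minutes=10), year=2008):
    """Return {ip: sorted usernames tried} for IPs with >= threshold failures in window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an auth failure line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in ban_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
```

The returned addresses are what would be handed to a firewall or TCP-wrappers deny rule; that step is left out because it depends on the host.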