Re: under some kind of attack
mj lists@merit.unu.edu wrote:
- for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well)
Step one: making ldap password authentication valid only from our internal network. I though: using allow_nets=192.168.1.0/24 for that passdb
But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already.
Perhaps someone can help with the step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot.
As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's what you want.
Gary Sellani lists@lazygranch.com writes:
Not applicable to most installations, but I use geographical filtering on all ports other than 25. Fine if you are the only user of the email system.
If you're the only user, moving the IMAP/POP service to a nonstandard port will do most of that with much less bother, and you won't lock yourself out, requiring a ssh/edit firewall/reconnect. Been there, done that.
I get one hacker a week trying to guess passwords, and always from Digital Ocean VPS.
abuse@digitalocean.com is fairly responsive. They usually nuke them pretty quickly.
I would like to see statistics on the success of such brute force attacks. They can't be very successful these days.
Even if the success rate is 0.00001%, you can do the arithmetic to see that's still a huge number of accounts. But you're right, if you have anything resembling a sensible password policy, they're just a log bloating nuisance.
Joseph Tam jtam.home@gmail.com
Hi Joseph,
On 07/21/2017 10:17 PM, Joseph Tam wrote:
As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's what you want.
Having read the wiki page on checkpassword, I am unsure how this would work with an ldap backend.
Could you elaborate on that?
Best, MJ
participants (2)
-
Joseph Tam
-
mj