[Dovecot] POP3 dictionary attacks

mouss mouss at netoyen.net
Mon Aug 18 23:39:09 EEST 2008


Bruce Bodger wrote:
> 
> On Aug 15, 2008, at 5:39 PM, Charles Marcus wrote:
> 
>> You're kidding, right?
>>
>> Dictionary attacks are a fact of life these days.
>>
>> Just install some kind of blocking on your firewall (fail2ban is a good
>> one), and let it take care of the worst of it...
> 

just make sure to get the expressions right.

> fail2ban will not work for this as the incoming ip addresses are 
> spoofed.  fail2ban would end up blocking legitimate servers.

It doesn't matter. if a tcp attack involves a (remote) IP, you can block 
that IP (for some period of time). there's nothing else you can do 
unless you're ready to let it test all possible login:password pairs 
until it succeeds.

in particular, if this is an asymmetric routing attack, then the attacker 
has some control of the remote IP or of its network. in which case, the 
IP is "dirty".

as for tcp hijacking, this is not so simple, and if it becomes easy, 
then we have a more serious problem than pop or smtp security...
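
Added example, not part of the original post or of fail2ban or Dovecot: a sketch of the temporary per-IP blocking discussed above, with a failure expression that only takes the address from the server-written `rip=` field. The log line format, the thresholds and all names (`FAIL_RE`, `find_bans`, `SAMPLE_LOG`) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Dovecot 1.x syslog format. Greedy ".*" plus the "$" anchor means the
# address is always the trailing server-written rip= field, never username text.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Aborted login: user=<.*>, method=\S+, "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=[0-9A-Fa-f.:]+$")
YEAR = 2008  # assumption: syslog timestamps carry no year
MAX_RETRY, FIND_TIME, BAN_TIME = 3, timedelta(minutes=10), timedelta(minutes=30)

def parse_failure(line):
    """Return (timestamp, remote_ip) for a failed POP3 login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rip")

def find_bans(lines):
    """Map each IP with MAX_RETRY failures inside FIND_TIME to (ban_start, ban_end)."""
    recent, bans = defaultdict(deque), {}
    for hit in filter(None, map(parse_failure, lines)):
        ts, ip = hit
        if ip in bans and ts < bans[ip][1]:
            continue  # still inside an active ban
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()  # forget failures older than the window
        if len(window) >= MAX_RETRY:
            bans[ip] = (ts, ts + BAN_TIME)  # temporary block, as in the post
            window.clear()
    return bans

# Constructed sample lines (documentation addresses), not real logs.
P = "mail dovecot: pop3-login:"
SAMPLE_LOG = [
    f"Aug 18 22:00:00 {P} Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10",
    f"Aug 18 22:30:00 {P} Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10",
    f"Aug 18 23:00:00 {P} Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10",
    f"Aug 18 23:01:02 {P} Aborted login: user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    f"Aug 18 23:01:05 {P} Aborted login: user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    f"Aug 18 23:01:06 {P} Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10",
    f"Aug 18 23:01:09 {P} Aborted login: user=<x>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
]
```

On the sample, only 203.0.113.7 is blocked: the three slow failures from 198.51.100.99 fall outside the 10-minute window, and the `rip=` text inside the last line's username is ignored in favour of the field the server appended.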

