[Dovecot] Applying a DNS RBL to deny authentication?
Robert Schetterer
rs at sys4.de
Tue Feb 4 18:33:15 UTC 2014
On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
>
> Here is a list of about 700,000 IP addresses that are hacking passwords
> through SMTP AUTH
>
> http://ipadmin.junkemailfilter.com/auth-hack.txt
>
> This is a list of IP addresses that attempted to authenticate against my
> fake AUTH advertising on servers with no authentication. We do front end
> spam filtering for thousands of domains and I decided to advertise
> authentication where there is none and I accept and blackhole all
> authenticated email to those servers. I have harvested the IP addresses
> in this list that is available through an RBL.
>
>
> It seems to me that a nice dovecot feature would be the ability to do a
> black list check against IP addresses connecting and deny access if listed.
http://wiki2.dovecot.org/Authentication/RestrictAccess
but you could add them in a firewall too
>
> Thoughts?
>
>
I think you know the problems of RBLs very well; in the case of IMAP/POP
a false positive may increase support extremely. Also think of NAT users.
I prefer more dynamic and flexible solutions, like fail2ban etc.,
so your honeypot IPs are fine, but shouldn't be widely used/matched for
everybody's needs.
Perhaps it might be better to use them in a more "score" or monitoring /
alarming system combined with other data.
Best Regards
Kind regards, Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
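
Added example, not part of the original thread or of Dovecot: a sketch of the "score combined with other data" idea from the reply above, where an RBL hit is one signal next to local login history instead of a hard deny. The zone name, weights, thresholds and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

RBL_ZONE = "rbl.example.invalid"  # placeholder zone, not taken from the thread
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname, zone=RBL_ZONE):
    """Listed when the query name resolves into 127.0.0.0/8."""
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except OSError:
        # NXDOMAIN (not listed) or resolver failure: fail open so a DNS
        # outage does not lock every IMAP/POP user out.
        return False
    return ipaddress.ip_address(answer) in LOOPBACK

def auth_risk(ip, recent_failures, known_good, resolve=socket.gethostbyname):
    """Return 'allow', 'alert' or 'deny' from the RBL hit plus local data."""
    score = 3 if is_listed(ip, resolve) else 0   # assumed weight
    score += min(recent_failures, 5)             # cap the local failure signal
    if known_good:                               # address has past good logins
        score -= 4                               # protects NAT users on a listed IP
    if score >= 6:
        return "deny"
    return "alert" if score >= 3 else "allow"

# Constructed resolver so the example runs offline (documentation addresses).
SAMPLE_LISTED = {"4.113.0.203." + RBL_ZONE: "127.0.0.2"}

def sample_resolve(name):
    if name in SAMPLE_LISTED:
        return SAMPLE_LISTED[name]
    raise OSError("NXDOMAIN")

if __name__ == "__main__":
    for ip, fails, good in [("203.0.113.4", 0, True), ("203.0.113.4", 4, False),
                            ("198.51.100.9", 5, False)]:
        print(ip, fails, good, auth_risk(ip, fails, good, sample_resolve))
```

A listed address with successful login history is still allowed, which is the NAT false-positive case raised in the reply.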