(or where they wrote down the password). This
situation requires a technical solution.
I have been investigating the use of client authentication through SSL. DoD
uses this approach by having the certificates on an ID card and a card reader
on each computer. We don't have the money
On 27/03/2013 4:18 AM, Joseph Olatt wrote:
Any ideas/suggestions on this will be appreciated. Thanks,
-- Doug
A little while back I wrote a system to do a simple Two Factor
Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
created it to prevent brute-force attacks on the
On Tue, 26 Mar 2013 22:56:37 +0100, Daniel O'Callaghan
da...@clari.net.au wrote:
On 27/03/2013 4:18 AM, Joseph Olatt wrote:
Any ideas/suggestions on this will be appreciated. Thanks,
-- Doug
A little while back I wrote a system to do a simple Two Factor
Authentication and dynamic
On 27/03/2013 10:37 AM, Michael Ross wrote:
I'm happy to share a program I wrote which slows down the brute force
attackers.
It simply counts the SYN packets from a given IP and limits the rate
per minute by dropping the packet if they are coming too fast.
Uses ipfw divert sockets, so would
On Wed, 27 Mar 2013 01:37:36 +0100, Daniel O'Callaghan
da...@clari.net.au wrote:
On 27/03/2013 10:37 AM, Michael Ross wrote:
I'm happy to share a program I wrote which slows down the brute force
attackers.
It simply counts the SYN packets from a given IP and limits the rate
per minute by
On 27/03/2013 12:59 PM, Michael Ross wrote:
I'd like to be able to change the time window:
http://gurder.ross.cx/misc/ratelimit.patch
Neat. Thanks for that.
Danny
___
freebsd-questions@freebsd.org mailing list
On Sat, Mar 23, 2013 at 10:16 PM, Doug Hardie bc...@lafn.org wrote:
On 23 March 2013, at 21:51, Mehmet Erol Sanliturk m.e.sanlit...@gmail.com
wrote:
Using Static IP in the client side , and checking Static IP of the user
may be a possibility :
In that way , any message from another IP
On Sun, Mar 24, 2013 at 9:03 AM, CeDeROM cede...@tlen.pl wrote:
Why don't you just use PKI for authentication (you can generate your
own certificates)? You can easily upload keys/certificated to client
machines (PC, Android, Apple, ...). That should work :-)
You can additionally encrypt
On Sat, Mar 23, 2013 at 9:22 PM, Doug Hardie bc...@lafn.org wrote:
Basically, my outgoing mail server is being systematically attacked to try
passwords looking for one that works. When they do find one, we get
inundated by spam sent through that account throughout the world. The
situation
On 24 March 2013, at 01:03, CeDeROM cede...@tlen.pl wrote:
Why don't you just use PKI for authentication (you can generate your
own certificates)? You can easily upload keys/certificated to client
machines (PC, Android, Apple, ...). That should work :-)
Thats exactly what I have been
On 23 March 2013, at 22:59, Mehmet Erol Sanliturk m.e.sanlit...@gmail.com
wrote:
The following steps may be another idea :
Assume that you supply to your users a small login program prepared for them
specifically ( since you are using SSH ) :
Compile that program for each user with a
On Sun, 24 Mar 2013 01:16:33 -0700, Doug Hardie wrote:
On 24 March 2013, at 01:03, CeDeROM cede...@tlen.pl wrote:
Why don't you just use PKI for authentication (you can generate your
own certificates)? You can easily upload keys/certificated to client
machines (PC, Android, Apple, ...).
On 24 March 2013, at 01:10, Waitman Gobble gobble...@gmail.com wrote:
You might consider disabling external smtp auth service and using ssh tunnel
to server to connect to mail. Also provide web based convenience service.
I am not convinced that a ssh tunnel is going to be easy for my
Certificate + Password/PIN should be okay. You can maybe create a
policy for the target system to enable a screensaver to block the
screen after short period that will force user to enter his/hers
password..? I know in theory all seems easy :-) :-) Good luck! :-)
--
CeDeROM, SQ7MHZ,
On 24 March 2013, at 01:22, Polytropon free...@edvax.de wrote:
Wouldn't there be a possibility to combine key _and_ password?
The key shouldn't have to be removed, but it should only work
with a password (which again is kept individual to each user).
The process has to be made more
On Sun, Mar 24, 2013 at 1:21 AM, Doug Hardie bc...@lafn.org wrote:
On 23 March 2013, at 22:59, Mehmet Erol Sanliturk m.e.sanlit...@gmail.com
wrote:
The following steps may be another idea :
Assume that you supply to your users a small login program prepared for
them specifically (
At 11:22 PM 3/23/2013, you wrote:
I am not sure this is the best place to ask this, but I didn't see any other
maillists that seemed more appropriate.
Basically, my outgoing mail server is being systematically attacked to try
passwords looking for one that works.
brute force attacks are easily
been investigating the use of client authentication through SSL.
With certificates you will likely encounter user problems as with passwords:
You can install the certificates in the users keychain, with or without
password protection or protected by the system password. This may
actually be OK
Doug Hardie bc...@lafn.org writes:
That is an interesting idea, but unfortunately our users tend to
travel a lot and need to be able to access mail from anywhere. Also,
static IPs can get quite expensive from some ISPs. Our users are
pretty much on fixed incomes and any expense is a
Doug Hardie wrote:
my outgoing mail server is being systematically attacked to try
passwords looking for one that works. When they do find one,
we get inundated by spam sent through that account throughout the world.
How such spam is injected into your mail relay - via SMTP?
most of our
On Sat, 23 Mar 2013, Doug Hardie wrote:
On 23 March 2013, at 21:51, Mehmet Erol Sanliturk m.e.sanlit...@gmail.com
wrote:
Using Static IP in the client side , and checking Static IP of the user
may be a possibility : In that way , any message from another IP will
not be accepted .
If
On Sun, Mar 24, 2013 at 1:25 AM, Doug Hardie bc...@lafn.org wrote:
On 24 March 2013, at 01:10, Waitman Gobble gobble...@gmail.com wrote:
You might consider disabling external smtp auth service and using ssh
tunnel to server to connect to mail. Also provide web based convenience
How about refusing to
relay mail from addresses in a good DNSBL?
Bad idea. Legitimate users connecting from dynamic IP-addresses is normal.
DNSBLs list a dynamic IP-address permanently
or for long time after a zombied Windows spewed spam from it.
Some DNSBLs warn about that explicitly, for
On 24/03/2013 17:50, Waitman Gobble wrote:
On Sun, Mar 24, 2013 at 1:25 AM, Doug Hardie bc...@lafn.org wrote:
One idea is to run a different server process on 25 which does not do SMTP
AUTH,, then run SMTP AUTH on 465 or 587. I don't really see a reason to
advertise SMTP AUTH on 25, for some
On Sun, 24 Mar 2013 18:59:09 +0200
l...@lena.kiev.ua articulated:
Bad idea. Legitimate users connecting from dynamic IP-addresses is
normal.
I disagree. There is no legitimate reason a user cannot use a bonafide
ISP to send mail. I block dynamic ISPs by default. I have found that
99% of it is
Jerry je...@seibercom.net wrote:
How about refusing to
relay mail from addresses in a good DNSBL?
Bad idea. Legitimate users connecting from dynamic IP-addresses is normal.
I disagree. There is no legitimate reason a user cannot use a bonafide
ISP to send mail.
The talk is about
a technical solution.
I have been investigating the use of client authentication through SSL. DoD
uses this approach by having the certificates on an ID card and a card reader
on each computer. We don't have the money to use that approach no could we
every get our users to spring for that. I
(or where they wrote down the password). This
situation requires a technical solution.
I have been investigating the use of client authentication through SSL.
DoD uses this approach by having the certificates on an ID card and a card
reader on each computer. We don't have the money to use
28 matches
Mail list logo
