Re: Firewall, blocking POP3

Sun, 03 Jun 2012 14:05:54 -0700 

At 07:18 PM 5/30/2012, Robert Bonomi wrote:

> From jbiq...@intranet.com.mx  Wed May 30 13:48:05 2012
> Date: Wed, 30 May 2012 13:47:34 -0500
> To: Robert Bonomi <bon...@mail.r-bonomi.com>
> From: Jorge Biquez <jbiq...@intranet.com.mx>
> Subject: Re: Firewall, blocking POP3
> Cc: freebsd-questions@freebsd.org
>
> Hello.
>
> Thanks a lot!. Simple an elegant solution.
>
> I just did that and of course it worked.... I just was wondering...
> what if I need to have the service working BUT want to block those
> break attemps? IN this and other services. ?
> My guess is that it is a never ending process? I mean, block one,
> block another, another, etc?

If one knows the address-blocks that legitimate customers will be using,
one can block off access from 'everywhere else'.

> What the people who has big servers running for hosting services are
> doing? Or you just have a policy of strng passworrds, server
> up-todate and let the attemps to try forever?

There are tools like 'fail2ban' that can be used to lock out persistant
doorknob-rattlers.

Also, one can do things like allow mail access (POP, IMAP, 'whatever')
only via a port that is 'tunneled' through an SSH/SSL connection.

This eliminates almost all doorknob rattling on the mail access ports,
but gets lots of attempts on the SSH port.  Which is generally not a
problem, since the SSH keyspace is vastly larger, and more evenly
distributed, than that for plaintext passwords.

To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
it on a non-standard port.  This does =not= increase the actual security
of the system, but it does greatly reduce the 'noise' in the logs -- so
any actual attack attempt is much more obvious.
You can use /etc/hosts.allow to list your "friendly" IP's allowed by protocol. This provides an easy way to block all foreign users. You can use wildcards in this file, so if you need to allow users in for POP access from an ISP, you can do that.
Also, if you do have wide array of addresses you need to let in, you may want to put the email services in a jail. 

-Derek

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to