On 2021-07-18 at 06:43:51 UTC-0400 (Sun, 18 Jul 2021 12:43:51 +0200)
Slavko via mailop <li...@slavino.sk>
is rumored to have said:

[...]

> The only usable way seems to be GeoIP blocking countries, but I'm afraid
> that it is the wrong way.

Why?

If you have no users who need to authenticate from a particular network, there's no need to allow access from that network. If knowing where a network is based helps you make an accurate estimation of whether access from that network is needed, what's wrong with that?

On one small mail server I manage, I have 346 IPv4 networks blocked from all ports that expose any password-based authentication, with some of those being /6 networks. None of the users of that system need to use IMAP, POP, or mail submission from cloud server networks or random parts of other continents. On an everyday basis, all valid authentication attempts come from US and Canadian mobile networks, a handful of retail access providers, and a regionally limited collection of office networks. For the rare cases where users need to connect from random places, I have a 'web knocking' rig to poke holes as needed.

> The whole attack took about 5-6 hours. I will
> continue to investigate weakforced for the future, as I feel that it is not
> the real end, only a pause...

> Anyway, despite all the words about Kerckhoffs's principle, using the
> same email address as login name seems to be the wrong approach (as someone pointed out already), because without a valid username no password will match,
> and thus knowing the username saves 50 % of the attacker's work. Thus while
> the username is not secret, not revealing it can help... Of course, hiding the
> username is not (enough of) a security method.

Not using the email login identity as an actual email address is very useful in preventing *successful* account cracking, but it does not prevent the steady stream of doomed authentication attempts.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
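
The approach described in the reply above (dropping connections to password-authenticated ports only, from networks whose users never authenticate) can be expressed as a small rule generator. The following is an added example and not the list author's own tooling; the CIDR blocks, port list, and nftables set/chain names are constructed placeholders, and the example assumes an `inet filter` table with an `input` chain already exists. Port 25 is deliberately excluded so inbound mail delivery is unaffected.

```python
"""Added example: build an nftables rule that drops new connections from a
blocklist of networks to the ports that expose password-based authentication
(IMAP, POP3, mail submission). Networks and ports are constructed sample data."""
import ipaddress

# Ports that accept a username/password on a typical mail server:
# POP3 (110/995), IMAP (143/993), submission (587/465). Port 25 is not here.
AUTH_PORTS = (110, 143, 465, 587, 993, 995)

# Constructed sample blocklist using RFC 5737 documentation ranges. Adjacent
# and overlapping entries are included on purpose so collapse() has work to do.
SAMPLE_BLOCKLIST = [
    "192.0.2.0/25",      # TEST-NET-1, first half
    "192.0.2.128/25",    # TEST-NET-1, second half (adjacent -> merges to /24)
    "198.51.100.0/24",   # TEST-NET-2
    "198.51.100.64/26",  # contained in the entry above (redundant)
    "203.0.113.0/24",    # TEST-NET-3
]


def parse_networks(entries):
    """Parse CIDR strings; strict=False tolerates host bits set in an entry."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def collapse(networks):
    """Merge adjacent and overlapping prefixes (per address family) so the
    firewall set stays as small as possible."""
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            n for n in networks if n.version == version))
    return merged


def is_blocked(ip, networks):
    """True if the client address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def nft_rules(networks, ports=AUTH_PORTS, table="inet filter", chain="input"):
    """Render nftables statements: an interval set of the IPv4 prefixes and one
    rule dropping new TCP connections from that set to the auth ports only.
    (Assumed table/chain names; an IPv6 set would be built the same way.)"""
    v4 = [str(n) for n in networks if n.version == 4]
    port_list = ", ".join(str(p) for p in ports)
    lines = [
        f"add set {table} noauth_v4 {{ type ipv4_addr; flags interval; }}",
        f"add element {table} noauth_v4 {{ {', '.join(v4)} }}",
        f"add rule {table} {chain} ip saddr @noauth_v4 tcp dport "
        f"{{ {port_list} }} ct state new drop",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = collapse(parse_networks(SAMPLE_BLOCKLIST))
    print(nft_rules(nets))
    for probe in ("192.0.2.200", "198.51.100.70", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

Feeding the printed statements to `nft -f -` applies them; `is_blocked()` is the same membership test the kernel performs, useful for checking a user's reported address against the list before adding a temporary exception.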
