On 30.8.2013, at 20.54, Michael Smith (DF) wrote:
> We're already running fail2ban, but it doesn't seem that effective against
> botnets, when they only do one attempt per IP. Add that on top of load
> balancing between many servers... We've set up some rules to help, but still
> not that gre
On 9/3/2013 5:12 AM, Charles Marcus wrote:
>
> Ummm... maybe you didn't read what I wrote? That is what I meant
> by 'whitelist' in item 1... ;)
>
Yes, I think we're on the same page.
>
> On 2013-09-02 9:59 PM, ot...@ahhyes.net wrote:
>> Is there any way to limit the number of auth attempts allow
On 2013-09-02 5:11 PM, Noel wrote:
It would be a lot easier to deploy if some sort of blocker were
built into dovecot -- after X number of failures during Y seconds,
fail all future attempts for the account for T seconds.
But again, totally blocking all AUTH attempts like that even blocks
val
On 9/2/2013 8:35 AM, Charles Marcus wrote:
> 2. A blacklist that when triggered (x failed login attempts in x
> seconds), doesn't try to block the IP, but rather prevents login
> attempts for that user account from even reaching the AUTH stage -
> *unless* the IP in question is in the whitelist.
>
On 2013-09-02 9:35 AM, Charles Marcus wrote:
Well, it would be nice to have some way to stop brute force attacks
(rather than just letting one run rampant until the attacker gives up)
And I left out the obvious "... or worst case, is successful ..." -
which obviously is why we are having this
On 2013-09-02 4:12 AM, Stan Hoeppner wrote:
As others have suggested this seems a log clutter issue, nothing more.
Well, it would be nice to have some way to stop brute force attacks
(rather than just letting one run rampant until the attacker gives up) -
ie, attempted FAILED logins to the s
On 2013-09-01 3:59 PM, Noel wrote:
The objective of Stan's list is to reject dynamic hosts, because the
overwhelming majority of dynamic hosts trying to send via SMTP are
zombies.
For dovecot, the situation is quite different. Blocking all dynamic
IPs would be an obvious mistake.
Oops... you'
On 9/1/2013 2:59 PM, Noel wrote:
> On 9/1/2013 10:00 AM, Charles Marcus wrote:
...
>> Wonder if there's a way to leverage Stan Hoeppner's most excellent
>> botnet killer to reject AUTHs from the same types of clients
>> before they even try?
>
> The objective of Stan's list is to reject dynamic hos
On 9/1/2013 10:00 AM, Charles Marcus wrote:
> On 2013-08-30 7:55 PM, Joseph Tam wrote:
>> Michael Smith writes:
>>
>>> We're already running fail2ban, but it doesn't seem that effective
>>> against botnets, when they only do one attempt per IP.
>>
>> Yeah, distributed BFDs are tough to block unles
On 01 Sep 2013, at 09:00 , Charles Marcus wrote:
> On 2013-08-30 7:55 PM, Joseph Tam wrote:
>> Michael Smith writes:
>>
>>> We're already running fail2ban, but it doesn't seem that effective
>>> against botnets, when they only do one attempt per IP.
>>
>> Yeah, distributed BFDs are tough to blo
On 2013-08-30 7:55 PM, Joseph Tam wrote:
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.
Wonder if there's
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.
That leaves us back to getting dovecot to log the tried pass
mer and/or force a password change
before the account is used to send hundreds of thousands of spam.
-----Original Message-----
From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On
Behalf Of Joseph Tam
Sent: Thursday, August 22, 2013 11:30 PM
To: dovecot@dovecot.org
Subject
"Michael Smith (DF)" writes:
Or another option, are there any good DNS-based RBLs for botnet IPs, and
is there any way to tie that in to the dovecot auth system? I've been
looking for botnet rbls, but what I've found so far doesn't seem to
work very well. Most of the IPs that I've had to firewal
Have you or anyone else tried fail2ban?
I haven't had any break-in attempts since going to Dovecot yet, but with
qpopper it didn't work very well unless it hit an actual user on the server.
Then it would block the IP for a predetermined set amount of hits on
that username then it block for the t
On Thu, Aug 22, 2013 at 04:16:51PM +, Michael Smith (DF) wrote:
> Or another option, are there any good DNS-based RBLs for botnet IPs,
> and is there any way to tie that in to the dovecot auth system?
> I've been looking for botnet rbls, but what I've found so far
> doesn't seem to work very
Hi,
Since upgrading our mail servers to Postfix/Dovecot, we've seen a rather large
increase in botnet brute force password attacks. I guess our old servers were
too slow to suit their needs.
Now, when they hit upon a valid user, it's easy to see what passwords they are
trying (we've enabled a