On 30.8.2013, at 20.54, Michael Smith (DF) msm...@datafoundry.com wrote:
We're already running fail2ban, but it doesn't seem that effective against
botnets, when they only do one attempt per IP. Add that on top of load
balancing between many servers... We've set up some rules to help, but
On 2013-09-02 5:11 PM, Noel noeld...@gmail.com wrote:
It would be a lot easier to deploy if some sort of blocker were
built into dovecot -- after X number of failures during Y seconds,
fail all future attempts for the account for T seconds.
But again, totally blocking all AUTH attempts like
On 9/3/2013 5:12 AM, Charles Marcus wrote:
Ummm... maybe you didn't read what I wrote? That is what I meant
by 'whitelist' in item 1... ;)
Yes, I think we're on the same page.
On 2013-09-02 9:59 PM, ot...@ahhyes.net ot...@ahhyes.net wrote:
Is there any way to limit the number of auth
On 9/1/2013 2:59 PM, Noel wrote:
On 9/1/2013 10:00 AM, Charles Marcus wrote:
...
Wonder if there's a way to leverage Stan Hoeppner's most excellent
botnet killer to reject AUTHs from the same types of clients
before they even try?
The objective of Stan's list is to reject dynamic hosts,
On 2013-09-01 3:59 PM, Noel noeld...@gmail.com wrote:
The objective of Stan's list is to reject dynamic hosts, because the
overwhelming majority of dynamic hosts trying to send via SMTP are
zombies.
For dovecot, the situation is quite different. Blocking all dynamic
IPs would be an obvious
On 2013-09-02 4:12 AM, Stan Hoeppner s...@hardwarefreak.com wrote:
As others have suggested this seems a log clutter issue, nothing more.
Well, it would be nice to have some way to stop brute force attacks
(rather than just letting one run rampant until the attacker gives up) -
ie, attempted
On 2013-09-02 9:35 AM, Charles Marcus cmar...@media-brokers.com wrote:
Well, it would be nice to have some way to stop brute force attacks
(rather than just letting one run rampant until the attacker gives up)
And I left out the obvious ... or worst case, is successful ... -
which obviously
On 9/2/2013 8:35 AM, Charles Marcus wrote:
2. A blacklist that when triggered (x failed login attempts in x
seconds), doesn't try to block the IP, but rather prevents login
attempts for that user account from even reaching the AUTH stage -
*unless* the IP in question is in the whitelist.
The
On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote:
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.
On 01 Sep 2013, at 09:00 , Charles Marcus cmar...@media-brokers.com wrote:
On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote:
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah,
On 9/1/2013 10:00 AM, Charles Marcus wrote:
On 2013-08-30 7:55 PM, Joseph Tam jtam.h...@gmail.com wrote:
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block
hundreds of thousands of spam.
-Original Message-
From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On
Behalf Of Joseph Tam
Sent: Thursday, August 22, 2013 11:30 PM
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective
against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize
the clients well.
That leaves us back to getting dovecot to log the tried
Hi,
Since upgrading our mail servers to Postfix/Dovecot, we've seen a rather large
increase in botnet brute force password attacks. I guess our old servers were
too slow to suit their needs.
Now, when they hit upon a valid user, it's easy to see what passwords they are
trying (we've enabled
On Thu, Aug 22, 2013 at 04:16:51PM +, Michael Smith (DF) wrote:
Or another option, is there any good DNS based RBLs for botnet IPs,
and is there any way to tie that in to the dovecot auth system?
I've been looking for botnet rbls, but what I've found so far
doesn't seem to work very
Have you or anyone else tried fail2ban?
I haven't had any break-in attempts since going to Dovecot yet, but with
qpopper it didn't work very well unless it hit an actual user on the server.
Then it would block the IP for a predetermined set amount of hits on
that username then it block for the
Michael Smith (DF) writes:
Or another option, is there any good DNS based RBLs for botnet IPs, and
is there any way to tie that in to the dovecot auth system? I've been
looking for botnet rbls, but what I've found so far doesn't seem to
work very well. Most of the IPs that I've had to firewall