[
https://issues.apache.org/jira/browse/JAMES-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249359#comment-15249359
]
Bernd Waibel commented on JAMES-1723:
-------------------------------------
Using Linux there is a paket "fail2ban" which is worth to look at. It is using
iptables.
I am using it, but I do not currently use it for james, that means: I do not
have a fail2ban rule for AUTH logins.
http://www.fail2ban.org/wiki/index.php/Main_Page
For using fail2ban, you need to have the IP adress in the log file, which is
not the case in James 2.3.2
> Add protection from password bruteforcing
> -----------------------------------------
>
> Key: JAMES-1723
> URL: https://issues.apache.org/jira/browse/JAMES-1723
> Project: James Server
> Issue Type: New Feature
> Affects Versions: Trunk, 3.0-beta4, 3.0.0-beta5
> Reporter: Alexei Osipov
>
> Right now James has no mechanisms of protection against password forcing.
> For example, it's possible to connect to James via SMTP and execute AUTH
> command as many times as needed to guess user's password.
> Common practices that may be used by James:
> 1) Force disconnect after few unsuccessful AUTH requests.
> 2) Count failed AUTH requests by IP address and reject connections from that
> IP if number of failures reached some threshold.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
