Hi Dan,
> > Michael Stauber's Security Package does have POP3/IMAP 'recent'-based
> > protection.
> > And it works, pretty well. :)
>
> News to me, his website says that he only protects FTP, SSH & Telnet
> using the recent module!? [1]
Yes, in version 4.2.4 of my Security Package for BlueQuartz I have extended
the FTP, SSH and Telnet monitoring capability to also monitor the POP3 and
IMAP ports. I haven't updated the product webpage yet, though.
It also uses the iptables recent module, but with different settings than for
SSH, FTP and Telnet. Generally I give it a bit more leeway with regard to the
allowed number of connections in a given time frame than for SSH and FTP.
> It would be nice though if someone could tell me
> this really is possible. So far I think Chris Hemsing has summed up
> best why this is not possible in post coba-e:09210.
Yes, the "one size fits all" approach certainly doesn't work too well here.
There are cases where the default settings that I use for monitoring POP3 and
IMAP will not work for you. Like in that particular case that Chris used as an
example in coba-e:09210.
But when you have such a "power user" that really needs 50-100 POP3 or IMAP
connections from the same source IP in very short periods, then you can
always just whitelist that IP and therefore exclude it from monitoring.
So when you attempt something like this, make sure your rules for whitelisted
IP addresses or address ranges are handled before your recent rules kick in.
--
With best regards,
Michael Stauber
http://www.solarspeed.net
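The ordering point made in the reply above (whitelist rules must be evaluated before the recent rules), shown as an added example and not as code from Michael Stauber's Security Package. The chain name MAILGUARD, the 30-connections-per-minute threshold and the whitelisted addresses are illustrative assumptions; set IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example: 'recent'-based rate limiting of new POP3/IMAP connections with
# a whitelist that is consulted first. Chain name, thresholds and the sample
# whitelist addresses are assumptions, not the Security Package's settings.
IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of loading them
CHAIN="${CHAIN:-MAILGUARD}"
WHITELIST="${WHITELIST:-203.0.113.10 198.51.100.0/24}"  # constructed "power user" sources
WINDOW_SECONDS=60           # more leeway than SSH/FTP: allow up to HITCOUNT
HITCOUNT=30                 # new connections per source IP per minute

build_mail_guard() {
    # Create the chain and send every new POP3/IMAP connection through it.
    $IPT -N "$CHAIN"
    $IPT -A INPUT -p tcp -m multiport --dports 110,143,993,995 \
         -m conntrack --ctstate NEW -j "$CHAIN"
    # 1. Whitelist first: a matching source RETURNs before the recent list is
    #    touched, so it is neither counted nor dropped.
    for src in $WHITELIST; do
        $IPT -A "$CHAIN" -s "$src" -j RETURN
    done
    # 2. Record every remaining new connection in the 'pop3imap' recent list.
    $IPT -A "$CHAIN" -m recent --name pop3imap --set
    # 3. Drop sources that exceed HITCOUNT new connections within WINDOW_SECONDS.
    $IPT -A "$CHAIN" -m recent --name pop3imap --update \
         --seconds "$WINDOW_SECONDS" --hitcount "$HITCOUNT" -j DROP
    $IPT -A "$CHAIN" -j RETURN
}

# Sanity check on the generated rule order: the first whitelist RETURN must
# appear before the first '-m recent' rule. Returns 0 when the order is right.
whitelist_precedes_recent() {
    ( IPT=echo; build_mail_guard ) | awk -v chain="$CHAIN" '
        $0 ~ ("-A " chain " -s .* -j RETURN") && !w { w = NR }
        $0 ~ "-m recent" && !r { r = NR }
        END { exit !(w && r && w < r) }'
}
```

Run it as root to load the rules, or with IPT=echo to review them; whitelist_precedes_recent can be used as a pre-flight check in a larger script.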