
Date:  Sun, 25 Mar 2007 19:21:43 +0100
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:09274] Re: dictionary attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4606BDB7.4040609 (at mark) dogsbody.org>
In-Reply-To:  <200703241225.20488.bq (at mark) solarspeed.net>
References:  <027e01c76c72$9bd75300$3701a8c0 (at mark) lapxp> <46027D2A.8030208 (at mark) dogsbody.org> <200703241225.20488.bq (at mark) solarspeed.net>
X-Mail-Count: 09274


> Yes, in version 4.2.4 of my Security Package for BlueQuartz I have extended 
> the FTP, SSH and Telnet monitoring capability to also monitor the POP3 and 
> IMAP ports. I haven't updated the product webpage yet, though.
> 
> It also uses the iptables recent module, but with different settings than for 
> SSH, FTP and Telnet. Generally I give it a bit more leeway in regards to the 
> allowed number of connections in a given time frame than for SSH and FTP.

Brilliant, thank you Michael for confirming this is possible. :-)

> Yes, the "one size fits all" approach certainly doesn't work too well here. 
> There are cases where the default settings that I use for monitoring POP3 and 
> IMAP will not work for you. Like in that particular case that Chris used as 
> example in coba-e:09210. 

Well, I'm going to start off with my limit set so that the 12th new connection to 
IMAP/IMAPS/POP3/POP3S in 60 seconds results in a 15 min ban. We'll see how this 
goes :-)

> But when you got such a "power user" that really needs 50-100 POP3 or IMAP 
> connections from the same source IP in very short periods, then you can 
> always just whitelist that IP and therefore exclude it from monitoring.
> 
> So when you attempt something like this, make sure your rules for whitelisted 
> IP addresses or address ranges are handled before your recent rules kick in.

Good point, thank you.

Dan
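Added example (not from this thread and not the rules shipped in Michael's Security Package): a shell script that builds the policy Dan describes with the iptables recent module, with the whitelist evaluated before any recent rule, as Michael advises. The chain name MAIL_LIMIT, the list names MAILTRACK/MAILBAN and the whitelist addresses are assumptions chosen for the example. By default it only prints the iptables commands (dry run); run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Rate-limit NEW POP3/IMAP connections per source IP with the iptables
# "recent" module. Added example, not code from the original post or from
# the Security Package for BlueQuartz.
#
# Policy from the thread: the 12th new connection from one source within
# 60 seconds puts that source on a ban list for 15 minutes (900 s).
# Whitelisted sources are handled first, so they are never counted or banned.
#
# Dry run (default) prints the commands; IPT=iptables ./mailratelimit.sh applies them.

IPT="${IPT:-echo iptables}"
MAIL_PORTS="110,143,993,995"   # POP3, IMAP, IMAPS, POP3S
HITS=12                         # connection count within WINDOW that triggers the ban
WINDOW=60                       # seconds
BAN=900                         # seconds (15 min)
# Hypothetical "power user" sources (example values, not real addresses).
WHITELIST="${WHITELIST:-192.0.2.10 198.51.100.0/24}"

mail_ratelimit_rules() {
    # Dedicated chain so the rules are easy to inspect and flush.
    $IPT -N MAIL_LIMIT 2>/dev/null
    $IPT -F MAIL_LIMIT

    # 1. Whitelist first: exempt sources leave the chain before any recent
    #    rule runs, so they never appear in MAILTRACK or MAILBAN.
    for src in $WHITELIST; do
        $IPT -A MAIL_LIMIT -s "$src" -j RETURN
    done

    # 2. Already banned? --rcheck does not refresh the entry's timestamp, so
    #    the ban expires BAN seconds after it was set even if the source keeps
    #    connecting. (--update would renew it on every attempt and extend the
    #    ban for as long as the attack continues.)
    $IPT -A MAIL_LIMIT -m recent --name MAILBAN --rcheck --seconds "$BAN" -j DROP

    # 3. Record this connection, then test the window. The --set always
    #    matches; the --rcheck with --hitcount matches on the HITSth hit within
    #    WINDOW seconds (the hit just recorded counts), at which point the
    #    second recent match adds the source to MAILBAN and the packet is dropped.
    $IPT -A MAIL_LIMIT -m recent --name MAILTRACK --set
    $IPT -A MAIL_LIMIT -m recent --name MAILTRACK --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
         -m recent --name MAILBAN --set -j DROP

    # 4. Send only NEW TCP connections to the mail ports through the chain.
    #    On a live box this jump must sit before any rule that already ACCEPTs
    #    these ports, so use -I with a position instead of -A there.
    $IPT -A INPUT -p tcp -m multiport --dports "$MAIL_PORTS" -m state --state NEW -j MAIL_LIMIT
}

mail_ratelimit_rules
```

Two limits of the recent module matter here: the per-entry packet history defaults to 20 timestamps (ip_pkt_list_tot), so --hitcount must stay at or below that, and each list holds 100 addresses by default (ip_list_tot); a busy mail server wants both raised as xt_recent module parameters. Entries can be inspected and removed by hand through /proc/net/xt_recent/MAILBAN (on 2.6.9-era kernels such as the BlueQuartz CentOS 4 base the path is /proc/net/ipt_recent/MAILBAN); writing "-203.0.113.5" to the file unbans that address. The NAT case Chris raised earlier in the thread is exactly what the whitelist loop is for: an office or webmail host behind one public IP will hit 12 connections a minute legitimately.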