Firewall, blocking POP3
derek at computinginnovations.com
Sun Jun 3 20:58:00 UTC 2012
At 07:18 PM 5/30/2012, Robert Bonomi wrote:
> > From jbiquez at intranet.com.mx Wed May 30 13:48:05 2012
> > Date: Wed, 30 May 2012 13:47:34 -0500
> > To: Robert Bonomi <bonomi at mail.r-bonomi.com>
> > From: Jorge Biquez <jbiquez at intranet.com.mx>
> > Subject: Re: Firewall, blocking POP3
> > Cc: freebsd-questions at freebsd.org
> > Hello.
> > Thanks a lot!. Simple an elegant solution.
> > I just did that and of course it worked.... I just was wondering...
> > what if I need to have the service working BUT want to block those
> > break attemps? IN this and other services. ?
> > My guess is that it is a never ending process? I mean, block one,
> > block another, another, etc?
>If one knows the address-blocks that legitimate customers will be using,
>one can block off access from 'everywhere else'.
> > What the people who has big servers running for hosting services are
> > doing? Or you just have a policy of strng passworrds, server
> > up-todate and let the attemps to try forever?
>There are tools like 'fail2ban' that can be used to lock out persistant
>Also, one can do things like allow mail access (POP, IMAP, 'whatever')
>only via a port that is 'tunneled' through an SSH/SSL connection.
>This eliminates almost all doorknob rattling on the mail access ports,
>but gets lots of attempts on the SSH port. Which is generally not a
>problem, since the SSH keyspace is vastly larger, and more evenly
>distributed, than that for plaintext passwords.
>To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
>it on a non-standard port. This does =not= increase the actual security
>of the system, but it does greatly reduce the 'noise' in the logs -- so
>any actual attack attempt is much more obvious.
You can use /etc/hosts.allow to list your "friendly" IP's allowed by
protocol. This provides an easy way to block all foreign users. You can
use wildcards in this file, so if you need to allow users in for POP access
from an ISP, you can do that.
Also, if you do have wide array of addresses you need to let in, you may
want to put the email services in a jail.
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the freebsd-questions