Firewall, blocking POP3
bonomi at mail.r-bonomi.com
Thu May 31 00:18:02 UTC 2012
> From jbiquez at intranet.com.mx Wed May 30 13:48:05 2012
> Date: Wed, 30 May 2012 13:47:34 -0500
> To: Robert Bonomi <bonomi at mail.r-bonomi.com>
> From: Jorge Biquez <jbiquez at intranet.com.mx>
> Subject: Re: Firewall, blocking POP3
> Cc: freebsd-questions at freebsd.org
> Thanks a lot!. Simple an elegant solution.
> I just did that and of course it worked.... I just was wondering...
> what if I need to have the service working BUT want to block those
> break attemps? IN this and other services. ?
> My guess is that it is a never ending process? I mean, block one,
> block another, another, etc?
If one knows the address-blocks that legitimate customers will be using,
one can block off access from 'everywhere else'.
> What the people who has big servers running for hosting services are
> doing? Or you just have a policy of strng passworrds, server
> up-todate and let the attemps to try forever?
There are tools like 'fail2ban' that can be used to lock out persistant
Also, one can do things like allow mail access (POP, IMAP, 'whatever')
only via a port that is 'tunneled' through an SSH/SSL connection.
This eliminates almost all doorknob rattling on the mail access ports,
but gets lots of attempts on the SSH port. Which is generally not a
problem, since the SSH keyspace is vastly larger, and more evenly
distributed, than that for plaintext passwords.
To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
it on a non-standard port. This does =not= increase the actual security
of the system, but it does greatly reduce the 'noise' in the logs -- so
any actual attack attempt is much more obvious.
More information about the freebsd-questions