Date:      Sun, 03 Jun 2012 15:57:48 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Robert Bonomi <bonomi@mail.r-bonomi.com>, jbiquez@intranet.com.mx
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Firewall, blocking POP3
Message-ID:  <6.0.0.22.2.20120603155503.06097508@mail.computinginnovations.com>
In-Reply-To: <201205310018.q4V0IBBL020440@mail.r-bonomi.com>
References:  <3421248490-1670043744@intranet.com.mx> <201205310018.q4V0IBBL020440@mail.r-bonomi.com>

At 07:18 PM 5/30/2012, Robert Bonomi wrote:
> > From jbiquez@intranet.com.mx  Wed May 30 13:48:05 2012
> > Date: Wed, 30 May 2012 13:47:34 -0500
> > To: Robert Bonomi <bonomi@mail.r-bonomi.com>
> > From: Jorge Biquez <jbiquez@intranet.com.mx>
> > Subject: Re: Firewall, blocking POP3
> > Cc: freebsd-questions@freebsd.org
> >
> > Hello.
> >
> > Thanks a lot! Simple and elegant solution.
> >
> > I just did that and of course it worked.... I was just wondering...
> > what if I need to have the service working BUT want to block those
> > break-in attempts? In this and other services?
> > My guess is that it is a never-ending process? I mean, block one,
> > block another, another, etc.?
>
>If one knows the address-blocks that legitimate customers will be using,
>one can block off access from 'everywhere else'.
>
> > What are the people who have big servers running for hosting services
> > doing? Or do you just have a policy of strong passwords, server
> > up-to-date, and let the attempts go on forever?
>
>There are tools like 'fail2ban' that can be used to lock out persistent
>doorknob-rattlers.
>
>Also, one can do things like allow mail access (POP, IMAP, 'whatever')
>only via a port that is 'tunneled' through an SSH/SSL connection.
>
>This eliminates almost all doorknob rattling on the mail access ports,
>but gets lots of attempts on the SSH port.  Which is generally not a
>problem, since the SSH keyspace is vastly larger, and more evenly
>distributed, than that for plaintext passwords.
>
>To eliminate virtually all the 'noise' from SSH doorknob-rattling, run
>it on a non-standard port.  This does =not= increase the actual security
>of the system, but it does greatly reduce the 'noise' in the logs -- so
>any actual attack attempt is much more obvious.
>

You can use /etc/hosts.allow to list your "friendly" IPs allowed by 
protocol.  This provides an easy way to block all foreign users.  You can 
use wildcards in this file, so if you need to allow users in for POP access 
from an ISP, you can do that.

Also, if you do have a wide array of addresses you need to let in, you may 
want to put the email services in a jail.

-Derek
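The hosts.allow approach described above, as an added example that is not part of the original thread: a constructed /etc/hosts.allow in FreeBSD's single-file syntax (daemon_list : client_list : allow|deny) together with a small Python matcher that applies tcp_wrappers' first-match-wins evaluation, so you can see who would get in before deploying the file. The daemon names (pop3d, imapd, sshd), the address blocks and the rule order are assumptions for illustration; only the ALL, trailing-dot prefix, net/mask and exact-address client patterns are modelled (hostname suffixes, EXCEPT, KNOWN/PARANOID and the twist/spawn options are not).

```python
import ipaddress

# Constructed sample /etc/hosts.allow (FreeBSD single-file syntax:
# daemon_list : client_list : allow|deny).  Daemon names and networks
# are placeholders for illustration, not taken from the original thread.
HOSTS_ALLOW = """\
# Mail clients: the office LAN and the ISP block our users come from
pop3d imapd : 192.168.1. 203.0.113.0/255.255.255.0 : allow
# SSH only from the admin workstation
sshd : 192.168.1.10 : allow
# Anything not matched above is refused (must stay last)
ALL : ALL : deny
"""

# The same rules with the catch-all moved to the top: a common mistake.
HOSTS_ALLOW_WRONG_ORDER = """\
ALL : ALL : deny
pop3d imapd : 192.168.1. 203.0.113.0/255.255.255.0 : allow
sshd : 192.168.1.10 : allow
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns, action), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].split()
        clients = fields[1].split()
        # A missing option field means "allow" in hosts.allow.
        action = "deny" if len(fields) > 2 and fields[2].lower() == "deny" else "allow"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, addr):
    """Subset of hosts_access(5) client patterns, for IPv4 addresses only."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # "192.168.1." is a textual prefix
        return addr.startswith(pattern)
    if "/" in pattern:                            # "n.n.n.n/m.m.m.m" is net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return addr == pattern                        # exact address


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def decide(rules, daemon, addr):
    """First matching rule wins; if no rule matches, tcp_wrappers grants access."""
    for daemons, clients, action in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return action
    return "allow"


def check(text, daemon, addr):
    """Parse a hosts.allow body and decide one (daemon, client address) pair."""
    return decide(parse_rules(text), daemon, addr)


if __name__ == "__main__":
    for daemon, addr in [("pop3d", "192.168.1.55"), ("pop3d", "192.168.10.5"),
                         ("pop3d", "203.0.113.77"), ("pop3d", "198.51.100.3"),
                         ("sshd", "192.168.1.10"), ("sshd", "192.168.1.55")]:
        print(f"{daemon:6s} from {addr:15s} -> {check(HOSTS_ALLOW, daemon, addr)}"
              f"  (wrong order: {check(HOSTS_ALLOW_WRONG_ORDER, daemon, addr)})")
```

Two things the checker makes visible: the trailing dot in `192.168.1.` is a string prefix, so it matches 192.168.1.55 but not 192.168.10.5, and rules are evaluated top to bottom with the first match deciding, so a catch-all `ALL : ALL : deny` placed first refuses everyone, including the LAN. Also keep in mind that hosts.allow only governs daemons that are linked against libwrap or started through inetd, so confirm that your POP3/IMAP server actually consults it; on FreeBSD, tcpdmatch(8) exercises the real file the same way this script exercises the sample.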

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20120603155503.06097508>