Author: Tamas TEVESZ
Date:
To: exim-users
Subject: Re: [Exim] smtp auth and brute force attacks

On Thu, 3 Oct 2002, Philip Hazel wrote:
> I've noted the problem. Probably putting in some delay AND a total count

but how do you keep a total count ? (i'm referring to exim being
decentralized and the like). and for what timeframe ?

> is the best approach. Just dropping the connection after AUTH doesn't
> really help all that much - the bad guy just makes a new connection.
>
> Or maybe always return FAIL after 5 tries?

in the same connection only, or all subsequent connections as well ?
first makes no sense imho (because of what you mentioned already), the
second one is a big `shoot here' sign for dos attacks.

i'd hazard a guess that this issue is best solved outside exim -
whoever needs such protection, should use some external auth source
(like pam, sql lookups, ldap lookups or whatever), and this logic
should be implemented there, always tailored for one's own
preferences.
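
An added example, not part of this message and not Exim code: one way an external auth helper could keep the total count across independent SMTP processes, using a shared SQLite file and a sliding time window. Failures are counted per source address rather than per account, so one host's failures do not lock the account owner out; the function names, the 10-minute window and the limit of 5 are assumptions.

```python
import sqlite3

WINDOW = 600     # seconds of history that count (assumed value)
MAX_FAILS = 5    # failures allowed per source IP inside the window (assumed)


def open_store(path=":memory:"):
    # Pass a file path in production so every SMTP process shares one store.
    db = sqlite3.connect(path, isolation_level=None)  # autocommit
    db.execute("CREATE TABLE IF NOT EXISTS fails (ip TEXT, user TEXT, ts REAL)")
    db.execute("CREATE INDEX IF NOT EXISTS fails_ip ON fails (ip, ts)")
    return db


def record_failure(db, ip, user, now):
    # Log the failure, then expire rows that fell out of the window.
    db.execute("INSERT INTO fails VALUES (?, ?, ?)", (ip, user, now))
    db.execute("DELETE FROM fails WHERE ts < ?", (now - WINDOW,))


def recent_failures(db, ip, now):
    row = db.execute(
        "SELECT COUNT(*) FROM fails WHERE ip = ? AND ts >= ?",
        (ip, now - WINDOW),
    ).fetchone()
    return row[0]


def decide(db, ip, now):
    """Return ('refuse', 0) or ('allow', delay_seconds) for an AUTH attempt."""
    n = recent_failures(db, ip, now)
    if n >= MAX_FAILS:
        return ("refuse", 0)
    # Growing delay before the limit is reached: 0, 1, 3, 7, 15 seconds.
    return ("allow", min(2 ** n - 1, 30))


if __name__ == "__main__":
    db = open_store()
    # Constructed sample: one host fails five times against the same account.
    for t in range(1000, 1005):
        record_failure(db, "203.0.113.7", "alice", t)
    print(decide(db, "203.0.113.7", 1005))   # the failing host
    print(decide(db, "198.51.100.9", 1005))  # alice's own host
```

Counting per source address does not see attempts spread thinly over many addresses; a per-account count would, but it brings back the lockout problem raised above.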