Re: cyrus sasl Password lock after n failed attempts

2012-10-12 Thread Scott Lambert
On Fri, Oct 12, 2012 at 04:54:12PM +1030, Daniel O'Connor wrote:
> 
> On 12/10/2012, at 15:21, Ram  wrote:
> > Of late I have seen lots of attempts at getting in weak
> > passwords.  Is there a way I can implement password lock out within
> > cyrus if there are more than n consecutive bad attempts?
>
> I think a feature like this is likely to result in a denial of service
> to yourself :)
>
> I use sshguard which can parse many different programs' outputs (not
> just SSH) for failed login attempts and then add a rule to a firewall
> to block the IP making the attempts.
>
> It has support for many different firewall types - I use PF but it
> does ipfw, iptables, etc.
>
> It is probably available as a package for your OS/distro or you can
> get it from http://www.sshguard.net/

There is also fail2ban (python based) which is working well for me.

It just depends on which tool you like best.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
lamb...@lambertfam.org

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
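The log-watching approach discussed in this thread (count failed logins per source IP and block that IP, instead of locking the account), as an added example that is not part of the thread and is not code from sshguard or fail2ban. The `badlogin` log layout, the sample lines, and the `offenders` function with its thresholds are assumptions; adjust the regex to what your syslog actually contains.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The "badlogin" layout is an assumed format for
# failed Cyrus imapd logins in syslog; the IPs are documentation addresses.
SAMPLE_LOG = """\
Oct 12 09:00:00 mail imap[2001]: badlogin: [192.0.2.9] plaintext dave SASL(-13): authentication failed: checkpass failed
Oct 12 09:30:00 mail imap[2040]: badlogin: [192.0.2.9] plaintext dave SASL(-13): authentication failed: checkpass failed
Oct 12 10:00:01 mail imap[2101]: badlogin: h1.example [203.0.113.7] plaintext alice SASL(-13): authentication failed: checkpass failed
Oct 12 10:00:09 mail imap[2102]: badlogin: h1.example [203.0.113.7] plaintext bob SASL(-13): authentication failed: checkpass failed
Oct 12 10:00:15 mail imap[2103]: badlogin: h1.example [203.0.113.7] plaintext carol SASL(-13): authentication failed: checkpass failed
Oct 12 10:01:00 mail imap[2110]: badlogin: [198.51.100.20] plaintext alice SASL(-13): authentication failed: checkpass failed
Oct 12 10:01:20 mail imap[2111]: login: [198.51.100.20] alice plaintext User logged in
Oct 12 10:05:00 mail imap[2150]: badlogin: [192.0.2.9] plaintext dave SASL(-13): authentication failed: checkpass failed
"""

BADLOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+\[\d+\]: badlogin: "
    r"\S* ?\[(?P<ip>[0-9a-fA-F.:]+)\] \S+ (?P<user>\S+) SASL\(-13\)")

def offenders(log_text, max_failures=3, window=timedelta(minutes=10), year=2012):
    """Map each source IP that reached max_failures inside the sliding
    window to the sorted list of usernames it tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    tried = defaultdict(set)      # ip -> usernames seen in failed logins
    flagged = {}
    for line in log_text.splitlines():
        m = BADLOGIN.match(line)
        if not m:
            continue              # successful logins and other noise
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        tried[ip].add(m["user"])
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = sorted(tried[ip])
    return flagged

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG).items():
        print(f"block {ip}  (tried: {', '.join(users)})")
```

Because the counter is keyed on the source IP, alice's single mistyped password from her own address is never counted against the guessing host, so her account stays usable, which is the self-inflicted denial of service the account-lockout approach risks.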


Re: cyrus sasl Password lock after n failed attempts

2012-10-11 Thread Daniel O'Connor

On 12/10/2012, at 15:21, Ram  wrote:
> Of late I have seen lots of attempts at getting in weak passwords.
> Is there a way I can implement password lock out within cyrus if there
> are more than n consecutive bad attempts?


I think a feature like this is likely to result in a denial of service to 
yourself :)

I use sshguard which can parse many different programs' outputs (not just SSH) 
for failed login attempts and then add a rule to a firewall to block the IP 
making the attempts. 

It has support for many different firewall types - I use PF but it does ipfw, 
iptables, etc.

It is probably available as a package for your OS/distro or you can get it from 
http://www.sshguard.net/

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C









Re: cyrus sasl Password lock after n failed attempts

2012-10-11 Thread Dan White
On 10/12/12 10:21 +0530, Ram wrote:
>Hi
>I am using cyrus saslauthd with pam_ldap for authentication.
>
>Of late I have seen lots of attempts at getting in weak passwords.
>Is there a way I can implement password lock out within cyrus if there
>are more than n consecutive bad attempts?

I am not aware of a SASL-specific way to lock out accounts automatically.

If your LDAP server is OpenLDAP, see slapo-ppolicy(5). Other approaches
include logcheck, pam_tally, and (Linux-specific):

http://www.debian-administration.org/articles/187

-- 
Dan White



cyrus sasl Password lock after n failed attempts

2012-10-11 Thread Ram
Hi
I am using cyrus saslauthd with pam_ldap for authentication.

Of late I have seen lots of attempts at getting in weak passwords.
Is there a way I can implement password lock out within cyrus if there 
are more than n consecutive bad attempts?


