Agreed,
with ldap I can protect accounts against someone knowing the account name (or 
correctly guessing it). Doing so I risk a DoS. With fail2ban I can prevent 
someone from "random" login attempts - most don't even know the user name.
Moreover, when an ldap account is blocked, what prevents the attacker from going on 
and trying the next account?
Greez,
Arnd

On Thursday, 07 February 2013 19:05 CET, Jean Raby <[email protected]> 
wrote: 
 
> On 13-02-07 11:43 AM, Ben wrote:
> > Slightly off topic, but an alternative to fail2ban is, I believe,
> > password policy overlay for ldap (if using ldap for auth). It allows a
> > limit on max login attempts within a set time period among other
> > features. This has the advantage of locking the account at the source so
> > it works on sogo, imap, smtp tls, etc, et
> 
> It depends on your needs I guess.
> With fail2ban you block the ip or do some arbitrary processing with the 
> ip, with password policy you lock the account (which can mean that 
> anyone can lock any account - DoS).
> 
> 
> -- 
> Jean Raby
> [email protected]  ::  +1.514.447.4918 (x120) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
> (www.packetfence.org)
> -- 
> [email protected]
> https://inverse.ca/sogo/lists
 
 
 
 
-- 
[email protected]
https://inverse.ca/sogo/lists
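
An added illustration of the trade-off discussed in this thread (not code from any poster, nor from SOGo, fail2ban or OpenLDAP): the same sliding-window failure counter keyed by source IP, as fail2ban's `maxretry`/`findtime` do, and keyed by account, as the ppolicy overlay's `pwdMaxFailure`/`pwdFailureCountInterval` do. The events, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed failed-login events: (seconds, source IP, account name).
EVENTS = [
    # Failures against one known account, each from a different address.
    (0, "203.0.113.5", "alice"),
    (30, "203.0.113.6", "alice"),
    (60, "203.0.113.7", "alice"),
    # One address walking through accounts, one failure per account.
    (100, "198.51.100.7", "bob"),
    (110, "198.51.100.7", "carol"),
    (120, "198.51.100.7", "dave"),
]


def tripped(events, field, max_failures, window):
    """Return the keys (IPs or accounts) that reach max_failures
    failures within any `window`-second span."""
    index = {"ip": 1, "account": 2}[field]
    recent = defaultdict(deque)
    hit = set()
    for event in sorted(events):
        ts, key = event[0], event[index]
        q = recent[key]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            hit.add(key)
    return hit


def compare(events, max_failures=3, window=600):
    """Apply both policies to the same event stream."""
    return {
        # fail2ban-style: the offending address is blocked.
        "banned_ips": tripped(events, "ip", max_failures, window),
        # ppolicy-style: the targeted account is locked for everyone,
        # including its legitimate owner (the DoS raised in the thread).
        "locked_accounts": tripped(events, "account", max_failures, window),
    }


if __name__ == "__main__":
    for policy, keys in compare(EVENTS).items():
        print(policy, sorted(keys))
```

With these events the per-account policy locks `alice` but never notices the address that moves on to the next account, while the per-IP policy bans that address but never reacts to the failures against `alice`.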
