On Aug 16, 2008, at 11:14 AM, Mark Sapiro wrote:
Exactly. These days, IP spoofing is most useful to hide the identity of
the perpetrator of a DoS attack. It certainly is not applicable to a
dictionary attack on POP3 or other logins since with a spoofed IP, the
perpetrator will never see the response to determine if the login
attempt was successful.

I stand corrected... sorry.  I was thinking of an http cross-site
attack which also seems popular nowadays.

So if I read you right then you would consider the IP address shown
in the original thread post..

dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module

..216.31.146.19, to be a party to the attack and therefore a
candidate for locking out?

Yes. I do it (with my own script, not fail2ban, but it works the same
way).

Thank you for the clarification.

B. Bodger
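
The lockout decision discussed in this thread, as an added example (not Mark Sapiro's script and not fail2ban's code): it parses the dovecot PAM failure lines quoted above and flags source IPs with repeated failures inside a time window. The function names, the threshold of 3 failures, the 10-minute window and the year argument are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
dovecot: Aug 15 04:15:45 Error: auth-worker(default): pam(mike, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:49 Error: auth-worker(default): pam(alan, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:53 Error: auth-worker(default): pam(info, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
dovecot: Aug 15 04:15:57 Error: auth-worker(default): pam(shop, 216.31.146.19): pam_authenticate() failed: User not known to the underlying authentication module
"""

# Matched from the start of the line, and the username may not contain ',' or
# parentheses, so text typed into the login name cannot pose as a log entry.
FAIL_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Error: auth-worker\(\w+\): "
    r"pam\((?P<user>[^,()]*),\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): "
    r"pam_authenticate\(\) failed"
)

def parse_failures(text, year=2008):
    """Yield (timestamp, user, ip) for each failed PAM login line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # The log lines carry no year; the caller supplies it (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def lockout_candidates(text, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: usernames tried} for IPs with max_failures inside window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= max_failures:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    print(lockout_candidates(SAMPLE_LOG))
```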

