Re: [courier-users] How to track failed authentication attempts?
From: Alessandro V. <ve...@ta...> - 2011-02-25 10:22:35
On 24/Feb/11 22:23, Carlos Lopez wrote:
>> The Kernel lacks support of "Deep Packet Inspection"... With DPI
>> you can do all dirty tricks to leave crackers out of the box/net.
>
> It is true that the main kernel does not support it, but there are
> many commercial vendors that are open sourcing their products in a
> way to be on the Open Source arena, read this article from the
> internet:
>
> http://www.linux.com/news/enterprise/networking/44079-deep-packet-inspection-engine-goes-open-source

Maybe I'm missing something, but it seems to me that

1. The Linux kernel, via iptables, supports inspecting _any_ value in a
   filtered packet. If tougher inspection is required, the packet can be
   passed to a userspace daemon using netfilter (which OpenDPI apparently
   can also do.)

2. OpenDPI software is involved in classifying protocols and applications,
   which is not much relevant for SMTP/IMAP/POP authentication, as we know
   both the protocol and the application already.

3. After the TLS handshake, OpenDPI filters are not able to know the details
   of the communication. (In principle, knowing the server's key and having
   traced the handshake, it should be possible to decrypt packets' content.
   The closed-source version "ipoque" is claimed to be "able to detect
   encrypted or obfuscated protocols as well", and this may be what they
   mean.)

4. Still, failed authentication attempts from crackers look exactly like
   legitimate ones, except for their amount. Tracking them correctly implies
   knowledge of the users database (in addition to the server's keys), hence
   it is much much harder to do it using an external tool.

--
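Point 4 above is the practical one: after TLS, the only place where the username, the outcome and the client address are all visible in clear is the server's own log, and the only feature that separates a password-guessing run from a user mistyping is volume. The script below is an added example written for this thread, not code from Alessandro's post or from the Courier project. It counts failed IMAP/POP3 logins per client address over a sliding time window and flags addresses that exceed a threshold. The log line shape ("imapd: LOGIN FAILED, user=..., ip=[...]") is an assumption modelled on courier-imap's syslog output, and the sample lines are constructed; the regex and the thresholds are the parts to adapt.

```python
"""Count failed Courier IMAP/POP3 logins per client address from syslog lines.

Added example for the courier-users thread, not part of the original post or
of Courier itself. The line format below is an assumption modelled on
courier-imap's syslog output; SAMPLE_LOG is constructed test data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix followed by an imapd/pop3d LOGIN or LOGIN FAILED record (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>imapd|pop3d)(?:-ssl)?(?:\[\d+\])?: "
    r"(?P<result>LOGIN FAILED|LOGIN), user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)

# Constructed sample: one user mistyping twice, one address guessing several
# accounts within two minutes, one address failing slowly over two hours.
SAMPLE_LOG = """\
Feb 25 10:00:01 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Feb 25 10:00:09 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Feb 25 10:00:20 mail imapd: LOGIN, user=alice, ip=[::ffff:198.51.100.7], protocol=IMAP
Feb 25 10:01:00 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.9]
Feb 25 10:01:02 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:203.0.113.9]
Feb 25 10:01:05 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:203.0.113.9]
Feb 25 10:01:07 mail imapd: LOGIN FAILED, user=info, ip=[::ffff:203.0.113.9]
Feb 25 10:01:09 mail imapd: LOGIN FAILED, user=sales, ip=[::ffff:203.0.113.9]
Feb 25 10:02:30 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.9]
Feb 25 09:00:00 mail imapd: LOGIN FAILED, user=bob, ip=[2001:db8::5]
Feb 25 09:20:00 mail imapd: LOGIN FAILED, user=bob, ip=[2001:db8::5]
Feb 25 09:40:00 mail imapd: LOGIN FAILED, user=bob, ip=[2001:db8::5]
Feb 25 10:00:00 mail imapd: LOGIN FAILED, user=bob, ip=[2001:db8::5]
Feb 25 10:20:00 mail imapd: LOGIN FAILED, user=bob, ip=[2001:db8::5]
Feb 25 10:30:00 mail kernel: unrelated message
"""


def parse_auth_events(lines):
    """Return (timestamp, daemon, success, user, ip) tuples for recognised lines."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog traffic
        # Syslog carries no year; strptime defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        if ip.startswith("::ffff:"):  # Courier logs IPv4 clients as v4-mapped IPv6
            ip = ip[len("::ffff:"):]
        events.append((ts, m.group("daemon"), m.group("result") == "LOGIN", m.group("user"), ip))
    return events


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag addresses with >= threshold failures inside any sliding window.

    Returns {ip: (peak_failures_in_window, distinct_users_tried)}. Counting
    distinct usernames separates account guessing from one user's typos.
    """
    failures = defaultdict(list)
    users = defaultdict(set)
    for ts, _daemon, ok, user, ip in parse_auth_events(lines):
        if not ok:
            failures[ip].append(ts)
            users[ip].add(user)

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, nusers) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failures in 10 min across {nusers} usernames")
```

Run against a real log with `find_bruteforce(open("/var/log/mail.log").read().splitlines())`; the slow guesser at `2001:db8::5` is deliberately below the default threshold to show that the window size, not just the count, decides what gets flagged, so tune both to the traffic you actually see.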