Carefully, Correctly Wrong ([info]diffrentcolours) wrote,
@ 2009-01-13 23:19:00
Current mood:accomplished
Current music:The White Stripes - "You Don't Know What Love Is"

Encryption and Authentication
I run logwatch on the machine which hosts my mail, websites, IRC client etc. I was annoyed recently to see a machine in Taiwan trying to guess a valid mail username and password on my server in an attempt to relay mail through it. I wasn't particularly worried, since all my mail user passwords are randomly generated and very hard to guess, but it was pretty annoying.

While investigating solutions to this, I noticed that it was possible to authenticate (i.e. give a username and password, which then lets you relay mail through my server, rather than just deliver mail to its users) without encryption (a layer of magic which stops people eavesdropping on your connection). Now, this isn't particularly a problem because (1) I was using encryption anyway, and (2) even if I hadn't been, the authentication method I was using doesn't require either side to actually reveal the password, so it couldn't be used by an eavesdropper.

On the other hand, it was still potentially allowing my mail to be read by anybody it passed by (such as the people running a wireless network in a cafe or hotel), which is pretty bad form - had I misconfigured my mail client, which I hadn't. So I felt this was a loophole which needed closing, and the mail server docs told me how.
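The loophole above is visible from the outside: a server that advertises AUTH in its cleartext EHLO reply will accept a password before STARTTLS. This is an added audit script, not from the original post or any particular mail server's docs; the EHLO replies in it are constructed, and the hostname in the live probe is a placeholder for a server you administer.

```python
"""Check whether an SMTP submission server offers AUTH before STARTTLS."""
import smtplib


def parse_ehlo(reply: str) -> dict:
    """Turn the body of an EHLO reply into {extension: parameters}.
    Mirrors smtplib's SMTP.esmtp_features: line 1 is the server name,
    every later line is one extension keyword (lowercased here)."""
    features = {}
    for line in reply.splitlines()[1:]:
        parts = line.split(None, 1)
        if parts:
            features[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return features


def classify(pre_tls: dict, post_tls) -> str:
    """pre_tls: features from the cleartext EHLO; post_tls: features from
    the EHLO sent after STARTTLS, or None if STARTTLS was never offered."""
    if "auth" in pre_tls:
        return "auth-without-tls"   # the loophole described in the post
    if post_tls is None:
        return "no-starttls"        # no way to authenticate safely at all
    if "auth" in post_tls:
        return "ok"                 # AUTH only once the channel is encrypted
    return "no-auth"                # server relays for nobody


def probe(host: str, port: int = 587, timeout: float = 10) -> str:
    """Live check: EHLO in the clear, then again after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre_tls = dict(smtp.esmtp_features)
        post_tls = None
        if smtp.has_extn("starttls"):
            smtp.starttls()         # smtplib clears esmtp_features here
            smtp.ehlo()
            post_tls = dict(smtp.esmtp_features)
    return classify(pre_tls, post_tls)


# Constructed replies: the misconfigured server, and the same one after the fix.
LOOPHOLE_EHLO = "mail.example.net\nPIPELINING\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"
FIXED_EHLO = "mail.example.net\nPIPELINING\nSTARTTLS\n8BITMIME"
AFTER_TLS_EHLO = "mail.example.net\nPIPELINING\nAUTH PLAIN LOGIN\n8BITMIME"

if __name__ == "__main__":
    print(classify(parse_ehlo(LOOPHOLE_EHLO), parse_ehlo(AFTER_TLS_EHLO)))  # auth-without-tls
    print(classify(parse_ehlo(FIXED_EHLO), parse_ehlo(AFTER_TLS_EHLO)))     # ok
    # print(probe("mail.example.net"))  # placeholder host: point this at your own server
```

Run `probe()` against your own submission port after changing the server config; "ok" means the AUTH keyword only appears once TLS is up.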

I notice that the brute-force attacks I had originally spotted didn't use encryption - there's no reason why they couldn't, other than that setting up encrypted connections costs you time and computational effort, which may be an issue if you're trying to attack a large number of random mail servers. Still, I have a feeling that I won't see them again, which makes me happy - one fewer thing to distract me from real problems in my logs.

(FWIW, before someone says it, I don't really like the idea of using stuff like fail2ban to firewall away dictionary attacks; the whole idea of tailing logfiles seems inelegant, and I'm confident enough in the strength of my passwords - my system's SSH passwords in particular use pam_cracklib to make sure they can't be weak.)
