I have port 143 open so that I can get my mail when away from home. Occasionally, though, my router reports things like

Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]

Looking at those addresses in whois, I don't see any good reason for these, and I'm concerned in case they are relays. Advice?

Anne
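The router lines quoted above are easy to turn into a per-source count, which is the first thing to check before deciding whether a hit is noise or a repeat visitor worth blocking. The following is an added example, not code from the thread or from any of its posters: it parses lines of exactly the shape the router emits, skips addresses inside a hypothetical trusted allowlist (the 192.0.2.0/24 documentation range stands in for "the places I connect from"), and lists sources that hit port 143 more than once. The sample log is constructed: the three lines from the post plus two made-up ones to show the counting.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# Line shape taken from the router output quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<rule>[^\]]+)\]$"
)

# Constructed sample: the three lines quoted in the post, one repeat hit from
# the first source, and one hit from an address inside the trusted range.
SAMPLE_LOG = """\
Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
Thu, 2008-03-27 16:12:45 - TCP Packet - Source:200.122.134.9,3899 Destination:88.97.17.41,143 - [IMAP rule match]
Fri, 2008-03-28 09:01:02 - TCP Packet - Source:192.0.2.10,50123 Destination:88.97.17.41,143 - [IMAP rule match]
"""

# Hypothetical allowlist: networks the mailbox owner really connects from.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return a dict of fields for one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%a, %Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_hits(log_text, port=143):
    """Count connection attempts to `port` per source, ignoring trusted networks."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        if not is_trusted(rec["src"]):
            hits[rec["src"]] += 1
    return hits


def repeat_offenders(log_text, threshold=2):
    """Sources that reached the IMAP port at least `threshold` times: the ones
    worth cross-checking against the IMAP server's own auth log or firewalling."""
    return sorted(src for src, n in untrusted_hits(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in untrusted_hits(SAMPLE_LOG).most_common():
        print(f"{src:>16}  {n} attempt(s)")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

A single packet per source, as in the original three lines, is just the background scanning the replies below describe; a source that keeps coming back is the one to look for in the IMAP server's authentication log.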
Anne Wilson wrote on Fri, 28 Mar 2008 09:23:30 +0000:

> Looking at those addresses in whois, I don't see any good reason for these,

I don't know what [IMAP rule match] means, haven't ever seen this. But it should be clear that if you have well-known ports open to the world, these attract brute-force attacks and such. That's how it is.

> and I'm concerned in case they are relays.

I'm not sure what you mean by that?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Anne Wilson wrote:

> I have port 143 open so that I can get my mail when away from home.
> Occasionally, though, my router reports things like
>
> Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821 Destination:88.97.17.41,143 - [IMAP rule match]
> Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461 Destination:88.97.17.41,143 - [IMAP rule match]
> Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352 Destination:88.97.17.41,143 - [IMAP rule match]
>

If you open ports, you will see folks scanning them - it's inevitable. A public mail server will attract interest from those wishing to exploit it.

> Looking at those addresses in whois, I don't see any good reason for these,
> and I'm concerned in case they are relays. Advice?
>

Those looking for relays would be more interested in the SMTP port 25. The IMAP port is the port you connect to to receive your mail. As long as your IMAP server (dovecot, courier-imap) is fully patched and presumably secure then you should be OK.

Advice - one potential weakness is that by default your username and password are likely being sent in plain text (not a good idea!). Someone could potentially intercept your username and password and access/use your email account. If that username/password is also your system account then potentially that could be compromised too.

There are a number of things you can do to harden your security. You could set up an additional user account with nologin for email so if the username/password does get compromised it's limited to purely email. You could run IMAP services on a non-standard port (security through obscurity), or firewall the connection to only allow trusted IP addresses (works if you always connect from known trusted IP addresses). None of these solutions are perfect, so probably the best method is to encrypt the connection using SSL. See howto here (for postfix/dovecot):

http://wiki.centos.org/HowTos/postfix_sasl

Hope that helps,

Ned
On Fri, Mar 28, 2008, Anne Wilson wrote:

> I have port 143 open so that I can get my mail when away from home.
> Occasionally, though, my router reports things like

You should be using secure IMAP on port 933, not port 143 where everything is sent in clear text. I don't know about other IMAP servers, but courier-imap handles this by default. Most current e-mail clients allow one to set this up easily, either directly or using TLS to request a secure connection on an initial connection to port 143.

This doesn't keep people from trying dictionary attacks via imaps, but it does prevent them from sniffing the connections. Of course you are using good passwords, n'est-ce pas?

Bill
-- 
INTERNET: bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Intellectually, teachers fall between education theorists and bright cocker spaniels. (Probably closer to the education theorists. The AKC has been doing wonders with spaniels.) If you think I'm kidding look at the GREs for education majors, whose scores are the lowest of all fields, and remember that these are the smart ones. -- http://www.FredOnEverything.net
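Ned's and Bill's replies both come down to the same rule: credentials go over the wire only after the connection is encrypted, either on the dedicated TLS port or by upgrading the plain port 143 session with STARTTLS before LOGIN. The code below is an added example, not from the thread or from any mail client or server mentioned in it, of how a client enforces that rule with Python's standard imaplib: `login_plan` decides from the server's advertised capabilities whether a LOGIN may be sent, and `connect_securely` applies the decision. The host, user and password in the `__main__` block are placeholders; `ssl.create_default_context()` verifies the server certificate and hostname, which is what keeps a sniffer from simply standing in for the server.

```python
import imaplib
import ssl


def login_plan(capabilities, already_tls=False):
    """Decide what a client may do before sending LOGIN.

    capabilities: the server's CAPABILITY tokens (imaplib exposes them as a
    tuple of uppercase strings in IMAP4.capabilities).
    Returns "login", "starttls" or "refuse".
    """
    if already_tls:
        return "login"            # implicit-TLS port: socket is already encrypted
    caps = {c.upper() for c in capabilities}
    if "STARTTLS" in caps:
        return "starttls"         # upgrade the plain connection first
    # No way to encrypt: never send the password in clear text, whether or
    # not the server happens to advertise LOGINDISABLED.
    return "refuse"


def connect_securely(host, port, user, password):
    """Open an IMAP session and log in only once the link is under TLS.

    Port 993 is treated as implicit TLS (IMAP4_SSL); any other port is opened
    in the clear and must offer STARTTLS before credentials are sent.
    """
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        plan = login_plan(conn.capabilities, already_tls=True)
    else:
        conn = imaplib.IMAP4(host, port)
        plan = login_plan(conn.capabilities)
        if plan == "starttls":
            conn.starttls(ssl_context=ctx)  # imaplib re-reads CAPABILITY afterwards
    if plan == "refuse":
        conn.logout()
        raise RuntimeError(f"{host}:{port} offers no TLS; refusing plaintext LOGIN")
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    # Placeholder server and account (hypothetical); the mail-only account name
    # follows Ned's suggestion of a separate nologin user for IMAP.
    c = connect_securely("imap.example.invalid", 143, "mailonly", "change-me")
    print(c.select("INBOX"))
    c.logout()
```

The decision is made from the capability list rather than from the port number alone because a server on 143 that lacks STARTTLS is exactly the setup the thread warns about; in that case the function refuses rather than silently falling back to a clear-text LOGIN.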