similar to: how to block brute force attacks on reverse tunnels?

For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up

https://bugzilla.samba.org/show_bug.cgi?id=6695 Summary: whitespace problem in directory paths; I know of no work-around Product: rsync Version: 3.0.6 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P3 Component: core AssignedTo: wayned at samba.org

In https://wiki.dovecot.org/Migration/Courier , mail_location = maildir:~/Maildir namespace { prefix = INBOX. separator = . inbox = yes } ... is wrong. Apparently it should be ... mail_location = maildir:~/INBOX ...which at least seemed to work, although (by that time?) I wound up re-downloading all mail. Steve Newcomb srn at coolheads.com (Unable to edit the wiki page...

Hi Jochen, On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 02/11/2020 07:07 PM, Cl?ment P?ron wrote: > > - I have X devices (around 30) and one SSH server > > - Each of them have a unique public key and create one dynamic reverse > > port forwarding on the server > > - All of them connect with the same UNIX user (I don't

Why do attacks from the Internet get shown in the Asterisk logs with myAsteriskServerIP instead of the attacker's IP?! Really useful for blocking them, that is... Example: [Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae (I replaced our IP address with myAsteriskServerIP. The attacks are not coming from

Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited

On 05/16/2018 06:07 AM, Aki Tuomi wrote: >> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote: >> Is possible to implement and end-to-end encryption with dovecot, where >> server-side there is no private key to decrypt messages? > > You could probably automate this with sieve and e.g. GnuPG, which would mean > that all your

On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote: > That was the original intent (and it's mentioned in RFC4419) however > each moduli file we ship (70-80 instances of 6 sizes) takes about 1 > cpu-month to generate on a lowish-power x86-64 machine. Most of it > is > parallelizable, but even then it'd likely take a few hours to > generate > one of each size. I

Hi, On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote: > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? I'd do

Hello, I have asked on the postfix mailing list for a solution, how to encrypt incoming emails with public gpg key My original idea was to use a smtpd-milter, which would encrypt all incoming plaintext messages of given user, using the users public gpg key. This way, it would look as if the original sender has sent the message encrypted. Somebody suggested this might be better done in Dovecot,

Hello everyone, my workplace has gotten the idea of centrally maintaining a file in ssh_config syntax so that employees do not need to discover every new machine and configure it on their own. Since it's a case of "let's get started now, and properly think it through later", right now, a typical entry might look like > Host [product]-[Customer] > Hostname

On 12/15/2018 12:34 AM, @lbutlr wrote: > On 14 Dec 2018, at 16:30, @lbutlr <kremels at kreme.com> wrote: >> Is it possible to override the POP3 delete on download command and make >> sure that messages stay on the server for at least X hours or X days? >> It is important that the messages be around long enough to hit a snapshot >> cycle (using rsnapshot to backup

Hello, I hope it's the correct ML to get support for "advanced" ssh use (sorry if it's not the case) And I would be very grateful if someone could help me on this issue. Here is my challenge : - I have X devices (around 30) and one SSH server - Each of them have a unique public key and create one dynamic reverse port forwarding on the server - All of them connect with the

Hi folks, Since Docker can bind-mount every .ssh directory I am looking for some way to forbid unprotected private keys. AFAICS it is currently not possible on the sshd to verify that the peer's private key was protected by a passphrase. Can you confirm? Regards Harri

On 05.07.23 18:01, MCMANUS, MICHAEL P wrote: > It appears the forced command either does not run or runs to completion > and exits immediately, as there is no process named "receive.ksh" in > the process tree. FWIW, two cents of mine: -- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen

On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote: > A quick question, if I may: Today, I heard a rumour that "ssh" can be > used as a TOTP *token* (i.e., accept or generate a secret for a > configuration and generate TOTP codes from there on out, to be entered > into some *other* software requesting them for 2FA). I'm not aware of any way

On Thu, 17 Nov 2016 14:11:45 +0100 Jochen Bern <Jochen.Bern at binect.de> wrote: > On 11/17/2016 08:48 AM, Steve Litt wrote: > > When I use an email client, its purpose is as a window into my > > Dovecot IMAP, and as a mechanism to reply to and send emails. I > > don't do filtering or calendaring on my email client (filtering via > > procmail direct to

As far as I can tell, there currently isn't a straightforward way to use password authentication for connecting to hosts where the host key changes frequently. I realize this is a fairly niche use case, but when developing software for devices that often get reimaged (resulting in a host key change), it can get pretty tedious to attempt to connect, get a warning, remove the old host key via

Hello, given a small organization. There are *personal* mailboxes (mailbox per user, incl. subfolders et cetera). The users can share specic folders via the ACL (we call it "other users/", Dovecot calls it "shared" folder. Additionally there are mailboxes Dovecot calls "public" (we use the term "groups/"). They are not associated with a specific account,

A quick question, if I may: Today, I heard a rumour that "ssh" can be used as a TOTP *token* (i.e., accept or generate a secret for a configuration and generate TOTP codes from there on out, to be entered into some *other* software requesting them for 2FA). All I could find on the web so far are how-tos to a) make ssh*d* request and verify TOTP codes (usually with the help of PAM)