Re: Not so much a bug as a warning of new brute force attack

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Richard Ashton: "Re: Not so much a bug as a warning of new brute force attack"
• Previous message: Allen Wheelwright: "Re: [linux-security] Things NOT to put in root's crontab"
• In reply to: Brett L. Hawn: "Not so much a bug as a warning of new brute force attack"
• Next in thread: Richard Ashton: "Re: Not so much a bug as a warning of new brute force attack"

On Sat, 1 Jun 1996, Brett L. Hawn wrote:

> Given a file full of usernames and the standard 'dict file' one can
> currently connect to the pop3 daemon and effiecently try passwords for a
> user until the proper one is gotten or one runs out of passwords without any
> noticeable effects on the server. I've tested this method myself using

Which pop3 server are you using ?

The U of Washington POP/IMAP package has a timer in it, and disconnects
after 3 failures.

It does not, however, check for a valid log-in shell (that the user's
shell exists in /etc/shells). Since I use an invalid shell to disable
accounts, I made a small patch to enable this feature.

-Chris

==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

• Next message: Richard Ashton: "Re: Not so much a bug as a warning of new brute force attack"
• Previous message: Allen Wheelwright: "Re: [linux-security] Things NOT to put in root's crontab"
• In reply to: Brett L. Hawn: "Not so much a bug as a warning of new brute force attack"
• Next in thread: Richard Ashton: "Re: Not so much a bug as a warning of new brute force attack"