[2664] in bugtraq
Re: Not so much a bug as a warning of new brute force attack
daemon@ATHENA.MIT.EDU (Stefan Hudson)
Mon Jun 3 15:39:51 1996
Date: Mon, 3 Jun 1996 09:49:34 -0700
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Stefan Hudson <hudson@mbay.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SOL.3.93.960601104727.687A-100000@dazed.nol.net> from
"Brett L. Hawn" at Jun 1, 96 10:52:28 am
> Using the pop3 mechanism to crack user passwords
>
> Given a file full of usernames and the standard 'dict file' one can
> currently connect to the pop3 daemon and efficiently try passwords for a
> user until the proper one is gotten or one runs out of passwords without any
> noticeable effects on the server. I've tested this method myself using
> several accounts and lots of random crap between valid passwords. A 3
> account userfile with a 20k dictfile took appx 2 minutes to generate the
> passwords for all 3 accounts.
>
> Solution:
>
> Implement random delay times, logging, and disconnection within the pop3
> daemon
qpopper, the POP server from Qualcomm (makers of Eudora for PeeCees) does
a 10 second delay and disconnects on a bad password. It also logs EVERYTHING
to a file and is very configurable. We've been using it for a few months
now, and it's worked very well. See ftp.qualcomm.com:/quest/unix/servers.
--
/// Stefan Hudson <hudson@mbay.net>
__ /// Senior Network Administrator - Monterey Bay Internet
\\\/// http://www.mbay.net/ - Email: info@mbay.net
\XX/ Voice: 408-642-6100 Fax: 408-642-6101 Modem: 408-642-6102
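Added example (not code from this post, from the quoted message, or from qpopper): a toy POP3 AUTHORIZATION-state handler in Python that applies the three countermeasures the thread discusses, a delay plus random jitter on a bad password, a log line for every attempt, and a disconnect after the first failure, together with an attacker loop that shows what the disconnect costs a dictionary attack. The user table, the peer address, the PBKDF2 hashing, the delay values, the log line format and the word list are all constructed for the example.

```python
"""Toy POP3 USER/PASS handler modelling delay + log + disconnect on a bad
password. Example code added to this archive page, not qpopper's code; the
user table, hashing scheme, delay values and log format are assumptions."""
import hashlib
import hmac
import os
import random
import time


def _record(password: str, salt: bytes = None) -> tuple:
    """Constructed credential record: (salt, PBKDF2-SHA256 digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the example; not a real mail server's database.
USERS = {
    "alice": _record("correct horse"),
    "bob": _record("s3cr3t-bob"),
}


class Pop3AuthHandler:
    """One client connection in the POP3 AUTHORIZATION state (RFC 1939 USER/PASS)."""

    def __init__(self, users, peer, log, *, delay=10.0, jitter=5.0,
                 sleep=time.sleep, rng=random.uniform):
        self.users = users
        self.peer = peer            # client address, e.g. "203.0.113.7" (constructed)
        self.log = log              # callable taking one log line
        self.delay = delay          # base delay after a bad password, seconds
        self.jitter = jitter        # extra random delay in [0, jitter] seconds
        self.sleep = sleep          # injectable so tests do not really wait
        self.rng = rng              # injectable so tests are deterministic
        self.user = None
        self.authenticated = False
        self.open = True

    def _check(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def handle(self, line: str) -> str:
        """Process one command line and return the response.
        Sets self.open = False when the server drops the connection."""
        if not self.open:
            raise RuntimeError("connection already closed")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            ok = self._check(self.user, arg)
            # Log every attempt, success or failure, with the peer address.
            self.log(f"pop3 login {'ok' if ok else 'FAILED'} user={self.user} peer={self.peer}")
            if ok:
                self.authenticated = True
                return "+OK mailbox locked and ready"
            # Bad password: make the guess expensive, then drop the connection
            # so the client cannot send the next PASS on the same socket.
            self.sleep(self.delay + self.rng(0, self.jitter))
            self.open = False
            return "-ERR invalid password"
        if verb == "QUIT":
            self.open = False
            return "+OK bye"
        return "-ERR unknown command"


def simulate_dictionary_attack(target_user: str, wordlist, users, log):
    """Serial attacker against the handler. Returns (password or None,
    connections used, seconds the server made the attacker wait).
    Jitter is pinned to 0 so the result is deterministic."""
    slept = []
    conns = 0
    for word in wordlist:
        conns += 1  # every failed guess ends the connection, so reconnect
        h = Pop3AuthHandler(users, "203.0.113.7", log,
                            sleep=slept.append, rng=lambda a, b: 0.0)
        h.handle(f"USER {target_user}")
        if h.handle(f"PASS {word}").startswith("+OK"):
            return word, conns, sum(slept)
    return None, conns, sum(slept)


def attack_cost_seconds(accounts: int, dict_words: int, per_guess_seconds: float) -> float:
    """Serial cost of the attack in the quoted message (3 accounts x 20k words)."""
    return accounts * dict_words * per_guess_seconds


if __name__ == "__main__":
    found, conns, waited = simulate_dictionary_attack(
        "alice", ["password", "123456", "letmein", "correct horse"], USERS, print)
    print(f"found={found} connections={conns} server_delay={waited}s")
    print("60k guesses at 10 s each:", attack_cost_seconds(3, 20_000, 10.0) / 86400, "days")
```

Two caveats a practitioner should keep in mind. The per-connection delay only slows a client that guesses serially; an attacker opens many connections in parallel, so throughput is really bounded by per-source or per-account rate limits and by someone watching the FAILED lines in the log. And a daemon that sleeps 10 seconds while holding a forked process per connection gives the same attacker a cheap way to exhaust server processes, so the delay needs a cap on concurrent unauthenticated connections beside it.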