CheckAuthLog FAQ: Difference between revisions

From voipsupport
Jump to navigation Jump to search
No edit summary
Line 14: Line 14:


====Define and enforce a strong password policy====
====Define and enforce a strong password policy====
Depending on the software being used, you may be able to set up and enforce policies about the length and characters to be used in a password and about how frequently it must be changed.
====Have a safe method for password recovery====
Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to unverifiable users.


====Only use encrypted connections====
====Only use encrypted connections====


As a first defence it is recommended that all connections for reading and sending email are authenticated across a strongly encrypted connection. That drastically reduces the risk of the password being stolen.
It is recommended that all connections for reading and sending email are authenticated across a strongly encrypted connection. That drastically reduces the risk of the password being read by a third party while it is in transit on the network.


====Set up rate limiting in the MTA====
====Set up rate limiting in the MTA====

Revision as of 18:02, 13 June 2016

Q. What are the prerequisites for CheckAuthLog?

PHP version 5 with DBA and mysql extensions.

The use of the mysql extension means that it will not work with the upcoming PHP 7 release until the code has been migrated to mysqli.

Q. What other things can I do to improve security?

Use Fail2ban

While CheckAuthLog is useful to detect strange patterns of email sending that could indicate stolen email credentials being used to send spam, one way of helping to avoid stolen email credentials is to slow down and block dictionary attacks on passwords.

Fail2ban parses log files and can be configured to block internet traffic from ip addresses that have made more than a configurable number of authentication errors.

Define and enforce a strong password policy

Depending on the software being used, you may be able to set up and enforce policies about the length and characters to be used in a password and about how frequently it must be changed.

Have a safe method for password recovery

Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to unverifiable users.

Only use encrypted connections

It is recommended that all connections for reading and sending email are authenticated across a strongly encrypted connection. That drastically reduces the risk of the password being read by a third party while it is in transit on the network.

Set up rate limiting in the MTA

In order to avoid hackers/spammers getting round the login limit by sending excess multiple messages within a single smtp connection, it is worthwhile setting up rate limits (for example smtpd_client_message_rate_limit parameter on postfix) to a value which will not interfere with normal mail sending, but that will stop a hacker/spammer sending infinite messages with one smtp connection.

Q. When reporting a problem what information should I provide?

Please see here