[Dovecot] Dovecot under brute force attack - nice attacker

henry ritzlmayr dovecot at rc0.at
Thu Jun 4 13:16:00 EEST 2009


Hi List, 

Optimizing the configuration on one of our servers (which was
hit by a brute-force attack on dovecot) showed an odd behavior. 

Dovecot Version 1.0.7 (CentOS 5.2)

The short story:
On one of our servers an attacker did a brute force 
attack on dovecot (pop3). 
Since the attacker closed and reopened the connection 
after every user/password combination, the logs showed 
many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker hadn't closed and reopened the connection,
no log would have been generated and he/she would have had endless 
tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
->Only the last try gets logged.

If I enable auth_verbose every attempt gets logged, but if I read the
docs correctly this option should only be used for figuring out why
authentication isn't working.

Question: 
Is there any way to close the connection after the 
first wrong user/pass combination, so an attacker would be forced 
to reopen it?
This would be perfect since an easy iptables/hashlimit would avoid 
such a brute force attack. 

Any other ideas?
Henry
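The kind of log-driven detection the post says fail2ban or an iptables/hashlimit rule would have to rely on, written out as an added example (not code from the original post or from the Dovecot project). It parses Dovecot 1.0-style "pop3-login: Aborted login" syslog lines and flags source IPs that cross a threshold inside a sliding time window. The log lines, hostname, IPs and user names are constructed for the example; the regex field names (user=, rip=) follow the 1.0 log format as far as the post shows it, and the syslog timestamps are assumed to fall within one year. The counting is exactly what the post complains about: one line per aborted connection, so an attacker who keeps a single connection open and cycles USER/PASS never reaches the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical host, IPs and users; not from the post).
# The first four lines model the "nice" attacker who reconnects per attempt:
# every aborted connection produces one line.  An attacker who sends many
# USER/PASS pairs over one connection would produce only the single final line.
SAMPLE_LOG = """\
Jun  4 12:01:01 mx1 dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jun  4 12:01:02 mx1 dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jun  4 12:01:03 mx1 dovecot: pop3-login: Aborted login: user=<info>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jun  4 12:01:04 mx1 dovecot: pop3-login: Aborted login: user=<root>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jun  4 12:05:30 mx1 dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jun  4 12:09:59 mx1 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.20, lip=192.0.2.10
Jun  4 12:20:00 mx1 dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=203.0.113.42, lip=192.0.2.10
"""

# Only "Aborted login" lines count; successful logins and other services are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Aborted login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def parse_aborted_logins(log_text):
    """Yield (timestamp, user, remote_ip) for every aborted-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; assumption: all lines share one year
        ts_text = " ".join(m.group("ts").split())
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("rip")


def count_by_ip(log_text):
    """Total aborted-login lines per source IP (one line == one aborted connection)."""
    counts = defaultdict(int)
    for _ts, _user, rip in parse_aborted_logins(log_text):
        counts[rip] += 1
    return dict(counts)


def find_offenders(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {rip: peak_count} for IPs that reach `threshold` aborted logins
    within any `window`.  Mirrors a fail2ban/hashlimit style rule: it can only
    see connections that were torn down and logged, never individual attempts
    inside a still-open session."""
    recent = defaultdict(deque)   # rip -> timestamps inside the current window
    peaks = {}
    for ts, _user, rip in parse_aborted_logins(log_text):
        q = recent[rip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events that fell out of the window
        if len(q) >= threshold:
            peaks[rip] = max(peaks.get(rip, 0), len(q))
    return peaks


if __name__ == "__main__":
    print("aborted connections per IP:", count_by_ip(SAMPLE_LOG))
    print("offenders (>=3 in 60s):", find_offenders(SAMPLE_LOG))
```

Running it on the constructed log flags only 198.51.100.7, whose four reconnecting attempts each left a line; a single-connection attacker with the same four attempts would appear once, below any sane threshold, which is the gap the post describes.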


