[Dovecot] Dovecot under brute force attack - nice attacker
henry ritzlmayr
dovecot at rc0.at
Thu Jun 4 20:02:47 EEST 2009
On Thursday, 04.06.2009, 09:51 -0700, Mark Sapiro wrote:
> On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
> >
> > The problem:
> > If the attacker hadn't closed and reopened the connection,
> > no log would have been generated and he/she would have had endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
>
>
> I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs every
> failed attempt:
>
> Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
> Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1
>
> So, fail2ban will block based on the pam log.
>
Good to know. We have LDAP here, but it certainly would be possible
to do the authentication through pam->ldap.
Thanks
Henry
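The thread's point is that Dovecot's own login log shows one line per connection, so an attacker who keeps one POP3 session open and cycles USER/PASS leaves only the final failure there, whereas the pam_unix lines Mark quoted record every failed PASS. The following is an added example, not code from the thread or from Dovecot or fail2ban: it parses pam_unix failure lines in the exact format quoted above and applies a fail2ban-style maxretry/findtime sliding window per rhost, so the single-connection attack is still counted. The log lines are constructed for the example (the 10.0.0.5 and 192.0.2.9 hosts and the `test`/`admin` users are made up); the regex, the window parameters and the function names are this example's own assumptions, not fail2ban's filter or defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, mirroring the pam_unix lines quoted in the thread.
# 10.0.0.5 fails three times in two seconds on one connection (the
# "nice attacker" case), 192.0.2.9 fails three times spread over 40 min,
# 127.0.0.1 fails once. Only 10.0.0.5 should trip a 3-in-600s rule.
SAMPLE_LOG = """\
Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun  4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=10.0.0.5
Jun  4 09:38:06 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=10.0.0.5
Jun  4 09:38:07 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=10.0.0.5
Jun  4 09:58:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=192.0.2.9
Jun  4 10:20:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=192.0.2.9
Jun  4 10:40:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=192.0.2.9
"""

# Assumed pattern (not fail2ban's shipped filter): one pam_unix
# "authentication failure" line per failed PASS, keyed on rhost.
PAM_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: '
    r'pam_unix\(dovecot:auth\): authentication failure; .*?'
    r'ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)'
)


def parse_pam_failures(lines, year=2009):
    """Return [(timestamp, ruser, rhost)] for each pam_unix failure line.

    Lines that do not match (e.g. 'check pass; user unknown') are ignored;
    syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = []
    for line in lines:
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['ruser'], m['rhost']))
    return events


def offending_hosts(events, maxretry=3, findtime=600):
    """Sliding-window count in the spirit of fail2ban's maxretry/findtime.

    Returns the set of rhosts with at least `maxretry` failures inside any
    `findtime`-second window. Because counting is per rhost and per PAM
    line, failures on one long-lived connection count just like failures on
    separate connections.
    """
    per_host = defaultdict(list)
    for ts, _user, host in sorted(events):
        per_host[host].append(ts)

    banned = set()
    for host, stamps in per_host.items():
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits in findtime.
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


def analyze(log_text, maxretry=3, findtime=600):
    """Parse a syslog excerpt and return the hosts that would be banned."""
    return offending_hosts(parse_pam_failures(log_text.splitlines()),
                           maxretry, findtime)


if __name__ == "__main__":
    for host in sorted(analyze(SAMPLE_LOG)):
        print(f"would ban {host}")
```

The window is the important part: a rule keyed on the Dovecot login log would see only one line for the 10.0.0.5 session, while the PAM lines give one event per PASS. The same counting can be pointed at whatever log the site's authentication backend emits per attempt; with LDAP the thread's suggestion is to route through pam->ldap precisely so that pam_unix-style per-attempt lines exist.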