[Dovecot] Dovecot under brute force attack - nice attacker

Scott Silva ssilva at sgvwater.com
Thu Jun 4 20:24:48 EEST 2009


on 6-4-2009 3:48 AM Noel Butler spake the following:
> On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
> 
>> Hi List, 
>>
>> optimizing the configuration on one of our servers (which was
>> hit by a brute force attack on dovecot) showed an odd behavior. 
>>
>> Dovecot Version 1.0.7 (CentOS 5.2)
>>
>> The short story:
>> On one of our servers an attacker did a brute force 
>> attack on dovecot (pop3). 
>> Since the attacker closed and reopened the connection 
>> after every user/password combination the logs showed 
>> many lines like this:
>> dovecot: pop3-login: Aborted login: user=<test>,......
>>
>> The problem:
>> If the attacker wouldn't have closed and reopened the connection
>> no log would have been generated and he/she would have endless 
>> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>>
>> How to reproduce:
>> telnet dovecot-server pop3
>> user test
>> pass test1
>> user test
>> pass test2
>> ...
>> QUIT
>> ->Only the last try gets logged.
>>
> 
> 
> 
> Verified with 1.1.6 as well, nice catch Henry.
> 
> 
1.1.15 gives me one log entry, but lists the number of failed login attempts;

Jun  4 10:16:56 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1
Jun  4 10:18:10 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1
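
Added example, not part of the original thread or of Dovecot: because one "Aborted login" line can stand for many password guesses on a single connection, a detector should sum the logged attempt count per remote IP instead of counting lines. The function names, the threshold and the sample lines are constructed for illustration; the line format follows the entries quoted above, and matching imap-login as well as pop3-login is an assumption.

```python
import re
from collections import defaultdict

# "(auth failed, N attempts)" is optional: the 1.0.7 line quoted in this
# thread carries no count, so such a line only proves one attempt.
ABORTED = re.compile(
    r"(?:pop3|imap)-login: Aborted login"
    r"(?: \(auth failed, (?P<n>\d+) attempts?\))?"
    r":.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def failed_attempts_by_ip(lines):
    """Return {remote_ip: (log_lines, password_attempts)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = ABORTED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = totals[m.group("rip")]
        entry[0] += 1
        entry[1] += int(m.group("n")) if m.group("n") else 1
    return {ip: tuple(v) for ip, v in totals.items()}

def over_threshold(lines, max_attempts):
    """Remote IPs whose summed password attempts exceed max_attempts."""
    stats = failed_attempts_by_ip(lines)
    return sorted(ip for ip, (_, tries) in stats.items() if tries > max_attempts)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE = [
    "Jun  4 10:16:56 mail dovecot: pop3-login: Aborted login (auth failed, "
    "1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1",
    "Jun  4 10:18:10 mail dovecot: pop3-login: Aborted login (auth failed, "
    "40 attempts): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1",
    "Jun  4 10:18:30 mail dovecot: pop3-login: Aborted login: user=<test>, "
    "method=PLAIN, rip=192.0.2.10, lip=192.0.2.1",
    "Jun  4 10:19:02 mail dovecot: pop3-login: Login: user=<bob>, "
    "method=PLAIN, rip=192.0.2.10, lip=192.0.2.1",
]

if __name__ == "__main__":
    for ip, (n_lines, tries) in sorted(failed_attempts_by_ip(SAMPLE).items()):
        print(f"{ip}: {n_lines} log line(s), at least {tries} attempt(s)")
    print("over threshold of 5:", over_threshold(SAMPLE, 5))
```

In the sample, 198.51.100.7 produces a single log line yet accounts for 40 guesses, so a filter that counts matching lines would rank it below 192.0.2.10.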



