[Dovecot] Under POP attack - now to prevent?

James Brown jlbrown at bordo.com.au
Fri Jun 5 05:04:11 EEST 2009


Looks like we are under a dictionary login attack on our POP server:

Jun  5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9
Jun  5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth  
failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94,  
lip=192.168.1.9

Any suggestions on how to prevent this?

Using Dovecot 1.2RC4

Thanks,

James.


More information about the dovecot mailing list