[Dovecot] Under POP attack - now to prevent?
James Brown
jlbrown at bordo.com.au
Fri Jun 5 05:04:11 EEST 2009
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Any suggestions on how to prevent this?
Using Dovecot 1.2RC4
Thanks,
James.
More information about the dovecot
mailing list