[Dovecot] Under POP attack - now to prevent?
henry ritzlmayr
dovecot at rc0.at
Fri Jun 5 09:07:24 EEST 2009
On Friday, 05.06.2009, at 12:04 +1000, James Brown wrote:
> Looks like we are under a dictionary login attack on our POP server:
>
> Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9
Since the attacker is playing nice you could also limit the maximum
connection attempts to the pop3 port in a given timeframe. And if that
limit is reached block the ip for a certain amount of time.
If you firewall with netfilter, hashlimit is your friend.
Interesting for me is that you are on v1.2RC4. Timo wrote yesterday
that with v1.2+ after every login failure the delay for the next attempt
should grow. When I take a look at your timestamps this is obviously not
working on your system.
Henry
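
The hashlimit suggestion above, as an added example that is not part of the original post: a per-source-IP limit on new POP3 connections, with the excess logged and dropped. The chain name POP3_LIMIT, the 6/minute rate, the burst of 6 and the 10-minute table expiry are assumed values to tune for your site. A source stays throttled for as long as it exceeds the rate.

```shell
#!/bin/sh
# Added example: build netfilter rules that rate-limit NEW connections to the
# POP3 port per source IP using the hashlimit match.
# Assumptions (not from the post): chain name, rate, burst, expiry, log prefix.

# Usage: pop3_ratelimit_rules [port] [rate] [burst]
# Prints the iptables commands; review them, then pipe to sh as root to apply.
pop3_ratelimit_rules() {
    port=${1:-110}          # 110 = pop3; call again with 995 for pop3s
    rate=${2:-6/minute}     # allowed new connections per source IP
    burst=${3:-6}           # initial allowance before the rate applies

    # Validate inputs so nothing unexpected ends up in a root shell.
    num=${rate%%/*}
    unit=${rate#*/}
    for n in "$port" "$num" "$burst"; do
        case "$n" in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;;
        esac
    done
    case "$unit" in
        second|minute|hour|day) ;;
        *) echo "bad rate unit: $unit" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -N POP3_LIMIT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j POP3_LIMIT
iptables -A POP3_LIMIT -m hashlimit --hashlimit-name pop3 --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-htable-expire 600000 -j RETURN
iptables -A POP3_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "pop3-ratelimit: "
iptables -A POP3_LIMIT -j DROP
EOF
}

# Stand-alone use: ./pop3-limit.sh --print [port] [rate] [burst]
if [ "${1:-}" = "--print" ]; then
    shift
    pop3_ratelimit_rules "$@"
fi
```

Only packets in conntrack state NEW enter the chain, so sessions that are already established are not affected. Current per-source counters can be inspected in /proc/net/ipt_hashlimit/pop3.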