[Dovecot] Lots of pop3-logins
Rodman Frowert
rodman at thefrowerts.com
Thu Jun 25 22:33:16 EEST 2009
Well, after going through my log files, I was hit with a dictionary based
attack. My maillog is full of about 20,000 lines of crap like this:
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Starts with "A" and runs all the way to "Z". The IP traces back to cable
modem subscriber on Cox Communications out of Arizona. I'll shoot them off
my "standard" attack e-mail.
In the meantime, I need to modify fail2ban so that it checks the maillog for
failed pop3 auth logins and bans IP's so this won't happen again.
Rodman
----- Original Message -----
From: "V S Rao" <viriyala at yahoo.com>
To: <dovecot at dovecot.org>
Sent: Thursday, June 25, 2009 1:15 PM
Subject: Re: [Dovecot] Lots of pop3-logins
>
>> > Doing a "ps aux" on my Slackware box, I have approx 100 PID's of
>> > "pop3-login's going on. This is a production mail server, but it is
>> > getting VERY low traffic. In fact, only 3 people can "pop3" into it.
>> > I've check their e-mail clients, and they are not checking mail any
>> > more often than every 5 minutes.
>> >
>> > This is a new installation and I've had the server up and running since
>> > Sunday. If it matters, I'm using Postfix for the MTA and using the
>> > Dovecot SASL library to AUTH SMTP.
>> >
>> > Is this a cause for concern? Why does Dovecot need this many
>> > processes?
>> >
>>
>> >> Because dovecot preforks the *-login processes to speed-up the login.
>>
>> >> No need to worry.
>>
>> 100 login sessions for just 3 connections? That is not right, no matter
>> what.
>
>>> No, login_processes_count matters.
>
> How? If my understanding is correct, you have extra 3 login processes
> created to cater to new connections. So with only 3 POP3 users, why should
> so many login processes be spawned? I can understand 10-15. But 100
> definitely indicates either the processes are not dying or something else
> happening on the system which is causing such high number of login
> processes. The system definitely needs to be checked for some kind of
> attack, a rogue process running on the system or something else.
>
> Regards
> --Rao
>
More information about the dovecot
mailing list