[Dovecot] Lots of pop3-logins
Timo Sirainen
tss at iki.fi
Thu Jun 25 22:46:04 EEST 2009
You can also just decrease login_process_max_count. If Dovecot reaches
the limit, it'll just start killing off old connections that haven't
logged in.
And yeah, some day I should also make Dovecot kill some of the login
processes after many of them have been idling for a while.
On Thu, 2009-06-25 at 14:33 -0500, Rodman Frowert wrote:
> Well, after going through my log files, I was hit with a dictionary based
> attack. My maillog is full of about 20,000 lines of crap like this:
>
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
> attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
>
> Starts with "A" and runs all the way to "Z". The IP traces back to cable
> modem subscriber on Cox Communications out of Arizona. I'll shoot them off
> my "standard" attack e-mail.
>
> In the meantime, I need to modify fail2ban so that it checks the maillog for
> failed pop3 auth logins and bans IPs so this won't happen again.
>
> Rodman
>
> ----- Original Message -----
> From: "V S Rao" <viriyala at yahoo.com>
> To: <dovecot at dovecot.org>
> Sent: Thursday, June 25, 2009 1:15 PM
> Subject: Re: [Dovecot] Lots of pop3-logins
>
>
> >
> >> > Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of
> >> > "pop3-login's going on. This is a production mail server, but it is
> >> > getting VERY low traffic. In fact, only 3 people can "pop3" into it.
> >> > I've checked their e-mail clients, and they are not checking mail any
> >> > more often than every 5 minutes.
> >> >
> >> > This is a new installation and I've had the server up and running since
> >> > Sunday. If it matters, I'm using Postfix for the MTA and using the
> >> > Dovecot SASL library to AUTH SMTP.
> >> >
> >> > Is this a cause for concern? Why does Dovecot need this many
> >> > processes?
> >> >
> >>
> >> >> Because dovecot preforks the *-login processes to speed up the login.
> >>
> >> >> No need to worry.
> >>
> >> 100 login sessions for just 3 connections? That is not right, no matter
> >> what.
> >
> >>> No, login_processes_count matters.
> >
> > How? If my understanding is correct, you have 3 extra login processes
> > created to cater to new connections. So with only 3 POP3 users, why should
> > so many login processes be spawned? I can understand 10-15. But 100
> > definitely indicates either the processes are not dying or something else
> > happening on the system which is causing such a high number of login
> > processes. The system definitely needs to be checked for some kind of
> > attack, a rogue process running on the system or something else.
> >
> > Regards
> > --Rao
> >
>
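A detection check of the kind Rodman describes, added here as an example and not code from the thread, from Dovecot or from fail2ban: it parses the pop3-login failure lines quoted above and applies a fail2ban-style maxretry/findtime sliding window per source address (rip). The internal address 10.10.11.50, the user alice, the successful-login line and the year 2009 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the Dovecot 1.x *-login failure line quoted in the thread. Each is a single
# syslog line; the mail client merely wrapped them onto two lines in the quote.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:pop3|imap)-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+), lip=\S+$"
)

# Constructed sample: six lines copied from the thread, one single failure from a
# constructed internal address, and one success line that must not match.
SAMPLE_LOG = """\
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:07:10 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=10.10.11.50, lip=10.10.11.2
Jun 21 23:07:12 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=10.10.11.50, lip=10.10.11.2
"""


def parse_failures(lines, year=2009):
    """Return (timestamp, user, rip) per auth-failure line; syslog omits the year, so supply it."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["rip"]))
    return out


def offenders(lines, maxretry=5, findtime=600, year=2009):
    """fail2ban-style window: flag a rip once it has maxretry failures within findtime
    seconds. Returns {rip: peak number of failures seen inside one window}."""
    window = defaultdict(deque)
    flagged = {}
    for ts, _user, rip in sorted(parse_failures(lines, year)):
        q = window[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire old failures
            q.popleft()
        if len(q) >= maxretry:
            flagged[rip] = max(flagged.get(rip, 0), len(q))
    return flagged
```

With the defaults, only the dictionary-attack source is flagged; the single failure from the internal address stays below maxretry.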