[Dovecot] 64.31.19.48 attempt to break into my computer

Charles Marcus CMarcus at Media-Brokers.com
Thu Sep 22 17:08:08 EEST 2011


On 2011-09-19 1:05 PM, Rick Baartman <baartman at lin12.triumf.ca> wrote:
>  From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.

Dictionaryt attacks are quite common, nothing new here...

fail2ban is what I use, would have killed this one (since it's from the 
same IP) almost immediately...

It doesn't work so well with sophisticated bots that can change IPs at 
will, but the secondary method of locking out an account after X number 
of failed auth attempts will eliminate the risk of a focused attack on a 
single account, so as long as you are using strong passwords, your 
system is secure (from these kinds of attacks, at least).

The only attack I haven't figured out how to eliminate is the 
social/phishing attack, where $DumbUser gives out their username 
password voluntarily... although I have been considering faking a 
phishing attack on my own users, and flagging the ones who fall for it 
for training.

-- 

Best regards,

Charles


More information about the dovecot mailing list