[Dovecot] Would attempting plaintext auth repeatably cause a DOS and server to crash?

Hugh Davenport hugh at davenport.net.nz
Fri Jun 21 01:05:00 EEST 2013


Hey All,

I'm just wondering whether this is what caused my server to crash.

Started last night in NZ land.

Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, 
session=<0C8LzpDfZQDINsQC>

occasionally get

Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts 
in 1 secs): user=<>, rip=attackerip, lip=10.0.0.3, 
session=<bHdz0JDfpwDINsQC>
or in 0 secs

last at
Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, 
session=<1MUR3ZDfcwDINsQC>

and a minute later the server lost contact to the world. When I checked 
a bit later,
the underlying host machine (dovecot runs on a VM (KVM)) had been 
powered off.

Now, here in NZ land, there was also a crazy storm last night, and lots 
of brownouts.
There could potentially have been a surge that killed it, but the UPS was 
still running
fine when I started it again.

The "attack" lasted around 4 minutes, in which there were 1161 lines in 
the log for a
single attacker IP, and no other similar logs previously.

Would this be enough to kill not only the VM running dovecot, but the 
underlying host
machine?

All up to date with patches, running Debian stable (wheezy).
dovecot-core Debian package version 1:2.1.7-7
dovecot version 2.1.7
I notice there is a version 2.2.3 out, but not in Debian yet. Could this 
fix this
issue? I don't particularly want to have it happen again :D.

Any thoughts?

Cheers,

Hugh
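
Added example, not part of the original post: a Python script that tallies the pre-auth `imap-login` disconnects quoted above per remote IP, so a burst like the one described (1161 lines from one address in about 4 minutes) can be measured straight from the log. The sample lines, the address 192.0.2.10 standing in for `attackerip`, and the names `summarize` and `noisy_sources` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the post, with the mail
# client's line wraps undone. 192.0.2.10 stands in for "attackerip".
SAMPLE = """\
Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.10, lip=10.0.0.3, session=<0C8LzpDfZQDINsQC>
Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.10, lip=10.0.0.3, session=<bHdz0JDfpwDINsQC>
Jun 20 19:23:05 elm dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.3, TLS
Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.10, lip=10.0.0.3, session=<1MUR3ZDfcwDINsQC>
"""

# Matches only "<service>-login: Disconnected (<reason>): ... rip=<addr>" lines.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \((?P<reason>[^)]*)\): .*?\brip=(?P<rip>[^,\s]+)"
)

def summarize(log_text, year=2013):
    """Group pre-auth disconnects by remote IP: total, time span, reasons."""
    per_ip = defaultdict(lambda: {"reasons": Counter(), "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # fold "no auth attempts in 0 secs" / "... in 1 secs" into one reason
        reason = re.sub(r" in \d+ secs$", "", m["reason"])
        per_ip[m["rip"]]["reasons"][reason] += 1
        per_ip[m["rip"]]["times"].append(ts)
    out = {}
    for rip, d in per_ip.items():
        span = (max(d["times"]) - min(d["times"])).total_seconds()
        out[rip] = {"total": len(d["times"]), "span_secs": int(span),
                    "reasons": dict(d["reasons"])}
    return out

def noisy_sources(summary, min_events, max_span_secs):
    """Remote IPs with at least min_events disconnects, all inside max_span_secs."""
    return sorted(rip for rip, s in summary.items()
                  if s["total"] >= min_events and s["span_secs"] <= max_span_secs)

if __name__ == "__main__":
    for rip, stats in summarize(SAMPLE).items():
        print(rip, stats)
```

Run against a real log, join any wrapped lines first; the thresholds passed to `noisy_sources` are site-specific choices.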

