Throttling pop3-login connections

Alex mysqlstudent at gmail.com
Sat Aug 9 16:23:23 UTC 2014


Hi,

> > I have a fedora20 system with dovecot-2.2.13 running various services,
> > including pop3. I'm noticing some users are frequently hammering pop3, and
> > wondered if this was normal, or something I should be investigating?
> >
> > Aug  8 14:05:20 email dovecot: pop3-login: Login: user=<user1>,
> > method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509,
> > session=<DnRtDCIAUQBhTXN5>
> > Aug  8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out
> > top=0/0, retr=0/0, del=0/15, size=5693601
> >
> > So it is immediately followed by a logout, but when there are 50 of them
> > successively in a five minute period, I wondered if it is creating
> > unnecessary overhead on the system?
> >
> > I suppose this most likely is how they have their email client configured,
> > but wondered if some throttling would be necessary?
> >
> > Any advice would be most appreciated.
> > Thanks,
> > Alex
> >
>
> depends if these are your users, or if it's brute force
> pop3 has not much overhead, to fight brute force use fail2ban

Yes, I've implemented fail2ban, and it's working pretty well. It does now
look like brute force.

When/if they complain to the helpdesk, we'll deal with it then.

> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

This is also helpful, thanks.

Thanks,
Alex
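
The question raised in this thread (a client polling often versus brute force) can be checked from the log itself. The following is an added example, not part of the original post: it counts pop3-login events per remote IP in a five-minute window and separates the two cases. The sample lines are constructed, the auth-failure line follows dovecot's "Disconnected (auth failed, ...)" message style, the addresses are documentation ranges, and the 50-event threshold and the failure/user-count heuristic are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Successful logins and auth failures logged by pop3-login (one syslog line each).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)")

def parse(line, year=2014):
    # Syslog timestamps carry no year, so the caller supplies one.
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["rip"], m["event"] == "Login"

def classify(lines, window=timedelta(minutes=5), threshold=50):
    """Map each rip that reaches `threshold` events inside `window` to a verdict."""
    recent = defaultdict(deque)          # rip -> (ts, user, ok) inside the window
    verdicts = {}
    for ts, user, rip, ok in filter(None, map(parse, lines)):
        q = recent[rip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        failures = sum(1 for _, _, good in q if not good)
        users = {u for _, u, _ in q}
        # Assumed heuristic: mostly failures, or many account names, is guessing.
        if failures > len(q) // 2 or len(users) > 3:
            verdicts[rip] = "brute-force"
        else:
            verdicts.setdefault(rip, "busy-client")
    return verdicts

def sample_log():
    """Constructed lines in the format of the excerpt quoted in the post."""
    t0, out = datetime(2014, 8, 8, 14, 5, 20), []
    for i in range(50):
        t = t0 + timedelta(seconds=5 * i)
        stamp = f"Aug  8 {t:%H:%M:%S} email dovecot: pop3-login: "
        out.append(stamp + "Login: user=<user1>, method=PLAIN, rip=203.0.113.10, "
                   "lip=192.168.1.1, mpid=30509, session=<constructed>")
        out.append(stamp + "Disconnected (auth failed, 1 attempts in 2 secs): "
                   f"user=<guess{i}>, method=PLAIN, rip=198.51.100.7, lip=192.168.1.1")
    out.append("Aug  8 14:06:00 email dovecot: pop3-login: Login: user=<user2>, "
               "method=PLAIN, rip=192.0.2.5, lip=192.168.1.1, mpid=1, session=<constructed>")
    return out
```

A "busy-client" source is one account logging in successfully from one address, which points at mail client configuration; a "brute-force" source is the kind fail2ban should be banning.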

