Hi,
I have a Fedora 20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hammering pop3, and wondered if this was normal, or something I should be investigating?

Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5>
Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601

So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
Depends if these are your users, or if it's brute force. POP3 does not have much overhead; to fight brute force, use fail2ban.
Yes, I've implemented fail2ban, and it's working pretty well. It does now look like brute force.
When/if they complain to the helpdesk, we'll deal with it then.
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
This is also helpful, thanks.
Thanks, Alex
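
The pattern discussed in this thread (about 50 successful pop3 logins in five minutes) can be measured per user and source address before deciding on throttling. The following is an added example, not code from the thread or from Dovecot; the function names, the default threshold and the sample log lines are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches successful pop3-login lines in the format shown in the thread.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot:\s+pop3-login:\s+"
    r"Login:\s+user=<(?P<user>[^>]*)>,.*?\brip=(?P<rip>[^,\s]+)"
)

def parse_login(line, year=2000):
    """Return (timestamp, user, rip) or None. Syslog has no year, so `year` is assumed."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["rip"]

def find_bursts(lines, threshold=50, window=timedelta(minutes=5), year=2000):
    """Map (user, rip) -> peak login count in a sliding window, if >= threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_login(line, year)
        if parsed is None:
            continue  # disconnects and other services are ignored
        ts, user, rip = parsed
        q = recent[(user, rip)]
        q.append(ts)
        while ts - q[0] > window:  # drop logins older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(user, rip)] = max(peaks.get((user, rip), 0), len(q))
    return peaks

def build_sample():
    """Constructed log lines (documentation addresses, made-up users)."""
    fmt = ("Aug  8 {t:%H:%M:%S} email dovecot: pop3-login: Login: user=<{u}>, "
           "method=PLAIN, rip={ip}, lip=192.0.2.1, mpid=1000, session=<constructed>")
    start = datetime(2000, 8, 8, 14, 5, 20)
    lines = [fmt.format(t=start + timedelta(seconds=6 * i), u="alice", ip="192.0.2.10")
             for i in range(50)]  # 50 logins in 294 seconds
    lines += [fmt.format(t=start + timedelta(minutes=10 * i), u="bob", ip="192.0.2.20")
              for i in range(3)]  # ordinary polling interval
    lines.append("Aug  8 14:05:21 email dovecot: pop3(alice): Disconnected: Logged out")
    return lines

if __name__ == "__main__":
    for (user, rip), n in find_bursts(build_sample()).items():
        print(f"{user} from {rip}: {n} logins within 5 minutes")
```

This counts only successful `Login:` lines, so a hit points at a client polling too often; failed authentication attempts do not match this pattern and are what fail2ban is normally pointed at.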