On 2011-09-19 1:05 PM, Rick Baartman baartman@lin12.triumf.ca wrote:
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
Dictionary attacks are quite common, nothing new here...
fail2ban is what I use, would have killed this one (since it's from the same IP) almost immediately...
It doesn't work so well with sophisticated bots that can change IPs at will, but the secondary method of locking out an account after X number of failed auth attempts will eliminate the risk of a focused attack on a single account, so as long as you are using strong passwords, your system is secure (from these kinds of attacks, at least).
The only attack I haven't figured out how to eliminate is the social/phishing attack, where $DumbUser gives out their username and password voluntarily... although I have been considering faking a phishing attack on my own users, and flagging the ones who fall for it for training.
--
Best regards,
Charles
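As an added example (not code from either poster), here are the two rules Charles describes applied to log lines in the pam_unix(dovecot:auth) format quoted above: a fail2ban-style per-IP ban on a burst of failures, and a per-account lockout that counts failures against a known account regardless of source IP. The sample log, the thresholds, the year and the second address 192.0.2.10 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pam_unix(dovecot:auth) format quoted in the thread: a burst
# from one address, then slow guesses against one real account from 192.0.2.10.
SAMPLE_LOG = """\
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:47 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 02:10:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=charles
Sep 19 03:10:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=charles
Sep 19 04:10:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=charles
"""

# pam_unix appends user=NAME only when the account exists; unknown users leave it out.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot-auth: pam_unix\(dovecot:auth\): "
                     r"authentication failure;.*?rhost=(?:::ffff:)?(?P<ip>\S+)(?: user=(?P<user>\S+))?")
YEAR = 2011  # syslog lines carry no year; taken from the date of the thread

def parse_failures(log):
    """Yield (timestamp, source_ip, user_or_None) for every pam_unix failure line, in log order."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]

def ips_to_ban(log, maxretry=3, findtime=600):
    """fail2ban-style rule: ban a source with >= maxretry failures inside findtime seconds (log assumed chronological)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log):
        by_ip[ip].append(ts)
    return {ip for ip, t in by_ip.items()
            if any((t[i + maxretry - 1] - t[i]).total_seconds() <= findtime
                   for i in range(len(t) - maxretry + 1))}

def accounts_to_lock(log, max_failed=3):
    """Lockout rule: lock a known account once it has max_failed failures, whatever the source IP."""
    per_user = defaultdict(int)
    for _, _, user in parse_failures(log):
        if user:
            per_user[user] += 1
    return {u for u, n in per_user.items() if n >= max_failed}
```

On the sample, the burst from 64.31.19.48 trips the per-IP rule while the hourly guesses from 192.0.2.10 stay under its window, which is exactly the case the account lockout catches.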