On Thursday, 04.06.2009, at 09:51 -0700, Mark Sapiro wrote:
On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
The problem: If the attacker wouldn't have closed and reopened the connection no log would have been generated and he/she would have endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:

telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT

-> Only the last try gets logged.
I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs every failed attempt:
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1
So, fail2ban will block based on the pam log.
Good to know. We have ldap here, but it certainly would be possible to do the authentication through pam->ldap.
thanks,
Henry
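The thread's point is that Dovecot itself only logs the last failed attempt of a connection, while pam_unix logs every failure, so a log-based blocker has something to count. The following is an added example, not code from the thread or from the Dovecot or fail2ban projects: it parses pam_unix "authentication failure" lines of the shape quoted above and applies the same kind of sliding-window rule fail2ban uses (a source is flagged once it reaches maxretry failures within findtime seconds). The sample log is constructed for the example (the two rhost=127.0.0.1 lines mirror the quoted ones, the 192.0.2.10 lines are made up), the year 2009 is assumed because syslog timestamps carry none, and the function names are the example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog format as written by pam_unix via dovecot-auth).
# The 127.0.0.1 entries mirror the lines quoted in the thread; the 192.0.2.10
# entries are made up to show a source that exceeds the threshold.
SAMPLE_LOG = """\
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1
Jun 4 09:38:07 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
Jun 4 09:38:09 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
Jun 4 09:38:11 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
Jun 4 09:45:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
"""

# Matches only the pam_unix "authentication failure" lines; "check pass; user
# unknown" and anything else is ignored. Syslog may put one or two spaces
# before a single-digit day, hence \s+.
FAILURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure; .*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, ruser, rhost) for every pam_unix authentication failure line.

    The year is assumed (syslog timestamps do not carry one).
    """
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"
        )
        yield ts, m["ruser"], m["rhost"]


def find_offenders(log_text, maxretry=3, findtime=600, year=2009):
    """Return {rhost: ISO timestamp} for every source that reaches maxretry
    failures inside a sliding window of findtime seconds, keyed on the first
    moment the threshold was crossed (fail2ban-style maxretry/findtime logic)."""
    recent = defaultdict(deque)   # rhost -> timestamps of failures still inside the window
    offenders = {}
    for ts, _ruser, rhost in parse_failures(log_text, year):
        window = recent[rhost]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and rhost not in offenders:
            offenders[rhost] = ts.isoformat()
    return offenders


if __name__ == "__main__":
    for rhost, when in find_offenders(SAMPLE_LOG).items():
        print(f"{rhost} reached the failure threshold at {when}")
```

With the defaults, 127.0.0.1 (two failures) stays under the threshold and 192.0.2.10 is flagged at the third failure. Note that the quoted lines show rhost=127.0.0.1 because the test was run on the server itself; a real deployment should exclude loopback (fail2ban's ignoreip) so a local test does not lock the host out of its own mail service.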