Well, after going through my log files, I was hit with a dictionary based attack. My maillog is full of about 20,000 lines of crap like this:
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2 Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2 Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2 Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2 Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2 Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Starts with "A" and runs all the way to "Z". The IP traces back to cable modem subscriber on Cox Communications out of Arizona. I'll shoot them off my "standard" attack e-mail.
In the meantime, I need to modify fail2ban so that it checks the maillog for failed pop3 auth logins and bans IP's so this won't happen again.
Rodman
----- Original Message ----- From: "V S Rao" viriyala@yahoo.com To: dovecot@dovecot.org Sent: Thursday, June 25, 2009 1:15 PM Subject: Re: [Dovecot] Lots of pop3-logins
Doing a "ps aux" on my Slackware box, I have approx 100 PID's of "pop3-login's going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've check their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what.
No, login_processes_count matters.
How? If my understanding is correct, you have extra 3 login processes created to cater to new connections. So with only 3 POP3 users, why should so many login processes be spawned? I can understand 10-15. But 100 definitely indicates either the processes are not dying or something else happening on the system which is causing such high number of login processes. The system definitely needs to be checked for some kind of attack, a rogue process running on the system or something else.
Regards --Rao