On Thursday, 04.06.2009, at 14:53 +0200, Cédric Laruelle wrote:
Reproduced on 1.1.14 too and really problematic for me
Curious question:
Why is it so problematic for you?
As stated in my original post you only have to set auth_verbose to yes to get it logged. With that you can always block the attacker with a little script (fail2ban, ...).
Henry
-----Original Message-----
From: dovecot-bounces+laruellec=aiderdonner.com@dovecot.org [mailto:dovecot-bounces+laruellec=aiderdonner.com@dovecot.org] On behalf of Noel Butler
Sent: Thursday, 4 June 2009 12:48
To: henry ritzlmayr
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] Dovecot under brute force attack - nice attacker
On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
Hi List,
optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.
Dovecot Version 1.0.7 (CentOS 5.2)
The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this:
  dovecot: pop3-login: Aborted login: user=<test>,......
The problem: If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:
  telnet dovecot-server pop3
  user test
  pass test1
  user test
  pass test2
  ...
  QUIT
-> Only the last try gets logged.
Verified with 1.1.6 as well, nice catch Henry.
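
The "little script" approach mentioned in the thread, sketched as an added example (not code from any poster or from the Dovecot project): it counts per-IP authentication failures from auth_verbose lines, so repeated tries inside one connection are still caught. The log line layout, the failure phrases and the sample lines are constructed assumptions; adjust FAIL_RE and FAIL_WORDS to what your server actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of an auth_verbose failure line: "mechanism(user,ip): reason".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth\S*: "
    r"\S+?\((?P<user>[^,)]*),(?P<ip>[0-9a-fA-F.:]+)\): (?P<why>.+)$")
FAIL_WORDS = ("password mismatch", "unknown user")  # assumed failure phrases

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Jun  4 08:00:00 mail dovecot: auth(default): passwd-file(bob,203.0.113.5): password mismatch
Jun  4 09:00:00 mail dovecot: auth(default): passwd-file(bob,203.0.113.5): password mismatch
Jun  4 10:00:00 mail dovecot: auth(default): passwd-file(bob,203.0.113.5): password mismatch
Jun  4 11:00:00 mail dovecot: auth(default): passwd-file(bob,203.0.113.5): password mismatch
Jun  4 12:00:01 mail dovecot: auth(default): passwd-file(test,192.0.2.10): password mismatch
Jun  4 12:00:02 mail dovecot: auth(default): passwd-file(test,192.0.2.10): password mismatch
Jun  4 12:00:03 mail dovecot: auth(default): passwd-file(admin,192.0.2.10): unknown user
Jun  4 12:00:04 mail dovecot: auth(default): passwd-file(test,192.0.2.10): password mismatch
Jun  4 12:05:00 mail dovecot: auth(default): passwd-file(alice,198.51.100.7): password mismatch
"""

def offenders(lines, limit=4, window=timedelta(minutes=10), year=2009):
    """Return sorted IPs with at least `limit` failures inside `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or not any(w in m["why"] for w in FAIL_WORDS):
            continue  # not an auth failure line
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(m["ip"])
    return sorted(flagged)

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG.splitlines()):
        print("block candidate:", ip)
```

The four failures from 192.0.2.10 arrive within seconds, as they would from a single open connection, and are flagged; the hourly failures from 203.0.113.5 fall outside the window and are not.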