On 08.08.2014 at 20:11, Alex wrote:
Hi,
I have a Fedora 20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hammering pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5>
Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
It depends on whether these are your users or whether it's brute force. POP3 does not have much overhead; to fight brute force, use fail2ban
or you may have a look here
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
but be aware of NAT when blocking IPs
Best Regards
Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
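
Added example (not part of the thread, and not Dovecot or fail2ban code): a way to check from the log whether a busy address is a polling client or a brute-force source before blocking it, reporting per remote IP the peak successful and failed pop3 logins in any five-minute window and how many accounts share the address (the NAT caveat above). The "auth failed" line format, both limits and every address except 97.77.115.121 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Login:" lines match the thread's format; the "auth failed" wording is assumed.
EVENT = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) \S+ dovecot: pop3-login: "
    r"(Login|(?:Disconnected|Aborted login) \(auth failed[^)]*\)): "
    r"user=<([^>]*)>.*?\brip=([0-9a-fA-F.:]+)")

def max_in_window(times, window):
    """Largest number of events that fall inside any span of `window`."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def classify(lines, year=2014, window=timedelta(minutes=5),
             fail_limit=5, poll_limit=20):  # limits are illustrative assumptions
    ok, bad, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for m in filter(None, map(EVENT.match, lines)):
        stamp, kind, user, rip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        (ok if kind == "Login" else bad)[rip].append(when)
        users[rip].add(user)
    report = {}
    for rip, names in users.items():
        polls, fails = max_in_window(ok[rip], window), max_in_window(bad[rip], window)
        verdict = ("brute-force candidate" if fails >= fail_limit
                   else "frequent polling" if polls >= poll_limit else "normal")
        # Many accounts behind one address can mean NAT: review before blocking.
        report[rip] = dict(verdict=verdict, logins=polls, failures=fails, accounts=len(names))
    return report

def sample_log():
    """Constructed input; only user1 and 97.77.115.121 come from the thread."""
    t0 = datetime(2014, 8, 8, 14, 5, 20)
    def line(i, step, rest):
        t = t0 + timedelta(seconds=i * step)
        return f"{t:%b} {t.day} {t:%H:%M:%S} email dovecot: pop3-login: {rest}, lip=192.168.1.1"
    return ([line(i, 6, "Login: user=<user1>, method=PLAIN, rip=97.77.115.121") for i in range(50)]
            + [line(i, 2, f"Disconnected (auth failed, 1 attempts in 2 secs): user=<u{i}>, rip=203.0.113.7") for i in range(12)]
            + [line(i, 90, f"Login: user=<staff{i % 2}>, method=PLAIN, rip=198.51.100.9") for i in range(4)])

if __name__ == "__main__":
    for rip, row in classify(sample_log()).items():
        print(rip, row)
```

On a real server, pass the lines of the mail log to classify() and set year to the year of the log, since syslog timestamps carry none.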