LuKreme wrote the following on 26.08.2013 06:42:

In my dovecot.conf I do not have pop3-login enabled (since I do not support pop3):

# doveconf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE i386
auth_mechanisms = CRAM-MD5 DIGEST-MD5 APOP LOGIN PLAIN
disable_plaintext_auth = no
first_valid_uid = 89
log_path = /var/log/dovecot
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 50
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox NotJunk {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u
  driver = sql
}

but I see thousands (tens of thousands) of

dovecot:Aug 18 14:26:06 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.93, session=<+VcroT7kUgBKX1KW>
dovecot:Aug 18 14:26:10 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.93, session=<kbNdoT7kWwBKX1KW>
dovecot:Aug 18 14:26:13 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.93, session=<rRWQoT7kWgBKX1KW>
dovecot:Aug 18 14:26:15 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.91, session=<feCpoT7kfwBKX1KW>
dovecot:Aug 18 14:26:16 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.93, session=<lmTCoT7kiQBKX1KW>
dovecot:Aug 18 14:26:18 pop3-login: Info: Aborted login (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=74.95.82.150, lip=75.148.117.91, session=<5oPcoT7ktABKX1KW>

Yes, I need to install fail2ban or something on this new machine, but
still...

Besides the above, if you are not going to use POP3 at all, I would close port 110 and port 995 with DROP so that these accesses go nowhere.
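
The repeated-failure counting that a tool such as fail2ban applies to log lines like the ones quoted above, as an added example that is not part of the original messages and is not fail2ban's own code: it parses failed logins in that format and flags each (service, remote IP) pair that reaches a threshold inside a time window. The sample lines, addresses, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the thread's log format (documentation-range addresses).
_FMT = ("dovecot:Aug 18 {t} {svc}: Info: Aborted login (auth failed, {n} attempts "
        "in 17 secs): user=<john>, method=PLAIN, rip={rip}, lip=198.51.100.5, "
        "session=<constructed>")
SAMPLE = [_FMT.format(t=t, svc=s, n=n, rip=r) for t, s, n, r in [
    ("14:00:00", "pop3-login", 3, "192.0.2.99"),
    ("14:26:06", "pop3-login", 1, "192.0.2.10"),
    ("14:26:10", "pop3-login", 1, "192.0.2.10"),
    ("14:26:13", "pop3-login", 1, "192.0.2.10"),
    ("14:26:15", "imap-login", 1, "203.0.113.7"),
    ("14:26:15", "pop3-login", 1, "192.0.2.10"),
    ("14:26:16", "pop3-login", 1, "192.0.2.10"),
    ("14:26:18", "pop3-login", 1, "192.0.2.10"),
    ("14:30:00", "pop3-login", 2, "192.0.2.99"),
]] + ["dovecot:Aug 18 14:31:00 imap-login: Info: Login: user=<alice>, "
      "method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, session=<constructed>"]

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<svc>\S+-login): Info: "
    r".*?\(auth failed, (?P<n>\d+) attempts.*?rip=(?P<rip>[0-9A-Fa-f.:]+)")

def parse(line, year=2013):
    """Return (time, service, remote_ip, attempts) for a failed login, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Syslog-style timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["rip"], int(m["n"])

def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map (service, remote_ip) to the time it first reached max_failures in window."""
    recent, flagged = defaultdict(deque), {}
    for ts, svc, rip, attempts in filter(None, map(parse, lines)):
        q = recent[(svc, rip)]
        q.extend([ts] * attempts)          # one entry per failed attempt
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault((svc, rip), ts)
    return flagged

if __name__ == "__main__":
    for (svc, rip), when in offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} {svc} {rip}: threshold reached")
```

Here `max_failures` and `window` play the role of fail2ban's `maxretry` and `findtime` settings.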