[Dovecot] Under POP attack - how to prevent?
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Any suggestions on how to prevent this?
Using Dovecot 1.2RC4
Thanks,
James.
James Brown wrote:
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Any suggestions on how to prevent this?
Using Dovecot 1.2RC4
Route that address to localhost? Works here :)
There are various automated tools, like fail2ban, which can help with this -- if you're using a setup they can hook into.
-- Curtis Maloney cmaloney@cardgate.net
On Friday, 05.06.2009 at 12:04 +1000, James Brown wrote:
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Since the attacker is playing nice you could also limit the maximum connection attempts to the pop3 port in a given timeframe. And if that limit is reached block the ip for a certain amount of time. If you firewall with netfilter, hashlimit is your friend.
Interesting for me is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.
Henry
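The log in the original post shows why the two suggestions above (fail2ban from Curtis, netfilter hashlimit from Henry) work where a per-session delay does not: every line reads "1 attempts", i.e. the attacker opens a fresh connection for each guess, so the only thing that ties the guesses together is the remote IP (rip=). The following added example, which is not code from the thread, from Dovecot or from fail2ban, reproduces by hand the check those tools automate: count auth failures per rip across separate connections inside a sliding time window and ban the address once a threshold is crossed. The threshold names maxretry and findtime are borrowed from fail2ban's option names; the year (syslog timestamps carry none), the second address 192.0.2.10 and the successful "Login:" line are constructed additions to the posted log.

```python
"""Sliding-window counting of Dovecot pop3-login auth failures per remote IP.

Added example for this thread; not code from Dovecot, fail2ban or the posters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot 1.x login-process failure line, in the shape shown in the thread.
FAIL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot\[\d+\]: "
    r"(?:pop3|imap)-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample: the ten lines from the original post (each a separate
# connection, hence "1 attempts"), plus one stray failure from a second,
# assumed address and one successful login that must not be counted.
SAMPLE_LOG = """\
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:29 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:33 mail dovecot[2620]: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.168.1.9
""".splitlines()


def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; assume the thread's year (2009)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def offenders(lines, maxretry=5, findtime=60):
    """Return {rip: time of the failure that crossed the threshold}.

    An address is banned once it has produced maxretry failures within any
    findtime-second window. Only failures still inside the window are kept
    per address, so memory stays bounded by maxretry entries per address.
    """
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        rip = m.group("rip")
        if rip in banned:
            continue  # already decided; a real tool would have dropped the traffic
        t = parse_ts(m.group("ts"))
        q = windows[rip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()  # slide the window forward
        if len(q) >= maxretry:
            banned[rip] = t
    return banned


def ban_commands(banned, port=110):
    """Render the netfilter action a tool would take, one rule per banned address."""
    return [f"iptables -I INPUT -s {rip} -p tcp --dport {port} -j DROP"
            for rip in sorted(banned)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for rip, when in hits.items():
        print(f"{rip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

With the defaults (5 failures in 60 seconds) the address from the post is caught on its fifth line, at 11:48:27, seven seconds into the run, while 192.0.2.10 with a single failure is left alone. The same decision can be taken at the connection level without reading logs, which is what the hashlimit suggestion amounts to: a rule of the form `iptables -A INPUT -p tcp --dport 110 -m state --state NEW -m hashlimit --hashlimit-above 5/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name pop3 -j DROP` counts new connections per source address and drops the excess, trading the log-parsing step for an inability to tell a failed login from a legitimate client that polls often.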
On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote:
Interesting for me is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.
That's because the client disconnects between attempts. Currently the delay increase is done only within a single session.
On Friday, 05.06.2009 at 02:26 -0400, Timo Sirainen wrote:
On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote:
Interesting for me is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.
That's because the client disconnects between attempts. Currently the delay increase is done only within a single session.
Ok, if that's so, please really consider the possibility to disconnect a user if he/she provides the wrong credentials. Otherwise we would have to deal with two kinds of attackers in two places. The ones which don't disconnect themselves would have to be handled by dovecot (growing delay) and the ones which disconnect would have to be handled by firewall/fail2ban etc. I personally prefer (I'm sure you figured that already) a centralized approach on the firewall.
Have a nice trip to Frisco,
Henry
- James Brown jlbrown@bordo.com.au:
Looks like we are under a dictionary login attack on our POP server: ...
Any suggestions on how to prevent this?
apt-get install fail2ban
-- Ralf Hildebrandt Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.computerbeschimpfung.de May's Law: The quality of correlation is inversely proportional to the density of control. (The fewer data points, the smoother the curves.)