[Dovecot] Would attempting plaintext auth repeatably cause a DOS and server to crash?
Hey All,
I'm just wondering whether this is what caused my server to crash.
Started last night in NZ land.
Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<0C8LzpDfZQDINsQC>
occasionally get
Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=attackerip, lip=10.0.0.3, session=<bHdz0JDfpwDINsQC> or in 0 secs
last at Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<1MUR3ZDfcwDINsQC>
and a minute later the server lost contact to the world. When I checked a bit later, the underlying host machine (dovecot runs on a VM (KVM)) had been powered off.
Now, here in NZ land, there was also a crazy storm last night, and lots of brownouts. There could potentially have been a surge that killed it, but the UPS was still running fine when I started it again.
The "attack" lasted around 4 minutes, in which there were 1161 lines in the log for a single attacker IP, and no other similar logs previously.
Would this be enough to kill not only the VM running dovecot, but the underlying host machine?
All up to date with patches, running Debian stable (wheezy): dovecot-core Debian package version 1:2.1.7-7 (dovecot version 2.1.7). I notice there is a version 2.2.3 out, but not in Debian yet. Could this fix this issue? I don't particularly want to have it happen again :D.
Any thoughts?
Cheers,
Hugh
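An added example, not from the thread or from Dovecot itself: a small Python parser for imap-login disconnect lines in the shape Hugh quotes, grouping them by remote IP (the rip= field) and reporting count, reason breakdown and sustained lines per minute, which turns "1161 lines from one IP in four minutes" into a figure you can alert on. The sample lines are constructed (three copy the thread's placeholder `attackerip`, one uses a documentation address) and the thresholds in `noisy_ips` are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches "imap-login: Disconnected (...)" lines as quoted in the thread;
# rip= is the remote (client) address, lip= the local one.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \((?P<reason>[^)]*)\): user=<[^>]*>, rip=(?P<rip>[^,]+),"
)

def parse_line(line, year=2013):
    """Return (timestamp, rip, reason) for a disconnect line, else None (syslog has no year)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rip"], m["reason"]

def summarize(lines, year=2013):
    """Per remote IP: count, first/last seen, reasons, lines per minute (span floored at 1 s)."""
    per_ip = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, rip, reason = parsed
        s = per_ip.setdefault(rip, {"count": 0, "first": ts, "last": ts,
                                    "reasons": defaultdict(int)})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["reasons"][reason] += 1
    for s in per_ip.values():
        span_s = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["per_minute"] = s["count"] * 60.0 / span_s
    return per_ip

def noisy_ips(summary, min_count=100, min_per_minute=60.0):
    """IPs exceeding both thresholds; the defaults are constructed, tune them per site."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_count and s["per_minute"] >= min_per_minute)

# Constructed sample input: the thread's placeholder client plus one unrelated client.
SAMPLE = [
    "Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<0C8LzpDfZQDINsQC>",
    "Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=attackerip, lip=10.0.0.3, session=<bHdz0JDfpwDINsQC>",
    "Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<1MUR3ZDfcwDINsQC>",
    "Jun 20 19:24:00 elm dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.7, lip=10.0.0.3, session=<constructed0001>",
]
```

Run it over a real `mail.log` with `summarize(open(path))` and feed the result to `noisy_ips`; over Hugh's four-minute window, 1161 lines would come out at roughly 275 per minute.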
On Fri, 21 Jun 2013, Hugh Davenport wrote:
and a minute later the server lost contact to the world. When I checked a bit later, the underlying host machine (dovecot runs on a VM (KVM)) had been powered off.
I cannot believe that a DoS of a guest VM causes the host machine to power off.
Steffen Kaiser
I doubt that the 1161 log lines would cause the VM to crash. It would potentially cause the logging directory to fill up if you have a small /var partition where the logs are kept, and at that point it could potentially freeze the VM, but not cause the host to crash. I think your issue revolves around the storms. I also do not consider 1161 log lines a DoS. If it takes 1161 lines of failure entries to deny service to your server, then I would take a look at your setup.
-- Daniel Reinhardt cryptodan@cryptodan.net http://www.cryptodan.net 301-875-7018(c) 410-455-0488(h)