Re: dovecot auth using 100% CPU
Jorge Bastos <mysql.jorge@decimal.pt> wrote:
> What do you see in the logs? My guess is that someone is trying a brute force auth against you,
Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP authentication. The exim4 logs show brute force attacks.
-- Edward.
Edward Betts <edward@4angle.com>:
> Jorge Bastos <mysql.jorge@decimal.pt> wrote:
> > What do you see in the logs? My guess is that someone is trying a brute force auth against you,
> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP authentication. The exim4 logs show brute force attacks.
A little late response, but since you're using debian you could try pulling in fail2ban: apt-get install fail2ban
fail2ban scans the logs of various services for attacks and firewalls out the attacking IP addresses.
There are no built-in rules for exim or dovecot in the debian fail2ban package, but there is something here that could possibly be adapted...? http://wiki2.dovecot.org/HowTo/Fail2Ban
Here's a filter for exim: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf
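The log-scanning behaviour described above, as an added illustration that is not part of this thread and not fail2ban's own code: a small Python script that applies a fail2ban-style filter regex to a few constructed exim4-style authentication-failure lines and reports any source IP that reaches `maxretry` failures inside a `findtime` window (fail2ban's own setting names). The log line format and the regex are assumptions modelled on exim's usual mainlog output and should be checked against your own /var/log/exim4/mainlog before relying on them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of exim4's mainlog (format assumed):
# three failures from one host inside a few seconds, one unrelated delivery
# line, one failure from a second host, and a late failure from the first host.
SAMPLE_LOG = """\
2015-07-03 14:28:01 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2015-07-03 14:28:03 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
2015-07-03 14:28:04 1ZB3xX-0001Dr-Q2 <= sender@example.org H=relay.example.org [198.51.100.5] P=esmtps S=1234
2015-07-03 14:28:05 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=carol)
2015-07-03 14:28:07 dovecot_plain authenticator failed for (host) [203.0.113.7]: 535 Incorrect authentication data (set_id=dave)
2015-07-03 14:40:00 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=erin)
"""

# Assumed filter pattern: timestamp, authenticator name, optional client id,
# the bracketed source address, and exim's 535 response.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\S+ authenticator failed for (?:\S+ )?\(\S+\) \[(?P<host>[^\]]+)\]: 535 "
)


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: timestamp of the failure that crossed the threshold}.

    Mirrors fail2ban's sliding window: an IP is flagged once it has at least
    maxretry matching failures within the last findtime seconds.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an auth failure; ignore delivery and other lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("host")
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

With the defaults only 192.0.2.10 is flagged (three failures within four seconds); 203.0.113.7 has a single failure and stays below the threshold, and the 14:40 failure falls outside the 600-second window so it does not start a fresh count on its own.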
On Friday, 03.07.2015, 14:28 +0200, Steinar Bang wrote:
> fail2ban scans the logs of various services for attacks and firewalls out the attacking IP addresses.
> There are no built-in rules for exim or dovecot in the debian fail2ban package, but there is something here that could possibly be adapted...?
Are you talking about wheezy or jessie? jessie has rules. But they need to be enabled like this:
# cat /etc/fail2ban/jail.d/local.conf
[exim]
enabled = true

[exim-spam]
enabled = true

[dovecot]
enabled = true
Felix Zielcke <fzielcke@z-51.de>:
> Are you talking about wheezy or jessie?
Well I looked on a jessie system, but the fail2ban was pulled in when it was wheezy (or maybe even easier).
> jessie has rules. But they need to be enabled like this:
> # cat /etc/fail2ban/jail.d/local.conf
> [exim]
> enabled = true
>
> [exim-spam]
> enabled = true
>
> [dovecot]
> enabled = true
Ok, thanks!
On Friday, 03.07.2015, 21:53 +0200, Steinar Bang wrote:
> Felix Zielcke <fzielcke@z-51.de>:
> > Are you talking about wheezy or jessie?
> Well I looked on a jessie system, but the fail2ban was pulled in when it was wheezy (or maybe even easier).
They're in /etc/fail2ban/filter.d
And yes, I also needed a while to figure this system out. Especially that they need to be enabled in a jail.d/*.conf file.
Though this is a fresh Debian jessie install. And files in /etc are specially handled on upgrades, instead of all the other files in a Debian package.