Hi,

I was just looking for some advice on avoiding getting DoS'd from brute force log in attempts. We came in this morning to find that one of our Solaris 9 dovecot severs had wedged overnight due to a brute force connection attempt to pop3 from Brasil. In the span of about 15 seconds we received 342 connection auth attempts from the same IP:

Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16862 Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16863 Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Login failed: Plaintext authentication disabled: rip=189.99.178.15, lip=xxxxx Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Aborted login (tried to use disabled plaintext auth): rip=189.99.178.15, lip=xxxxx

Dovecot finally wedged silently and without complaint, becoming completely unresponsive. I had to kill -9 it this morning in order to restart the service. Once possibility I considered was that the dovecot user process limit was reached, but this is set to 1024, and I didn't see any errors or warnings anywhere in the logs.

login_max_processes_count = 256 max_mail_processes = 1024

With the above I would think it would have been able to handle it gracefully, but apparently it did not. ulimit -n 2048 is also set on dovecot startup for the fd limit.

Any suggestions on what I could tweak to prevent this from happening in the future?

dovecot -n output:

Note I upgraded to 1.2.4 this morning while it was already down. We were running either 1.2.0 or 1.2.1 last night, sorry didn't think to check first. ;)

bash-2.05# ulimit -n 2048; dovecot -n # 1.2.4: /usr/local/etc/dovecot.conf # OS: SunOS 5.9 sun4u protocols: imap imaps pop3 pop3s ssl_cert_file: /usr/local/ssl/certs/nbcs.key+crt.pem ssl_key_file: /usr/local/ssl/certs/nbcs.key+crt.pem login_dir: /usr/local/var/run/dovecot/login login_executable(default): /usr/local/libexec/dovecot/imap-login login_executable(imap): /usr/local/libexec/dovecot/imap-login login_executable(pop3): /usr/local/libexec/dovecot/pop3-login login_max_processes_count: 256 max_mail_processes: 1024 mail_location: maildir:~/Maildir:INDEX=/toolbox/nqu%h/dovecot:CONTROL=/toolbox/nqu%h/dovecot mmap_disable: yes mail_nfs_storage: yes mail_nfs_index: yes mail_executable(default): /usr/local/libexec/dovecot/imap mail_executable(imap): /usr/local/libexec/dovecot/imap mail_executable(pop3): /usr/local/libexec/dovecot/pop3 mail_plugins(default): quota imap_quota fts fts_squat mail_plugins(imap): quota imap_quota fts fts_squat mail_plugins(pop3): quota mail_plugin_dir(default): /usr/local/lib/dovecot/imap mail_plugin_dir(imap): /usr/local/lib/dovecot/imap mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3 pop3_uidl_format(default): %08Xu%08Xv pop3_uidl_format(imap): %08Xu%08Xv pop3_uidl_format(pop3): UID%u-%v namespace: type: private separator: . prefix: INBOX. inbox: yes list: yes subscriptions: yes lda: postmaster_address: postmaster@jla.rutgers.edu auth default: verbose: yes debug: yes passdb: driver: pam args: * userdb: driver: passwd plugin: quota: fs fts: squat fts_squat: partial=4 full=4

--

David Halik System Administrator OIT-CSS Rutgers University dhalik@jla.rutgers.edu