[Dovecot] Dovecot under brute force attack - nice attacker
henry ritzlmayr
dovecot at rc0.at
Thu Jun 4 13:16:00 EEST 2009
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
Dovecot Version 1.0.7 (CentOS 5.2)
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed and reopened the connection
after every user/password combination the logs showed
many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......
The problem:
If the attacker hadn't closed and reopened the connection,
no log would have been generated and he/she would have had endless
tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
-> Only the last try gets logged.
If I enable auth_verbose every attempt gets logged, but if I read the
docs correctly this option should only be used for figuring out why
authentication isn't working.
Question:
Is there any way to close the connection after the
first wrong user/pass combination, so an attacker would be forced
to reopen it?
This would be perfect since an easy iptables/hashlimit would avoid
such a brute force attack.
Any other ideas?
Henry
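
Added example, not part of the original post and not Dovecot code: a sketch of the policy the question asks for, where every failed PASS is logged with the source address and the connection is closed after `max_failures` bad attempts. The `LoginSession` class, the `replay` helper, the log line format, the address and the credentials are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed session mirroring the reproduction steps in the post.
SESSION = ["user test", "pass test1", "user test", "pass test2", "QUIT"]


@dataclass
class LoginSession:
    """Hypothetical per-connection POP3 login state (not Dovecot's code)."""
    remote_ip: str
    credentials: dict                 # constructed user -> password store
    max_failures: int = 1             # close after this many bad PASS commands
    log: list = field(default_factory=list)
    failures: int = 0
    user: str = ""
    closed: bool = False
    authenticated: bool = False

    def handle(self, line: str) -> str:
        """Process one client line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            expected = self.credentials.get(self.user)
            if expected is not None and hmac.compare_digest(expected, arg):
                self.authenticated = True
                return "+OK Logged in."
            # Log every failed attempt, not only the last one per connection.
            self.failures += 1
            self.log.append(f"auth failed: user=<{self.user}>, rip={self.remote_ip}")
            self.user = ""
            if self.failures >= self.max_failures:
                self.closed = True    # the next guess needs a new connection
                return "-ERR Authentication failed, closing connection."
            return "-ERR Authentication failed."
        self.closed = verb == "QUIT"
        return "+OK Bye." if self.closed else "-ERR Unknown command."


def replay(lines, **kwargs):
    """Feed client lines until the server closes; return (session, lines used)."""
    session, used = LoginSession(**kwargs), 0
    for used, line in enumerate(lines, 1):
        session.handle(line)
        if session.closed:
            break
    return session, used
```

Replaying `SESSION` with the default `max_failures=1` stops after the first wrong password, so each further guess costs a new connection that a per-connection iptables/hashlimit rule can count.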