[Dovecot] Dovecot under brute force attack - nice attacker

Cédric Laruelle laruellec at aiderdonner.com
Thu Jun 4 15:53:57 EEST 2009


Reproduced on 1.1.14 too and really problematic for me

-----Original Message-----
From: dovecot-bounces+laruellec=aiderdonner.com at dovecot.org
[mailto:dovecot-bounces+laruellec=aiderdonner.com at dovecot.org] On Behalf Of
Noel Butler
Sent: Thursday, June 4, 2009 12:48
To: henry ritzlmayr
Cc: dovecot at dovecot.org
Subject: Re: [Dovecot] Dovecot under brute force attack - nice attacker

On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:

> Hi List, 
> 
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior. 
> 
> Dovecot Version 1.0.7 (CentOS 5.2)
> 
> The short story:
> On one of our servers an attacker did a brute force 
> attack on dovecot (pop3). 
> Since the attacker closed and reopened the connection 
> after every user/password combination the logs showed 
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
> 
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless 
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> 
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
> 



Verified with 1.1.6 as well, nice catch Henry.
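
The logging gap reported in this thread, modelled as an added example (not code from the posters or from Dovecot): a fail2ban-style counter run over constructed log lines, first with one line per connection as described above, then with a hypothetical one line per failed attempt. The `rip=` field, the addresses and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed line format: the post shows only "Aborted login: user=<test>,......";
# the rip= field after it is an assumption made for this example.
LINE_RE = re.compile(
    r"pop3-login: Aborted login: user=<(?P<user>[^>]*)>.*\brip=(?P<rip>\S+)"
)

def log_per_connection(rip, tries):
    """Logging as described in the post: one line per connection, last try only."""
    if not tries:
        return []
    return [f"dovecot: pop3-login: Aborted login: user=<{tries[-1]}>, rip={rip}"]

def log_per_attempt(rip, tries):
    """Hypothetical alternative: one line for every failed USER/PASS pair."""
    return [f"dovecot: pop3-login: Aborted login: user=<{u}>, rip={rip}" for u in tries]

def banned_ips(lines, max_retry=5):
    """fail2ban-style counter: flag a source once it has max_retry matching lines."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hits[m.group("rip")] += 1
    return {ip for ip, n in hits.items() if n >= max_retry}

def scenario(logger):
    """Two constructed clients, 20 failed logins each, rendered by the given logger."""
    lines = []
    # 192.0.2.10 reconnects after every try: 20 connections, 1 try each.
    for _ in range(20):
        lines += logger("192.0.2.10", ["test"])
    # 192.0.2.20 keeps a single connection open for all 20 tries.
    lines += logger("192.0.2.20", ["test"] * 20)
    return lines

if __name__ == "__main__":
    print("per-connection logging flags:", banned_ips(scenario(log_per_connection)))
    print("per-attempt logging flags:   ", banned_ips(scenario(log_per_attempt)))
```

With per-connection logging the client that never reconnects produces a single line and stays under any line-count threshold; only per-attempt logging gives the counter enough data to flag both sources.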



