[Dovecot] Dovecot under brute force attack - nice attacker
henry ritzlmayr
dovecot at rc0.at
Thu Jun 4 17:18:30 EEST 2009
On Thursday, 04.06.2009, at 14:53 +0200, Cédric Laruelle wrote:
> Reproduced on 1.1.14 too and really problematic for me
Curious question:
Why is it so problematic for you?
As stated in my original post you only have to set auth_verbose to yes
to get it logged. With that you can always block the attacker with
a little script (fail2ban,..).
Henry
> -----Original Message-----
> From: dovecot-bounces+laruellec=aiderdonner.com at dovecot.org
> [mailto:dovecot-bounces+laruellec=aiderdonner.com at dovecot.org] On Behalf Of
> Noel Butler
> Sent: Thursday, 4 June 2009 12:48
> To: henry ritzlmayr
> Cc: dovecot at dovecot.org
> Subject: Re: [Dovecot] Dovecot under brute force attack - nice attacker
>
> On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
>
> > Hi List,
> >
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior.
> >
> > Dovecot Version 1.0.7 (CentOS 5.2)
> >
> > The short story:
> > On one of our servers an attacker did a brute force
> > attack on dovecot (pop3).
> > Since the attacker closed and reopened the connection
> > after every user/password combination the logs showed
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> >
> > The problem:
> > If the attacker hadn't closed and reopened the connection
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
> >
>
>
>
> Verified with 1.1.6 as well, nice catch Henry.
>
>
>
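
A minimal version of the "little script" idea from the reply above, as an added example that is not part of the original message and is not Dovecot's or fail2ban's code: it counts per-attempt authentication failures by client IP in a sliding window, which still works when all attempts arrive over one connection. The auth_verbose line shape, the constructed sample lines (the "Aborted login" line is the one quoted in the thread) and the names `AUTH_FAIL`, `find_offenders` and `SAMPLE_LOG` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Dovecot 1.x line shape with auth_verbose = yes (not taken from the thread):
#   <syslog time> <host> dovecot: auth(default): <passdb>(<user>,<ip>): <reason>
# The pattern is anchored at line start and the client-supplied user field may not
# contain ',', '(' or ')', so a crafted user name cannot move the ip group.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"auth(?:-worker)?\(\w+\): [\w-]+\((?P<user>[^,()]*),(?P<ip>[0-9A-Fa-f.:]+)\): "
    r"(?:unknown user|password mismatch)\b",
    re.IGNORECASE,
)

# Constructed sample: three tries inside one POP3 connection, then the single
# connection-level line from the thread, then one typo by an unrelated client.
SAMPLE_LOG = """\
Jun  4 12:10:01 mail dovecot: auth(default): passwd-file(test,192.0.2.10): unknown user
Jun  4 12:10:02 mail dovecot: auth(default): passwd-file(test,192.0.2.10): unknown user
Jun  4 12:10:03 mail dovecot: auth(default): passwd-file(test,192.0.2.10): unknown user
Jun  4 12:10:04 mail dovecot: pop3-login: Aborted login: user=<test>,......
Jun  4 12:15:40 mail dovecot: auth(default): passwd-file(alice,198.51.100.7): Password mismatch
""".splitlines()


def find_offenders(lines, max_failures=3, window=timedelta(minutes=10), year=2009):
    """Return {ip: peak failure count} for IPs reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m is None:
            continue              # connection-level and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within window")
```

The returned addresses are what a blocking step (a firewall rule, or a fail2ban jail doing the same matching) would act on.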