[Dovecot] Dovecot under brute force attack - nice attacker

Mark Sapiro mark at msapiro.net
Thu Jun 4 19:51:37 EEST 2009


On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
> 
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless 
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> 
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.


I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs every
failed attempt:

Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun  4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1

So, fail2ban will block based on the pam log.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
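The per-host counting that fail2ban does over those pam_unix lines, as an added example that is not part of this thread or of fail2ban's own code. The regex, the thresholds (maxretry, findtime) and the extra sample lines beyond the two quoted above are my own constructions; the point it makes is the one from the thread: counting only works because pam records every failed PASS, whereas Dovecot's own log line appears only once the attacker disconnects.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern modelled on the pam_unix lines quoted in the thread. Only
# "authentication failure" lines carry ruser/rhost; the
# "check pass; user unknown" lines are deliberately ignored.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure; .*"
    r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)$"
)

# Constructed sample log: the first four lines are the ones from the thread,
# the rest are invented to exercise the time window (192.0.2.10 is a
# documentation address, not a real host).
SAMPLE_LOG = """\
Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun  4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1
Jun  4 09:38:30 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=127.0.0.1
Jun  4 09:40:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
Jun  4 10:30:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
Jun  4 10:31:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
"""


def parse_failures(lines, year=2009):
    """Return a list of (timestamp, ruser, rhost) for every pam auth failure.

    Syslog timestamps carry no year, so one is supplied (assumed 2009, the
    year of the thread).
    """
    failures = []
    for line in lines:
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue
        ts_text = re.sub(r"\s+", " ", m.group("ts"))  # "Jun  4" -> "Jun 4"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("ruser"), m.group("rhost")))
    return failures


def hosts_to_ban(lines, maxretry=3, findtime=600, year=2009):
    """Sliding-window check in the spirit of fail2ban's maxretry/findtime.

    A host is reported when at least `maxretry` failures fall within any
    `findtime`-second window. Failures spread out over a longer span than
    findtime do not trigger, which is the usual reason a slow brute force
    slips past a jail configured with a short window.
    """
    by_host = defaultdict(list)
    for ts, _ruser, rhost in parse_failures(lines, year):
        by_host[rhost].append(ts)

    banned = set()
    for rhost, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it fits within findtime.
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(rhost)
                break
    return sorted(banned)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures parsed:", len(parse_failures(lines)))
    print("ban (600s window):", hosts_to_ban(lines))
    print("ban (3600s window):", hosts_to_ban(lines, findtime=3600))
```

With the defaults, 127.0.0.1 is reported (three failures in under a minute) while 192.0.2.10 is not, because its three failures span 51 minutes; widening findtime to an hour catches it as well. Note that with the attacker behaviour henry describes (one connection, many USER/PASS pairs), the Dovecot log line alone would never reach three entries, so a jail reading only Dovecot's log would not fire; the pam log is what makes this work.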