[Dovecot] Dovecot under brute force attack - nice attacker
Noel Butler
noel.butler at ausics.net
Fri Jun 5 01:07:35 EEST 2009
On Thu, 2009-06-04 at 18:58 +0200, henry ritzlmayr wrote:
> Am Donnerstag, den 04.06.2009, 18:27 +0200 schrieb Steve:
> > > The Idea is good but I guess an option to just disconnect the attacker
> > > wouldn't hurt in the config file?
> > >
> > Is that not the wrong approach? I mean: all you wanted is to have a log entry showing when there was a username/password mismatch when logging in. And you found out that with normal logging options that log entry only shows up if the connection get's disconnected. Right? So would it not be better to have an option to log ANY username/password login mismatch even if the user/attacker does not disconnect?
>
> Right, logging a wrong username/password should always be done.
> That's one reason why I favor a disconnect. Almost any service
> logs a disconnect - so does dovecot.
>
Also, I think not disconnecting is only supportive to those who want to
run scripts as such and perform brute force attacks
or hacks, I can see no reason why, if you fail as user unknown, you
should not be dropped.
More information about the dovecot
mailing list