[Dovecot] avoiding DoS

David Halik dhalik at jla.rutgers.edu
Thu Sep 3 18:07:18 EEST 2009


Hi,

I was just looking for some advice on avoiding getting DoS'd from brute 
force login attempts. We came in this morning to find that one of our 
Solaris 9 dovecot servers had wedged overnight due to a brute force 
connection attempt to pop3 from Brazil. In the span of about 15 seconds 
we received 342 connection auth attempts from the same IP:

Sep  3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16862
Sep  3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16863
Sep  3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Login failed: Plaintext authentication disabled: rip=189.99.178.15, lip=xxxxx
Sep  3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Aborted login (tried to use disabled plaintext auth): rip=189.99.178.15, lip=xxxxx

Dovecot finally wedged silently and without complaint, becoming 
completely unresponsive. I had to kill -9 it this morning in order to 
restart the service. One possibility I considered was that the dovecot 
user process limit was reached, but this is set to 1024, and I didn't 
see any errors or warnings anywhere in the logs.

login_max_processes_count = 256
max_mail_processes = 1024

With the above I would think it would have been able to handle it 
gracefully, but apparently it did not. ulimit -n 2048 is also set on 
dovecot startup for the fd limit.

Any suggestions on what I could tweak to prevent this from happening in 
the future?

dovecot -n output:

Note I upgraded to 1.2.4 this morning while it was already down. We were 
running either 1.2.0 or 1.2.1 last night; sorry, I didn't think to check 
first. ;)

bash-2.05# ulimit -n 2048; dovecot -n
# 1.2.4: /usr/local/etc/dovecot.conf
# OS: SunOS 5.9 sun4u
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/local/ssl/certs/nbcs.key+crt.pem
ssl_key_file: /usr/local/ssl/certs/nbcs.key+crt.pem
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_max_processes_count: 256
max_mail_processes: 1024
mail_location: 
maildir:~/Maildir:INDEX=/toolbox/nqu%h/dovecot:CONTROL=/toolbox/nqu%h/dovecot
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): quota imap_quota fts fts_squat
mail_plugins(imap): quota imap_quota fts fts_squat
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): UID%u-%v
namespace:
   type: private
   separator: .
   prefix: INBOX.
   inbox: yes
   list: yes
   subscriptions: yes
lda:
   postmaster_address: postmaster at jla.rutgers.edu
auth default:
   verbose: yes
   debug: yes
   passdb:
     driver: pam
     args: *
   userdb:
     driver: passwd
plugin:
   quota: fs
   fts: squat
   fts_squat: partial=4 full=4

-- 
================================
David Halik
System Administrator
OIT-CSS Rutgers University
dhalik at jla.rutgers.edu
================================
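A defender-side detection pass over the log format quoted above, as an added example that is not part of the original post: it parses Dovecot 1.x pop3-login/imap-login failure lines, counts failures per remote address (the rip= field) in a sliding time window, and flags sources that exceed a threshold, which is the signal a firewall rule or fail2ban-style blocker would act on rather than letting the login processes absorb the flood. The sample log lines, the hostname and the 192.0.2.x/198.51.100.x addresses are constructed; the 15-second window, the threshold and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot 1.x syslog failure lines as quoted in the post, e.g.
# "Sep  3 00:10:51 host dovecot: [ID 583609 mail.info] pop3-login: Login failed: ...: rip=A.B.C.D, lip=..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:\[ID \d+ \S+\] )?(?:pop3|imap)-login: "
    r"(?:Login failed|Aborted login).*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def find_bursts(lines, window_seconds=15, threshold=50, year=2009):
    """Return {rip: peak failures in any window} for sources at or above threshold.
    Syslog stamps carry no year, so one is assumed (2009, the post's date)."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # auth(default) chatter and successful logins are ignored
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["rip"]].append(ts)
    offenders = {}
    for rip, stamps in failures.items():
        stamps.sort()
        window, peak = deque(), 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop attempts older than the window
            peak = max(peak, len(window))
        if peak >= threshold:
            offenders[rip] = peak
    return offenders

def constructed_sample():
    """Constructed log (not from the post): one bursting source, one ordinary user."""
    lines = []
    for i in range(60):  # 5 failures per second from 00:10:51 to 00:11:02
        sec = 51 + i // 5
        ts = f"Sep  3 00:{10 + sec // 60:02d}:{sec % 60:02d}"
        lines.append(f"{ts} mailhost dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid={16862 + i}")
        lines.append(f"{ts} mailhost dovecot: [ID 583609 mail.info] pop3-login: Login failed: Plaintext authentication disabled: rip=192.0.2.10, lip=10.0.0.5")
    for ts in ("Sep  3 00:10:52", "Sep  3 00:12:30", "Sep  3 00:13:45"):
        lines.append(f"{ts} mailhost dovecot: [ID 583609 mail.info] imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7, lip=10.0.0.5")
    return lines

if __name__ == "__main__":
    for rip, peak in find_bursts(constructed_sample()).items():
        print(f"{rip}: {peak} failed logins within 15s, candidate for blocking")
```

Run against the real log, the same function gives the per-source burst counts to tune a block threshold against; the bursting constructed source is reported, the user with three spread-out failures is not.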