[Dovecot] 64.31.19.48 attempt to break into my computer
Charles Marcus
CMarcus at Media-Brokers.com
Thu Sep 22 17:08:08 EEST 2011
On 2011-09-19 1:05 PM, Rick Baartman <baartman at lin12.triumf.ca> wrote:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.
Dictionary attacks are quite common, nothing new here...
fail2ban is what I use, would have killed this one (since it's from the
same IP) almost immediately...
It doesn't work so well with sophisticated bots that can change IPs at
will, but the secondary method of locking out an account after X number
of failed auth attempts will eliminate the risk of a focused attack on a
single account, so as long as you are using strong passwords, your
system is secure (from these kinds of attacks, at least).
The only attack I haven't figured out how to eliminate is the
social/phishing attack, where $DumbUser gives out their username and
password voluntarily... although I have been considering faking a
phishing attack on my own users, and flagging the ones who fall for it
for training.
--
Best regards,
Charles
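The two mechanisms Charles describes, a fail2ban-style ban of a source IP after N failures in a time window, and a per-account lockout that trips no matter how many IPs the attempts come from, can both be driven from the pam_unix lines Rick quoted. The script below is an added example written for this page; it is not fail2ban's own code and not from the thread. It assumes the quoted `pam_unix(dovecot:auth): authentication failure; ... rhost=` format, plus the `user=<name>` suffix pam_unix appends when the account exists. The sample log is constructed: its first lines reuse the quoted entries for 64.31.19.48, the remaining lines (hosts 192.0.2.x and 198.51.100.7, users alice and bob) are invented to model a focused attack on a single account from changing IPs. Threshold names (`maxretry`, `findtime`) mirror fail2ban's terminology but are just function parameters here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Lines for 64.31.19.48 follow the format quoted in the thread
# (unknown users, one source host). The "user=" lines are constructed to model a
# focused attack on one existing account from several documentation-range hosts.
SAMPLE_LOG = """\
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:47 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:48 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:30:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=alice
Sep 19 01:31:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.11 user=alice
Sep 19 01:32:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.12 user=alice
Sep 19 02:40:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:198.51.100.7 user=bob
"""

# Only the "authentication failure" line carries the remote host; the optional
# "user=" suffix is present when the account exists on the system.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)(?: user=(?P<user>\S+))?"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, user_or_None), one per failure line."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # "check pass" and pam_succeed_if lines carry no rhost
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        rhost = m.group("rhost")
        if rhost.startswith("::ffff:"):
            rhost = rhost[len("::ffff:"):]  # unwrap the IPv4-mapped IPv6 form
        events.append((ts, rhost, m.group("user")))
    return events


def hosts_to_ban(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: a source is banned once it has `maxretry` failures
    within any sliding `findtime` window. Returns {ip: time of the triggering failure}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(events, key=lambda e: e[0]):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def accounts_to_lock(events, max_failures=3, window=timedelta(minutes=15)):
    """Per-account lockout: trips when one existing user accumulates `max_failures`
    failures within `window`, however many source IPs were used. Unknown users
    (the dictionary sweep's noise) have no account to lock and are skipped.
    Returns {user: sorted list of source IPs seen in the triggering window}."""
    recent = defaultdict(deque)
    locked = {}
    for ts, ip, user in sorted(events, key=lambda e: e[0]):
        if user is None or user in locked:
            continue
        hits = recent[user]
        hits.append((ts, ip))
        while ts - hits[0][0] > window:
            hits.popleft()
        if len(hits) >= max_failures:
            locked[user] = sorted({src for _, src in hits})
    return locked


def summarize(log_text):
    """Run both rules over a log and report what each would act on."""
    events = parse_failures(log_text)
    return {
        "failures": len(events),
        "ban": {ip: ts.strftime("%H:%M:%S") for ip, ts in hosts_to_ban(events).items()},
        "lock": accounts_to_lock(events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Against the sample, the host rule catches 64.31.19.48 on its fifth failure, while the account rule ignores that sweep entirely (no account named aaron or abby exists to lock) and instead locks alice after three failures spread over three different hosts, which the host rule never sees as one source. That is exactly the split Charles describes: the IP ban handles the single-source dictionary run, the lockout handles the focused attack from changing IPs, and only strong passwords cover the gap between them.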