Throttling pop3-login connections
Robert Schetterer
rs at sys4.de
Sat Aug 9 06:48:41 UTC 2014
Am 08.08.2014 um 20:11 schrieb Alex:
> Hi,
>
> I have a fedora20 system with dovecot-2.2.13 running various services,
> including pop3. I'm noticing some users are frequently hamming pop3, and
> wondered if this was normal, or something I should be investigating?
>
> Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>,
> method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509,
> session=<DnRtDCIAUQBhTXN5>
> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out
> top=0/0, retr=0/0, del=0/15, size=5693601
>
> So it is immediately followed by a logout, but when there are 50 of them
> successively in a five minute period, I wondered if it is creating
> unnecessary overhead on the system?
>
> I suppose this most likely is how they have their email client configured,
> but wondered if some throttling would be necessary?
>
> Any advice would be most appreciated.
> Thanks,
> Alex
>
depends if this are your users, or if its brute force
pop3 has not much overhead, to fight brute force use fail2ban
or you may have a look here
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
but be aware with NAT by blocking ips
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the dovecot
mailing list