[CentOS] Dovecot under brute force attack - nice attacker
henry ritzlmayr
centos at rc0.at
Tue Jun 2 13:51:23 UTC 2009
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed and reopened the connection
after every user/password combination the logs showed
many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......
The problem:
If the attacker hadn't closed and reopened the connection,
no log would have been generated and he/she would have endless
tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
-> Only the last try gets logged.
Question:
Is there any way to close the connection after the
first wrong user/pass combination, so an attacker would be forced
to reopen it?
Any other ideas?
Henry
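
Added example, not part of the original post and not Dovecot code: a minimal model of a POP3 login phase that records every failed USER/PASS pair and closes the connection after `max_failures` of them, which is the behaviour the post asks for. The class, its parameters and the event format are hypothetical; 192.0.2.10 is a documentation address.

```python
import logging

log = logging.getLogger("pop3-login-demo")

class Pop3AuthSession:
    """Login phase of one POP3 connection (hypothetical model, not Dovecot)."""
    def __init__(self, remote_ip, check_password, max_failures=1):
        self.remote_ip = remote_ip
        self.check_password = check_password  # callable(user, password) -> bool
        self.max_failures = max_failures
        self.failures, self.user = 0, None
        self.closed = self.authenticated = False
        self.events = []  # one entry per failed attempt, not per connection

    def handle(self, line):
        """Process one client line and return the server reply."""
        if self.closed:
            raise ConnectionError("connection already closed")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        if self.authenticated:
            return "-ERR only the login phase is modelled"
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb != "PASS" or self.user is None:
            return "-ERR unexpected command"
        user, self.user = self.user, None  # a PASS consumes the pending USER
        if self.check_password(user, arg):
            self.authenticated = True
            return "+OK logged in"
        self.failures += 1
        event = (self.remote_ip, user, self.failures)
        self.events.append(event)  # recorded at failure time, not at disconnect
        log.warning("auth failed: rip=%s user=<%s> attempt=%d", *event)
        if self.failures >= self.max_failures:
            self.closed = True  # client must reconnect, so per-connection limits apply
            return "-ERR too many failed logins, closing connection"
        return "-ERR authentication failed"

def replay(session, lines):
    """Feed client lines until the server closes; return the replies."""
    replies = []
    for line in lines:
        if session.closed:
            break
        replies.append(session.handle(line))
    return replies
```

Replaying the telnet session from the post with `max_failures=1` ends the connection at `pass test1`; with a higher limit both failures still produce their own event instead of one line at disconnect.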