[CentOS] Dovecot under brute force attack - nice attacker
Henry Ritzlmayr
fedora-list at rc0.at
Thu Jun 4 06:25:19 UTC 2009
On Tuesday, 02.06.2009, at 14:13 -0700, Scott Silva wrote:
> on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> > Hi List,
> >
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior.
> >
> > The short story:
> > On one of our servers an attacker did a brute force
> > attack on dovecot (pop3).
> > Since the attacker closed and reopened the connection
> > after every user/password combination the logs showed
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> >
> > The problem:
> > If the attacker hadn't closed and reopened the connection,
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
> >
> > Question:
> > Is there any way to close the connection after the
> > first wrong user/pass combination, so an attacker would be forced
> > to reopen it?
> >
> > Any other ideas?
> > Henry
> Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
> chance?
No, dovecot-1.0.7-2.el5 is running here.
On the next weekend the update to 5.3 is in the queue for this machine.
Henry
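
The behaviour asked for in the question (log every failed USER/PASS pair and close the connection once a failure limit is reached), modelled as a per-connection pre-login state machine. This is an added example, not part of the original thread and not Dovecot's code; the class name, the `check_password` backend, the log line format and the `max_failures` policy are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Pop3AuthSession:
    """Pre-login state for one TCP connection (hypothetical class, not Dovecot's)."""
    remote_ip: str
    check_password: Callable[[str, str], bool]  # assumed auth backend
    max_failures: int = 1                       # assumed policy: drop on first failure
    failures: int = 0
    closed: bool = False
    pending_user: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        if verb == "USER":
            self.pending_user = arg
            return "+OK"
        if verb != "PASS":
            return "-ERR unknown command"
        user, self.pending_user = self.pending_user, None
        if user is None:
            return "-ERR send USER first"
        if self.check_password(user, arg):
            return "+OK logged in"
        # Log each failed pair when it fails, so log watchers see every guess.
        self.failures += 1
        self.log.append(f"auth failed: user=<{user}>, ip={self.remote_ip}, "
                        f"attempt={self.failures}")
        if self.failures >= self.max_failures:
            self.closed = True
            return "-ERR authentication failed, closing connection"
        return "-ERR authentication failed"

def replay(session: Pop3AuthSession, lines: List[str]) -> List[str]:
    """Feed client lines until the server closes; return the replies sent."""
    replies = []
    for line in lines:
        if session.closed:
            break
        replies.append(session.handle(line))
    return replies

TRANSCRIPT = ["user test", "pass test1", "user test", "pass test2", "QUIT"]  # from the post
```

With `max_failures=1` the transcript from the post ends after the first wrong password and produces one log line per guess, which is what a per-IP rate limit or log watcher needs to see.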