On Tuesday, 02.06.2009, at 14:13 -0700, Scott Silva wrote:
on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
Hi List,
optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.
The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination, the logs showed many lines like this:
    dovecot: pop3-login: Aborted login: user=<test>,......
The problem: If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:
    telnet dovecot-server pop3
    user test
    pass test1
    user test
    pass test2
    ...
    QUIT
-> Only the last try gets logged.
Question: Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?
Any other ideas?
Henry
Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any chance?
No, dovecot-1.0.7-2.el5 is running here. On the next weekend the update to 5.3 is in the queue for this machine.
Henry
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
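The detection gap described in the thread, as an added example that is not part of the original messages: a log-based counter over constructed dovecot lines, which sums per-connection attempt counts when the log line carries them. The fields after `user=<...>` (`method=`, `rip=`, `lip=`) and the `(auth failed, N attempts)` suffix are assumptions about the log format, and `flag_sources` is a hypothetical helper name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Everything after user=<...> (method=, rip=, lip=) and the
# "(auth failed, N attempts)" suffix are assumptions, not taken from the post.
SAMPLE_LOG = """\
Jun  2 05:40:01 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:40:04 mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:40:09 mail dovecot: pop3-login: Aborted login: user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:41:30 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5
Jun  2 05:42:10 mail dovecot: pop3-login: Aborted login (auth failed, 8 attempts): user=<test>, method=PLAIN, rip=192.0.2.30, lip=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?:Aborted login|Disconnected)(?: \(auth failed, (?P<n>\d+) attempts[^)]*\))?"
    r": user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
)

def flag_sources(log_text, threshold=5, window=timedelta(minutes=10), year=2009):
    """Return {rip: attempts} for sources reaching `threshold` failures within `window`."""
    recent = defaultdict(deque)   # rip -> deque of (timestamp, attempts on that line)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; collapse the padded day ("Jun  2")
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # Without an attempt count, one log line can only be counted as one try,
        # however many user/pass pairs were sent on that connection.
        attempts = int(m["n"]) if m["n"] else 1
        q = recent[m["rip"]]
        q.append((ts, attempts))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries older than the window
        total = sum(n for _, n in q)
        if total >= threshold:
            flagged[m["rip"]] = max(total, flagged.get(m["rip"], 0))
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG, threshold=3))
```

With `threshold=3`, 192.0.2.10 (reconnecting after each try) and 192.0.2.30 (one connection, count logged) are flagged, while 192.0.2.20 stays below the threshold because its single line carries no attempt count.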