on 11-21-2008 11:53 AM Scott Silva spake the following:
on 11-20-2008 5:31 PM Kai Schaetzl spake the following:
Scott Silva wrote on Thu, 20 Nov 2008 16:03:04 -0800:
CentOS 4 comes with a very OLD version of dovecot. If you are using dovecot, you can get a much newer version at atrpms.net. The upgrade might be all you need to fix it.
The dovecot in CentOS 5 exhibits the same problem when hammered by dictionary attacks. Is the atrpms version newer?
Kai
You can get 1.0.15 which is the recent stable for the 1.0 series, and you can get 1.1.16 which has many new improvements over 1.0, and is the current stable branch. I think the 1.1 branch has some changes to the auth code that might help. Read the dovecot wiki for the steps you need to follow to upgrade, especially if you want to go back.
I really recommend you at least go to the 1.0 branch instead of the 0.99 beta in CentOS 4. The indexing improvements alone are worth it.
Another option is something like fail2ban, and have it drop the connections and add a firewall rule when you get too many bad attempts on that port. Fail2ban can read the logs and act for you before it gets too bad.