Hi List,
optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.
The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this: dovecot: pop3-login: Aborted login: user=<test>,......
The problem: If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
->Only the last try gets logged.
Question: Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?
Any other ideas?
Henry
Henry ritzlmayr wrote on Tue, 02 Jun 2009 14:51:23 +0200:
> ->Only the last try gets logged.
Can't reproduce this. The following was done in one connection to localhost.
Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun 2 17:09:10 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo
Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun 2 17:09:30 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo2
Kai
On Tuesday, 02.06.2009, 17:31 +0200, Kai Schaetzl wrote:
> Henry ritzlmayr wrote on Tue, 02 Jun 2009 14:51:23 +0200:
> > ->Only the last try gets logged.
> Can't reproduce this. The following was done in one connection to localhost.
> Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
> Jun 2 17:09:10 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo
> Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
> Jun 2 17:09:30 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo2
> Kai
Hi Kai,
the logs you are referring to are only produced if you enable
auth_verbose = yes
right?
Which (when I read the docs correctly) should only be used for figuring out why authentication isn't working.
If you disable auth_verbose those logs should be gone, and only the last try gets logged as I stated.
Henry
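The thread's point, in code: an added example (not from the thread, the CentOS list, or the Dovecot project) of a small fail2ban-style log counter run over constructed sample lines. The line formats are assumptions modelled on the fragments quoted above: the `pop3-login: Aborted login: ... rip=` form Henry mentions, and the `pam_unix(dovecot:auth): authentication failure ... rhost=` form Kai posted. The third sample line carries an `(auth failed, N attempts)` count; that is the per-connection counter later Dovecot versions add to the same message, also an assumption about format. Counting one event per line (what a plain log-line filter does) credits a connection that held 25 attempts with a single failure, while weighting by the attempt count, where the server provides it, restores the real number.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the thread's servers). Hosts,
# addresses and users are made up; 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
Jun  2 14:40:01 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 14:40:03 mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 14:41:00 mail dovecot: pop3-login: Aborted login (auth failed, 25 attempts): user=<test>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5
Jun  2 14:42:00 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5
Jun  2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
"""

# "Aborted login" line; the "(auth failed, N attempts ...)" part is optional
# because the 1.0.x logs in the thread do not carry it (assumed format).
ABORTED_RE = re.compile(
    r"pop3-login: Aborted login"
    r"(?: \(auth failed, (?P<n>\d+) attempts[^)]*\))?"
    r": .*?\brip=(?P<ip>[^,\s]+)"
)

# PAM failure line as posted by Kai; the client address sits in rhost=.
PAM_RE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure; .*\brhost=(?P<ip>\S+)"
)


def normalize_ip(raw):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so that both
    log forms count against the same client."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_failure(line):
    """Return (client_ip, attempts) for a failed-login line, else None.

    Successful logins and unrelated lines yield None."""
    m = ABORTED_RE.search(line)
    if m:
        attempts = int(m.group("n")) if m.group("n") else 1
        return normalize_ip(m.group("ip")), attempts
    m = PAM_RE.search(line)
    if m:
        return normalize_ip(m.group("ip")), 1
    return None


def count_failures(lines, weighted=True):
    """Failures per client IP.

    weighted=False counts one event per log line, which is what a line-based
    filter sees; weighted=True adds the per-connection attempt count where
    the server logged one."""
    counts = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ip, attempts = parsed
        counts[ip] += attempts if weighted else 1
    return counts


def offenders(counts, threshold):
    """Client IPs at or above the failure threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_line = count_failures(lines, weighted=False)
    per_attempt = count_failures(lines, weighted=True)
    print("one event per line :", dict(per_line))
    print("weighted by attempts:", dict(per_attempt))
    print("blocked at threshold 5, per line    :", offenders(per_line, 5))
    print("blocked at threshold 5, per attempt :", offenders(per_attempt, 5))
```

With the threshold set to 5, the per-line count blocks nobody, because the client that made 25 attempts in one connection produced one line; the weighted count blocks it. On a server that only ever writes the last attempt of a connection, as Henry describes for his 1.0.7 setup, there is no count to weight by, which is exactly the gap the thread is about.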
Henry Ritzlmayr wrote on Thu, 04 Jun 2009 08:21:04 +0200:
> the logs you are referring to are only produced if you enable
> auth_verbose = yes
> right?
That's possible, I didn't check. In that case, if I recall right, I added that directive because I was missing the IP numbers in some log lines.
> Which (when I read the docs correctly) should only be used for figuring out why authentication isn't working.
And that's maybe why they log only the last occurrence. Nice hole :-)
> If you disable auth_verbose those logs should be gone, and only the last try gets logged as I stated.
I won't test that, but I can believe that. I suggest you take this issue over to the dovecot mailing list, it's not CentOS-specific.
Kai
On Thursday, 04.06.2009, 10:31 +0200, Kai Schaetzl wrote:
> Henry Ritzlmayr wrote on Thu, 04 Jun 2009 08:21:04 +0200:
> > the logs you are referring to are only produced if you enable
> > auth_verbose = yes
> > right?
> That's possible, I didn't check. In that case, if I recall right, I added that directive because I was missing the IP numbers in some log lines.
> > Which (when I read the docs correctly) should only be used for figuring out why authentication isn't working.
> And that's maybe why they log only the last occurrence. Nice hole :-)
> > If you disable auth_verbose those logs should be gone, and only the last try gets logged as I stated.
> I won't test that, but I can believe that. I suggest you take this issue over to the dovecot mailing list, it's not CentOS-specific.
> Kai
It's on the dovecot mailing list now.
Thanks,
Henry
on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> Hi List,
> optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.
> The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this: dovecot: pop3-login: Aborted login: user=<test>,......
> The problem: If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
> Question: Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?
> Any other ideas?
> Henry
Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any chance?
On Tuesday, 02.06.2009, 14:13 -0700, Scott Silva wrote:
> on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> > Hi List,
> > optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.
> > The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this: dovecot: pop3-login: Aborted login: user=<test>,......
> > The problem: If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
> > Question: Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?
> > Any other ideas?
> > Henry
> Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any chance?
No, dovecot-1.0.7-2.el5 is running here. Next weekend the update to 5.3 is in the queue for this machine.
Henry
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos