On Tue, Dec 09, 2008, James Pifer wrote: >I was looking at my maillog and it looks like someone is trying to get >into my pop3 server. > >Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 >Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 >Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 >Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 >Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2 > >How worried should I bee about this? Any suggestions for dealing with >it? If your users all have good passwords, it isn't much to worry about, but then users having good passwords is not all that common. Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities thus gaining access to the system. Setting all users shells to /bin/false where they don't need to have shell access helps towards securing the systems, although this may not be sufficient (I saw a system where /bin/false had been replaced with /bin/bash). You should also notify abuse at covad.com about these attempts from their network sending them the log entries with the your local time zone so they may be able to figure out which of there users was doing this. Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 If you want government to intervene domestically, you're a liberal. If you want government to intervene overseas, you're a conservative. If you want government to intervene everywhere, you're a moderate. If you don't want government to intervene anywhere, you're an extremist -- Joseph Sobran