Bill Campbell wrote:
> On Tue, Dec 09, 2008, James Pifer wrote:
>> I was looking at my maillog and it looks like someone is trying to get
>> into my pop3 server.
>>
>> Dec 9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec 9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec 9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec 9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec 9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>>
>> How worried should I be about this? Any suggestions for dealing with
>> it?
>
> If your users all have good passwords, it isn't much to worry about, but
> then users having good passwords is not all that common.
>
> Once the cracker finds an account with a guessable password, they may well
> be able to get access to your system as that user via ssh, webmin, usermin,
> or other means. Given shell access, the cracker can install user-level IRC
> servers or gain root access via exploits that only work for local users. I
> have seen cases where crackers were able to change user shells and other
> information via usermin or webmin by exploiting vulnerabilities in system
> utilities thus gaining access to the system.
>

I saw a similar thing attacking smtp-auth (SASL) recently. The moral being that any service that authenticates with a username/password is open to brute forcing attacks - it's not just ssh we need worry about.