[CentOS] Dovecot under brute force attack - nice attacker
henry ritzlmayr
centos at rc0.at
Tue Jun 2 12:51:23 UTC 2009
Hi List,

optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.

The short story:
On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination, the logs showed many lines like this:

    dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker hadn't closed and reopened the connection, no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:

    telnet dovecot-server pop3
    user test
    pass test1
    user test
    pass test2
    ...
    QUIT

-> Only the last try gets logged.

Question:
Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?

Any other ideas?

Henry
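Added example, not part of the original message and not Dovecot's code: a toy model of the POP3 login session described above, comparing unlimited tries per connection with a disconnect after the first failure, to show how many log lines a fail2ban-style counter would get to see. The account, the peer address, the `max_failures` and `log_each_failure` knobs and the log text after `user=<...>` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

VALID = {"alice": "correct-horse"}  # constructed account for the demo

@dataclass
class LoginSession:
    peer: str
    log: List[str]
    max_failures: Optional[int] = None  # None: unlimited tries per connection
    log_each_failure: bool = False
    user: Optional[str] = None
    failures: int = 0
    authenticated: bool = False
    closed: bool = False

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            if self.user is not None and VALID.get(self.user) == arg:
                self.authenticated = True
                return "+OK Logged in."
            self.failures += 1
            if self.log_each_failure:
                self.log.append(f"auth failed: user=<{self.user}>, rip={self.peer}")
            if self.max_failures is not None and self.failures >= self.max_failures:
                self.close()  # force the client to reconnect for the next guess
            return "-ERR Authentication failed."
        if cmd == "QUIT":
            self.close()
            return "+OK Bye"
        return "-ERR Unknown command."

    def close(self) -> None:
        # Behaviour described in the post: one line per connection, last user only.
        if not self.closed and not self.authenticated and not self.log_each_failure:
            self.log.append(f"Aborted login: user=<{self.user}>, rip={self.peer}")
        self.closed = True

def replay(guesses, **policy):
    """Feed (user, password) guesses to sessions; return (log, connections)."""
    log, conns, s = [], 0, None
    for user, pw in guesses:
        if s is None or s.closed:
            s, conns = LoginSession("192.0.2.10", log, **policy), conns + 1
        s.handle(f"USER {user}")
        s.handle(f"PASS {pw}")
    if s is not None and not s.closed:
        s.handle("QUIT")
    return log, conns
```

With the default policy, five guesses in one connection leave a single log line; with `max_failures=1` each guess costs a new connection, which is what connection-rate limits and log-based bans need in order to trigger.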