[CentOS] Dovecot under brute force attack - nice attacker
Scott Silva
ssilva at sgvwater.com
Tue Jun 2 21:13:06 UTC 2009
on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> Hi List,
>
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior.
>
> The short story:
> On one of our servers an attacker did a brute force
> attack on dovecot (pop3).
> Since the attacker closed and reopened the connection
> after every user/password combination the logs showed
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
>
> Question:
> Is there any way to close the connection after the
> first wrong user/pass combination, so an attacker would be forced
> to reopen it?
>
> Any other ideas?
> Henry
Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
chance?
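The behaviour asked for in the quoted question (log every failed attempt and drop the connection after the first wrong user/pass), as an added example that is not part of the original thread and not Dovecot's code. The class name, the `max_failures` parameter, the log line format, the credentials and the 192.0.2.10 address are all constructed for illustration.

```python
import hmac

class Pop3AuthSession:
    """Model of one POP3 connection in the AUTHORIZATION state (hypothetical, not Dovecot)."""

    def __init__(self, credentials, remote_ip, max_failures=1):
        self.credentials = credentials    # {user: password}, constructed test data
        self.remote_ip = remote_ip
        self.max_failures = max_failures  # 1 = close after the first wrong password
        self.failures = 0
        self.pending_user = None
        self.closed = False
        self.authenticated = False
        self.log = []                     # one record per failed attempt, not per connection

    def handle(self, line):
        """Process one client line; return the server reply, or None once closed."""
        if self.closed:
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        if verb == "USER":
            self.pending_user = arg
            return "+OK"
        if verb == "PASS" and self.pending_user is not None:
            user, self.pending_user = self.pending_user, None
            expected = self.credentials.get(user)
            if expected is not None and hmac.compare_digest(expected.encode(), arg.encode()):
                self.authenticated = True
                return "+OK logged in"
            return self._fail(user)
        return "-ERR unknown command"

    def _fail(self, user):
        # Log at the moment of failure so rate limiters see every guess.
        self.failures += 1
        self.log.append(f"pop3-login: failed auth: user=<{user}>, "
                        f"rip={self.remote_ip}, attempt={self.failures}")
        if self.failures >= self.max_failures:
            self.closed = True
            return "-ERR too many failures, closing connection"
        return "-ERR authentication failed"

def replay(lines, **kwargs):
    """Feed a client transcript to a fresh session; return (session, replies)."""
    session = Pop3AuthSession({"test": "correct-horse"}, "192.0.2.10", **kwargs)
    return session, [session.handle(line) for line in lines]
```

Replaying the transcript from the quoted message with the default `max_failures=1` closes the connection at `pass test1`; with a higher limit, each wrong password still produces its own log record for tools such as fail2ban to count.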