[CentOS] Dovecot under brute force attack - nice attacker

Tue Jun 2 12:51:23 UTC 2009
henry ritzlmayr <centos at rc0.at>

Hi List, 

optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior. 

The short story:
On one of our servers an attacker did a brute force 
attack on dovecot (pop3). 
Since the attacker closed and reopened the connection 
after every user/password combination the logs showed 
many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker wouldn't have closed and reopened the connection
no log would have been generated and he/she would have endless 
tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
->Only the last try gets logged.

Question: 
Is there any way to close the connection after the 
first wrong user/pass combination. So an attacker would be forced 
to reopen it?

Any other Ideas?
Henry