[CentOS] Dovecot under brute force attack - nice attacker

Thu Jun 4 06:25:19 UTC 2009
Henry Ritzlmayr <fedora-list at rc0.at>

On Tuesday, 02.06.2009, 14:13 -0700, Scott Silva wrote:
> on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> > Hi List, 
> > 
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior. 
> > 
> > The short story:
> > On one of our servers an attacker did a brute force 
> > attack on dovecot (pop3). 
> > Since the attacker closed and reopened the connection 
> > after every user/password combination the logs showed 
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> > 
> > The problem:
> > If the attacker wouldn't have closed and reopened the connection
> > no log would have been generated and he/she would have endless 
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> > 
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
> > 
> > Question:
> > Is there any way to close the connection after the
> > first wrong user/pass combination, so an attacker would be forced
> > to reopen it?
> > 
> > Any other ideas?
> > Henry
> Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
> chance?

No, dovecot-1.0.7-2.el5 is running here.
On the next weekend the update to 5.3 is in the queue for this machine. 

Henry

> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
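The logging gap Henry describes is easiest to see against the log itself: fail2ban-style counting only works on the "Aborted login" lines, and Dovecot writes one of those per connection, not per USER/PASS pair. The script below is an added example, not code from the thread; it parses constructed Dovecot 1.x syslog lines (the rip= field and the addresses are made up) and picks out source IPs that exceed a threshold, exactly the signal that vanishes when a client keeps a single connection open.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Dovecot 1.x syslog format discussed in the thread.
# 192.0.2.10 reopens the connection per guess, so every guess leaves an
# "Aborted login" line; 203.0.113.9 fails once; 203.0.113.7 logs in fine.
SAMPLE_LOG = """\
Jun  2 05:51:01 mx dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:51:02 mx dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:51:02 mx dovecot: pop3-login: Aborted login: user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Jun  2 05:51:03 mx dovecot: pop3-login: Login: user=<henry>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Jun  2 05:51:04 mx dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5
Jun  2 05:51:05 mx dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
"""

# Match the username and the remote IP (rip=) of each aborted pop3 login.
ABORTED_RE = re.compile(
    r"dovecot: pop3-login: Aborted login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def aborted_logins_by_ip(log_text):
    """Return {rip: [usernames tried]} for every 'Aborted login' line.

    Caveat from the thread: Dovecot emits this line once per connection that
    ends without a successful login, not once per USER/PASS pair, so a client
    that keeps one connection open for many guesses appears here at most once.
    """
    tried = defaultdict(list)
    for line in log_text.splitlines():
        m = ABORTED_RE.search(line)
        if m:
            tried[m.group("rip")].append(m.group("user"))
    return dict(tried)


def offending_ips(log_text, threshold=3):
    """IPs with at least `threshold` aborted logins, as a fail2ban-style
    filter over the same log would select them."""
    counts = Counter({ip: len(u) for ip, u in aborted_logins_by_ip(log_text).items()})
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, users in aborted_logins_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} aborted login(s), users tried: {sorted(set(users))}")
    print("would be blocked:", offending_ips(SAMPLE_LOG))
```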