on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> Hi List,
>
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior.
>
> The short story:
> On one of our servers an attacker did a brute force
> attack on dovecot (pop3).
> Since the attacker closed and reopened the connection
> after every user/password combination the logs showed
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
>
> Question:
> Is there any way to close the connection after the
> first wrong user/pass combination. So an attacker would be forced
> to reopen it?
>
> Any other Ideas?
> Henry

Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any chance?