On Tuesday, 02.06.2009, at 14:13 -0700, Scott Silva wrote:
> on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> > Hi List,
> >
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior.
> >
> > The short story:
> > On one of our servers an attacker did a brute force
> > attack on dovecot (pop3).
> > Since the attacker closed and reopened the connection
> > after every user/password combination the logs showed
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> >
> > The problem:
> > If the attacker wouldn't have closed and reopened the connection
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
> >
> > Question:
> > Is there any way to close the connection after the
> > first wrong user/pass combination. So an attacker would be forced
> > to reopen it?
> >
> > Any other Ideas?
> > Henry
> Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
> chance?

No, dovecot-1.0.7-2.el5 is running here. On the next weekend
the update to 5.3 is in the queue for this machine.

Henry
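The behaviour asked about in this thread, as an added sketch that is not part of the original message and is not Dovecot code: a per-connection POP3 login handler that writes one log line for every failed PASS and closes the connection once a failure limit is reached. The class name, the `check_password` callback, the `max_failures` parameter and the log format are all assumptions made for illustration.

```python
import logging

log = logging.getLogger("pop3-login")

class Pop3LoginSession:
    """Pre-auth POP3 state for ONE TCP connection (hypothetical model, not Dovecot code)."""

    def __init__(self, peer_ip, check_password, max_failures=1):
        self.peer_ip = peer_ip
        self.check_password = check_password  # assumed callable(user, password) -> bool
        self.max_failures = max_failures      # 1 = drop the connection on the first bad PASS
        self.failures = 0
        self.user = None
        self.authenticated = False
        self.closed = False

    def handle(self, line):
        """Process one client line and return the server reply."""
        if self.closed:
            raise ConnectionError("connection already closed by server")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            user, self.user = self.user, None  # each PASS needs a fresh USER
            if self.check_password(user, arg):
                self.authenticated = True
                return "+OK Logged in."
            return self._fail(user)
        if verb == "QUIT":
            self.closed = True
            return "+OK Bye"
        return "-ERR Unknown command"

    def _fail(self, user):
        self.failures += 1
        # Log every failed PASS, not only the last one before disconnect, so a
        # log watcher such as fail2ban can count guesses (constructed log format).
        log.warning("auth failed: user=<%s>, ip=%s, attempt=%d",
                    user, self.peer_ip, self.failures)
        if self.failures >= self.max_failures:
            self.closed = True  # attacker must reconnect, which rate limits can see
            return "-ERR Authentication failed, closing connection"
        return "-ERR Authentication failed"
```

With `max_failures=1` the telnet sequence from the report ends after `pass test1`, and each further guess costs a new connection that iptables/hashlimit can rate-limit.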