Dovecot under brute force attack - nice attacker




Hi List, 

optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior. 

The short story:
On one of our servers an attacker did a brute force 
attack on dovecot (pop3). 
Since the attacker closed and reopened the connection 
after every user/password combination the logs showed 
many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker hadn't closed and reopened the connection,
no log would have been generated and he/she would have had endless 
tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
->Only the last try gets logged.

Question: 
Is there any way to close the connection after the 
first wrong user/pass combination, so an attacker would be forced 
to reopen it?

Any other ideas?
Henry

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
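
The behaviour described in the message above, as an added example that is not part of the original post and is not Dovecot code: a small Python model of a POP3 login handler, run over the session from "How to reproduce", comparing one summary line per connection with per-attempt logging plus a forced disconnect. The credential store, the IP address, the log line layout and the names run_session, max_failures and log_each_failure are assumptions made for the illustration.

```python
import hmac

# Constructed credential store and session (the session mirrors the post).
USERS = {"test": "correct-horse"}
SESSION = ["user test", "pass test1", "user test", "pass test2", "QUIT"]


def run_session(commands, rip, max_failures=1, log_each_failure=True):
    """Handle POP3 USER/PASS/QUIT for one connection.

    Returns (events, outcome, failures). events are the log lines the model
    emits (layout is constructed, not Dovecot's). outcome is 'authenticated',
    'disconnected' (server closed the connection) or 'aborted' (client left).
    max_failures=0 means the server never closes the connection itself.
    """
    events, user, failures = [], None, 0
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            expected = USERS.get(user)
            # Constant-time comparison so timing does not leak the password.
            if expected is not None and hmac.compare_digest(
                    expected.encode(), arg.encode()):
                events.append(f"Login: user=<{user}>, rip={rip}")
                return events, "authenticated", failures
            failures += 1
            if log_each_failure:
                # One line per attempt gives fail2ban or a rate limiter
                # something to count even when the connection stays open.
                events.append(
                    f"Auth failed: user=<{user}>, rip={rip}, attempt={failures}")
            if max_failures and failures >= max_failures:
                # Force a reconnect so per-connection limits apply again.
                events.append(f"Disconnected: user=<{user}>, rip={rip}")
                return events, "disconnected", failures
        elif verb == "QUIT":
            break
    # Client left without logging in: a single summary line, which is all
    # the behaviour described in the post produces.
    events.append(f"Aborted login: user=<{user}>, rip={rip}")
    return events, "aborted", failures


if __name__ == "__main__":
    for kwargs in ({"max_failures": 0, "log_each_failure": False}, {}):
        print(kwargs, run_session(SESSION, "192.0.2.10", **kwargs))
```
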
