Re: Dovecot under brute force attack - nice attacker




on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> Hi List, 
> 
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior. 
> 
> The short story:
> On one of our servers an attacker did a brute force 
> attack on dovecot (pop3). 
> Since the attacker closed and reopened the connection 
> after every user/password combination the logs showed 
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
> 
> The problem:
> If the attacker hadn't closed and reopened the connection,
> no log would have been generated and he/she would have had endless 
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> 
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
> 
> Question: 
> Is there any way to close the connection after the 
> first wrong user/pass combination, so an attacker would be forced 
> to reopen it?
> 
> Any other ideas?
> Henry
Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
chance?
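
The behaviour asked for in the quoted question (log every failed USER/PASS pair as it happens and close the connection once a failure limit is reached), as an added example that is not part of the original thread and is not Dovecot code. The `LoginSession` class, the `replay` helper, the log message format and the test credentials are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class LoginSession:
    """Pre-auth state for one POP3 connection (hypothetical model, not Dovecot code)."""
    check: Callable[[str, str], bool]   # credential verifier supplied by the caller
    max_failures: int = 1               # assumption: drop after the first bad try
    user: Optional[str] = None
    failures: int = 0
    closed: bool = False
    authenticated: bool = False
    log: List[str] = field(default_factory=list)

    def feed(self, line: str) -> str:
        """Handle one client line; return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb != "PASS" or self.user is None:
            return "-ERR expected USER then PASS"
        user, self.user = self.user, None
        if self.check(user, arg):
            self.authenticated = True
            self.log.append(f"login ok user=<{user}>")
            return "+OK logged in"
        # Log each failure when it happens, not once when the connection ends.
        self.failures += 1
        self.log.append(f"auth failed user=<{user}> attempt={self.failures}")
        if self.failures >= self.max_failures:
            self.closed = True          # forces a reconnect that rate limits can see
            return "-ERR too many failures, closing connection"
        return "-ERR authentication failed"

# Constructed input: the telnet session from the post, one client line per entry.
TRANSCRIPT = ["user test", "pass test1", "user test", "pass test2", "QUIT"]

def replay(lines, max_failures):
    """Feed lines until the server closes; return (session, lines handled)."""
    s = LoginSession(check=lambda u, p: (u, p) == ("test", "constructed-secret"),
                     max_failures=max_failures)
    handled = 0
    for line in lines:
        if s.closed:
            break
        s.feed(line)
        handled += 1
    return s, handled
```

With `max_failures=1` the session ends after the first wrong password, so every further guess needs a new connection that connection-rate limits and log-based blockers can count.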



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
