[Dovecot] Under POP attack - how to prevent?
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Any suggestions on how to prevent this?
Using Dovecot 1.2RC4
Thanks,
James.
On Friday, 05.06.2009 at 12:04 +1000, James Brown wrote:
Since the attacker is playing nice you could also limit the maximum connection attempts to the pop3 port in a given timeframe. And if that limit is reached block the ip for a certain amount of time. If you firewall with netfilter, hashlimit is your friend.
What is interesting to me is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.
Henry
On Friday, 05.06.2009 at 02:26 -0400, Timo Sirainen wrote:
OK, if that's so please really consider the possibility to disconnect a user if he/she provides the wrong credentials. Otherwise we would have to deal with two kinds of attackers in two places. The ones which don't disconnect themselves would have to be handled by dovecot (growing delay) and the ones which disconnect would have to be handled by firewall/fail2ban etc. I personally prefer (I'm sure you figured that already) a centralized approach on the firewall.
Have a nice trip to frisco Henry
- James Brown <jlbrown@bordo.com.au>:
Looks like we are under a dictionary login attack on our POP server: ...
Any suggestions on how to prevent this?
apt-get install fail2ban
-- Ralf Hildebrandt Postfix - setup, operation and maintenance Tel. +49 (0)30-450 570-155 http://www.computerbeschimpfung.de May's Law: The quality of correlation is inversely proportional to the density of control. (The fewer data points, the smoother the curves.)
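An added example, not from this thread and not Dovecot's or fail2ban's own code: a small Python detector over the pop3-login failure lines posted above that does on the detection side what Henry's hashlimit rule and Ralf's fail2ban suggestion do (count auth failures per source IP in a sliding window and flag the IP once a threshold is hit), and that also measures the gaps between consecutive attempts from one IP, which is how you would check for the growing per-failure delay Henry says should be present in v1.2+. The threshold and window, the year 2009 supplied for the year-less syslog timestamps, and the condensed sample lines are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot 1.x pop3-login auth-failure line, in the form shown in the thread
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot\[\d+\]: "
    r"pop3-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[\d.]+), lip=\S+$"
)

def parse_failures(lines, year=2009):
    """Yield (timestamp, user, rip) per failure line; syslog has no year,
    so one is supplied (assumed 2009, the date of the thread)."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def offenders(lines, max_failures=5, window_seconds=60):
    """Sliding window per source IP: return {rip: time the limit was first
    reached}. Thresholds are assumed values, tune them for your site."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, rip in parse_failures(lines):
        q = recent[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts older than the window
        if len(q) >= max_failures and rip not in flagged:
            flagged[rip] = ts
    return flagged

def failure_gaps(lines, rip):
    """Seconds between consecutive failures from one IP; a working
    growing-delay would show up as increasing gaps, a flat series does not."""
    times = [ts for ts, _u, r in parse_failures(lines) if r == rip]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

# Sample input: the ten failure lines from the thread, condensed to (time, user)
_ATTEMPTS = [("11:48:20", "audrey"), ("11:48:24", "august"), ("11:48:24", "autumn"),
             ("11:48:25", "austin"), ("11:48:27", "audrey"), ("11:48:28", "autumn"),
             ("11:48:30", "august"), ("11:48:31", "autumn"), ("11:48:31", "austin"),
             ("11:48:32", "atlanta")]
SAMPLE_LOG = [
    f"Jun 5 {t} mail dovecot[2620]: pop3-login: Aborted login (auth failed, "
    f"1 attempts): user=<{u}>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9"
    for t, u in _ATTEMPTS
]
if __name__ == "__main__":
    print(offenders(SAMPLE_LOG), failure_gaps(SAMPLE_LOG, "85.189.169.94"))
```

On the thread's lines the IP is flagged at the fifth failure (11:48:27) and the gaps stay at 0 to 4 seconds, which is the flat pattern Henry points out rather than a growing delay.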