On May 19, 2012, at 2:35 PM, Camaleón wrote:

> Is your Dovecot publicly accessible?

Yes.

> I also get login tries in my Cyrus coming from the outside, they're usually
> from automated bots running on zombie windows machines... if that's the case,
> you can apply counter-measures to cut this kind of attack, for instance, by
> installing fail2ban

Done, and it's denying Postfix and auth incidents of interest.

> (also, some routers allow to define rules to block/filter by specific syn/ack
> traffic).

My border router is a Cisco with significant ACLs. But they seem to be all about ICMP/UDP/TCP, IP, and port. I'll look into more specific restrictions. From one of the access lists:

> 30 permit udp any host 209.97.231.219 eq ntp (27611222 matches)

(access to the NTP server, in case you don't speak IOS)

> But being your "rhost" empty... it does not sound good :-(

My sentiment exactly :-)

> You can also take a look at the maillog to check pop3/imap logins, but I don't
> know where Dovecot sends these... "/var/log/mail.log"?

Yes, that's where they go. I just looked, and if I 'egrep -v' my real users and the net monitor, there's nothing of any interest.

> Yes, that's suspicious. You can also run rkhunter to scan your system.

rkhunter. Thanks. I'll see what I can find.

-- 
Glenn English
hand-wrapped from my Apple Mail

Archive: http://lists.debian.org/a8a61686-0fce-4ac9-8629-04a8ffb10...@slsware.com
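The 'egrep -v' pass described in the message, as an added example that is not part of the thread: it strips known users and the monitoring host out of a Dovecot/PAM mail log, then surfaces failures with an empty rhost and tallies failures per remote address. The log lines, user names and addresses are constructed samples in a format approximating pam_unix and Dovecot output; KNOWN_USERS and MONITOR_HOST are assumptions.

```shell
#!/bin/sh
# Assumed real accounts and the address of the network monitor (hypothetical).
KNOWN_USERS='glenn|mailmon'
MONITOR_HOST='192.0.2.50'

# Constructed sample of /var/log/mail.log; addresses are documentation ranges.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 19 14:20:01 mail dovecot: imap-login: Login: user=<glenn>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.2
May 19 14:20:05 mail dovecot: pop3-login: Login: user=<mailmon>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.2
May 19 14:21:13 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7
May 19 14:22:40 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=
May 19 14:23:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.2
EOF

# Dovecot lines left after removing known users and the monitor host:
# the same filter as the poster's 'egrep -v' pass.
unknown_activity() {
    grep -E 'dovecot' "$SAMPLE_LOG" \
      | grep -Ev "user=<($KNOWN_USERS)>|ruser=($KNOWN_USERS) " \
      | grep -Fv "$MONITOR_HOST"
}

# PAM failures where no remote host was recorded at all, which is the
# "empty rhost" case the thread found suspicious.
empty_rhost_failures() {
    unknown_activity | grep -E 'rhost=$'
}

# Failed attempts per remote address (PAM and imap-login formats); an empty
# rhost is reported as "(empty)". This is the tally fail2ban bans from.
failures_by_host() {
    unknown_activity \
      | grep -E 'pam_unix.*authentication failure|auth failed' \
      | sed -n -E 's/.*(rhost=|rip=)([0-9.]*).*/\2/p' \
      | sed 's/^$/(empty)/' \
      | sort | uniq -c | sort -rn
}

echo "== unfamiliar Dovecot activity =="; unknown_activity
echo "== failures with empty rhost =="; empty_rhost_failures
echo "== failures per remote host =="; failures_by_host
```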