On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
> Hi List,
>
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior.
>
> Dovecot Version 1.0.7 (CentOS 5.2)
>
> The short story:
> On one of our servers an attacker did a brute force
> attack on dovecot (pop3).
> Since the attacker closed and reopened the connection
> after every user/password combination the logs showed
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.
>
Verified with 1.1.6 as well, nice catch Henry.
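
A toy model of the logging gap discussed in this thread, added here as an example; it is not Dovecot's code and was not posted by either participant. The names `run_session` and `banned_ips`, the log line format, the three-attempt cap and the sample credentials are assumptions made for illustration.

```python
# Toy model of one POP3 login connection; NOT Dovecot code.
# The log line format below is constructed for this example.
from collections import Counter

MAX_ATTEMPTS = 3  # assumed per-connection cap used by the hardened policy


def run_session(ip, attempts, valid, hardened):
    """Feed USER/PASS pairs into one connection and return the log lines emitted.

    hardened=False models the behaviour reported in the thread: a single
    "Aborted login" line at disconnect, naming only the last user tried.
    hardened=True logs every failure and drops the connection after
    MAX_ATTEMPTS failures.
    """
    log, failures, last_user = [], 0, None
    for user, password in attempts:
        if valid.get(user) == password:
            log.append(f"pop3-login: Login: user=<{user}>, ip={ip}")
            return log
        failures += 1
        last_user = user
        if hardened:
            log.append(f"pop3-login: Auth failed: user=<{user}>, ip={ip}")
            if failures >= MAX_ATTEMPTS:
                log.append(f"pop3-login: Disconnected, too many failures: ip={ip}")
                return log
    if not hardened and last_user is not None:
        log.append(f"pop3-login: Aborted login: user=<{last_user}>, ip={ip}")
    return log


def banned_ips(log, threshold):
    """Count failure lines per source IP the way a log watcher would."""
    counts = Counter(
        line.rsplit("ip=", 1)[1]
        for line in log
        if "Aborted login" in line or "Auth failed" in line
    )
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed input: 50 wrong passwords sent over a single connection.
GUESSES = [("test", f"test{i}") for i in range(1, 51)]
VALID = {"test": "correct-horse"}
LEGACY_LOG = run_session("192.0.2.10", GUESSES, VALID, hardened=False)
HARDENED_LOG = run_session("192.0.2.10", GUESSES, VALID, hardened=True)
```

With the reported behaviour the 50 guesses leave one log line, so a threshold-based watcher never reaches its limit; with per-attempt logging and a connection cap, the same traffic produces enough lines to trigger a ban after the third failure.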