On Thursday, 04.06.2009, at 14:53 +0200, Cédric Laruelle wrote:
> Reproduced on 1.1.14 too and really problematic for me

Curious question: Why is it so problematic for you? As stated in my
original post, you only have to set auth_verbose to yes to get it logged.
With that you can always block the attacker with a little script
(fail2ban,..).

Henry

> -----Original Message-----
> From: dovecot-bounces+laruellec=aiderdonner....@dovecot.org
> [mailto:dovecot-bounces+laruellec=aiderdonner....@dovecot.org] On behalf of
> Noel Butler
> Sent: Thursday, 4 June 2009 12:48
> To: henry ritzlmayr
> Cc: dovecot@dovecot.org
> Subject: Re: [Dovecot] Dovecot under brute force attack - nice attacker
>
> On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
>
> > Hi List,
> >
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior.
> >
> > Dovecot Version 1.0.7 (CentOS 5.2)
> >
> > The short story:
> > On one of our servers an attacker did a brute force
> > attack on dovecot (pop3).
> > Since the attacker closed and reopened the connection
> > after every user/password combination the logs showed
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> >
> > The problem:
> > If the attacker hadn't closed and reopened the connection,
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > -> Only the last try gets logged.
> >
> >
>
> Verified with 1.1.6 as well, nice catch Henry.
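
The following is an added example, not part of the original thread and not Dovecot or fail2ban code. It sketches the kind of "little script" mentioned above and shows why per-attempt logging matters: a threshold applied to the per-connection "Aborted login" line never fires for a single connection with many guesses, while the same threshold applied to per-attempt auth lines does. Both log line layouts, the host name, the IP addresses and the year are constructed assumptions; adapt the regexes to your own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: ONE POP3 connection carrying five password guesses.
# Both line layouts are assumptions for illustration, not captured output.
SAMPLE_LOG = """\
Jun  4 12:00:01 mail dovecot: auth(default): passwd-file(test,192.0.2.10): Password mismatch
Jun  4 12:00:02 mail dovecot: auth(default): passwd-file(test,192.0.2.10): Password mismatch
Jun  4 12:00:03 mail dovecot: auth(default): passwd-file(test,192.0.2.10): Password mismatch
Jun  4 12:00:04 mail dovecot: auth(default): passwd-file(test,192.0.2.10): Password mismatch
Jun  4 12:00:05 mail dovecot: auth(default): passwd-file(test,192.0.2.10): Password mismatch
Jun  4 12:00:06 mail dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Jun  4 12:03:00 mail dovecot: auth(default): passwd-file(alice,198.51.100.7): Password mismatch
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) "
IP = r"([0-9a-fA-F.:]+)"
# Per-attempt failure lines (assumed to appear only with auth_verbose = yes).
PER_ATTEMPT = re.compile(
    TS + r".*dovecot: auth\(\w+\): [\w-]+\([^,]*," + IP
    + r"\): (?:Password mismatch|unknown user)")
# Per-connection line written once, when the client disconnects.
PER_CONNECTION = re.compile(
    TS + r".*dovecot: pop3-login: Aborted login: .*\brip=" + IP)

def failures_by_ip(log, pattern, year=2009):
    """Map source IP -> list of failure timestamps (syslog lines carry no year)."""
    hits = {}
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.setdefault(m.group(2), []).append(when)
    return hits

def offenders(log, pattern, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`-long span."""
    flagged = set()
    for ip, times in failures_by_ip(log, pattern).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print("per-connection lines flag:", offenders(SAMPLE_LOG, PER_CONNECTION))
    print("per-attempt lines flag:   ", offenders(SAMPLE_LOG, PER_ATTEMPT))
```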