On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> ->Only the last try gets logged.

I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs
every failed attempt:

Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1

So, fail2ban will block based on the pam log.

--
Mark Sapiro mark at msapiro net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
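
Added example, not part of the original message and not fail2ban's own code: a sketch of per-host counting over pam_unix failure lines in the format quoted above, showing why several failed tries inside one POP3 session are still countable from the pam log. The year, the threshold defaults and the 192.0.2.10 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pam_unix failure line as written by dovecot-auth (format from the log above).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot-auth:\s+"
    r"pam_unix\(dovecot:auth\):\s+authentication failure;.*?"
    r"\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S+)")

def parse_failure(line, year=2009):
    """Return (timestamp, rhost, ruser) or None. Syslog omits the year (assumed)."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rhost"], m["ruser"]

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """List rhosts that reach maxretry failures within a sliding findtime window."""
    recent = defaultdict(deque)          # rhost -> timestamps of recent failures
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:                  # e.g. "check pass; user unknown" has no rhost
            continue
        ts, rhost, _ruser = hit
        window = recent[rhost]
        window.append(ts)
        while ts - window[0] > findtime: # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and rhost not in banned:
            banned.append(rhost)
    return banned

PFX = "sbh16 dovecot-auth: pam_unix(dovecot:auth): "
FAIL = "authentication failure; logname= uid=0 euid=0 tty=dovecot "
SAMPLE_LOG = [
    # The first three lines are taken from the message above.
    "Jun 4 09:37:40 " + PFX + "check pass; user unknown",
    "Jun 4 09:37:40 " + PFX + FAIL + "ruser=zzz rhost=127.0.0.1",
    "Jun 4 09:38:05 " + PFX + FAIL + "ruser=mmm rhost=127.0.0.1",
    # Constructed: three failed tries from one client (documentation address).
] + [f"Jun 4 09:40:0{s} {PFX}{FAIL}ruser=test rhost=192.0.2.10" for s in (1, 3, 5)]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```
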