On Thursday, 04.06.2009, at 09:51 -0700, Mark Sapiro wrote:
> On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
> >
> > The problem:
> > If the attacker wouldn't have closed and reopened the connection
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > ->Only the last try gets logged.
>
>
> I see the same thing with Dovecot 1.2.rc4 on CentOS 5, but pam logs every
> failed attempt:
>
> Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=127.0.0.1
> Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=127.0.0.1
>
> So, fail2ban will block based on the pam log.

Good to know. We have ldap here, but it certainly would be possible to do the authentication through pam->ldap.

thanks
Henry
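
Added example, not part of the original thread and not fail2ban's own code: a sketch of the per-host counting that a log watcher can do on the pam_unix lines quoted above, which are written for every failed attempt whether or not the POP3 connection is reopened. The log lines are constructed in the quoted format; `hosts_to_ban`, `max_retry` and `find_time` are hypothetical names (the last two modelled on fail2ban's `maxretry` and `findtime` settings), and the year is an assumption because the syslog timestamp carries none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the pam_unix format quoted in the thread.
# 192.0.2.x are documentation addresses; the ruser values are made up.
SAMPLE_LOG = """\
Jun 4 09:00:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=aaa rhost=192.0.2.77
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 4 09:37:40 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=zzz rhost=192.0.2.10
Jun 4 09:38:05 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=mmm rhost=192.0.2.10
Jun 4 09:38:31 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=qqq rhost=192.0.2.10
Jun 4 09:45:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=aaa rhost=192.0.2.77
Jun 4 09:50:00 sbh16 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=aaa rhost=192.0.2.77
"""

# Only the "authentication failure" line carries rhost, so only it is counted.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def hosts_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Return {rhost: time its max_retry-th failure inside find_time was logged}."""
    recent = defaultdict(deque)  # rhost -> failure timestamps still in the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # e.g. the "check pass; user unknown" lines
        # Classic syslog timestamps have no year, so the caller supplies one.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = recent[m["rhost"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            banned.setdefault(m["rhost"], ts)  # keep the first time the limit was hit
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"{host} reached the limit at {when:%H:%M:%S}")
```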