on 6-4-2009 3:48 AM Noel Butler spake the following:
> On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote:
>
>> Hi List,
>>
>> optimizing the configuration on one of our servers (which was
>> hit by a brute force attack on dovecot) showed an odd behavior.
>>
>> Dovecot Version 1.0.7 (CentOS 5.2)
>>
>> The short story:
>> On one of our servers an attacker did a brute force
>> attack on dovecot (pop3).
>> Since the attacker closed and reopened the connection
>> after every user/password combination the logs showed
>> many lines like this:
>> dovecot: pop3-login: Aborted login: user=<test>,......
>>
>> The problem:
>> If the attacker wouldn't have closed and reopened the connection
>> no log would have been generated and he/she would have endless
>> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>>
>> How to reproduce:
>> telnet dovecot-server pop3
>> user test
>> pass test1
>> user test
>> pass test2
>> ...
>> QUIT
>> ->Only the last try gets logged.
>>
>
> Verified with 1.1.6 as well, nice catch Henry.
>

1.1.15 gives me one log entry, but lists the number of failed login attempts;

Jun 4 10:16:56 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1
Jun 4 10:18:10 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1
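
Added example, not part of the thread or of Dovecot: a detection sketch that weights each "Aborted login" line by the attempt count the 1.1.15 format reports, so many guesses on one connection are not counted as a single failure. The function names, the threshold of 5, and the constructed sample lines (including the assumption that the older count-less format carries the same rip= field) are illustrative assumptions.

```python
import re
from collections import Counter

# Matches both line shapes quoted in the thread:
#   older: "pop3-login: Aborted login: user=<test>, ..."
#   newer: "pop3-login: Aborted login (auth failed, 2 attempts): user=<...>, ..."
LINE_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login"
    r"(?: \(auth failed, (?P<n>\d+) attempts\))?"
    r": user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def failed_attempts_by_ip(lines):
    """Sum failed logins per remote IP, using the logged attempt count."""
    totals = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # A line without a count (older format) proves at least one failure;
            # the real number on that connection is unknown.
            totals[m.group("rip")] += int(m.group("n") or 1)
    return totals

def offenders(lines, threshold=5):
    """Remote IPs whose summed failures reach the (assumed) threshold."""
    totals = failed_attempts_by_ip(lines)
    return sorted(ip for ip, n in totals.items() if n >= threshold)

SAMPLE = [
    # The two lines quoted in the message above.
    "Jun 4 10:16:56 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1",
    "Jun 4 10:18:10 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts): "
    "user=<username>, method=PLAIN, rip=192.168.1.19, lip=192.168.0.1",
    # Constructed: one connection carrying many guesses, logged as a single line.
    "Jun 4 10:20:31 mail dovecot: pop3-login: Aborted login (auth failed, 40 attempts): "
    "user=<test>, method=PLAIN, rip=192.0.2.7, lip=192.168.0.1",
    # Constructed: older format without a count (field layout assumed).
    "Jun 4 10:21:02 mail dovecot: pop3-login: Aborted login: "
    "user=<test>, method=PLAIN, rip=192.0.2.8, lip=192.168.0.1",
]

if __name__ == "__main__":
    for ip, n in sorted(failed_attempts_by_ip(SAMPLE).items()):
        print(ip, n)
    print("over threshold:", offenders(SAMPLE))
```

A rule that only counts matching lines would score 192.0.2.7 as one failure here; summing the logged count is what brings the single-connection case over the threshold.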