Am Freitag, den 05.06.2009, 12:04 +1000 schrieb James Brown: > Looks like we are under a dictionary login attack on our POP server: > > Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth > failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, > lip=192.168.1.9
Since the attacker is playing nice you could also limit the maximum connection attempts to the pop3 port in a given timeframe. And if that limit is reached block the ip for a certain amount of time. If you firewall with netfilter, hashlimit is your friend. Interesting for me is that you are on v1.2RC4. Timo wrote yersterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system. Henry
