On 2011-09-19 1:05 PM, Rick Baartman <[email protected]> wrote:
From my secure log:
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
etc. Literally, 30,000 user names attempted.
Dictionary attacks are quite common, nothing new here...
fail2ban is what I use, would have killed this one (since it's from the
same IP) almost immediately...
It doesn't work so well with sophisticated bots that can change IPs at
will, but the secondary method of locking out an account after X number
of failed auth attempts will eliminate the risk of a focused attack on a
single account, so as long as you are using strong passwords, your
system is secure (from these kinds of attacks, at least).
The only attack I haven't figured out how to eliminate is the
social/phishing attack, where $DumbUser gives out their username and
password voluntarily... although I have been considering faking a
phishing attack on my own users, and flagging the ones who fall for it
for training.
--
Best regards,
Charles
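The two countermeasures Charles describes (banning a source address after repeated failures, the way fail2ban does, and locking an account after X failed attempts) can both be driven from the pam_unix / pam_succeed_if lines quoted above. The following Python script is an added example, not code from either poster or from fail2ban; it parses those line formats, keeps a sliding window of failures per source address and per account, and reports which ones crossed a threshold. The thresholds, the ten-minute window, the sample addresses (RFC 5737 documentation ranges) and the sample log are all constructed for the example; the `user=` field on the pam_unix failure line is what PAM emits when the account does exist.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pam_unix failure line. "user=" is present when the account exists and
# absent when PAM could not look the name up (the "user unknown" case).
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure;.*?rhost=(?P<rhost>\S*)"
    r"(?: user=(?P<user>\S+))?"
)
# pam_succeed_if line that names the non-existent account that was tried.
UNKNOWN_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_succeed_if\(dovecot:auth\): error retrieving information about user (?P<user>\S+)"
)


def parse_ts(ts):
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def normalize_ip(rhost):
    # a dual-stack listener logs IPv4 clients as ::ffff:a.b.c.d; strip the
    # prefix so the address can be fed to an IPv4 firewall rule as-is
    return rhost[7:] if rhost.startswith("::ffff:") else rhost


def analyze(lines, ip_threshold=5, user_threshold=3, window=timedelta(minutes=10)):
    """Return (ips_to_ban, users_to_lock, total_failures_per_ip).

    An address is flagged once it has ip_threshold failures inside `window`;
    an account is flagged once it has user_threshold failures inside `window`
    from any address, which is what stops a slow, IP-hopping attack on one user.
    """
    ip_hits = defaultdict(deque)      # ip -> timestamps of recent failures
    user_hits = defaultdict(deque)    # user -> timestamps of recent failures
    failures_per_ip = defaultdict(int)
    ban, lock = set(), set()

    def bump(table, key, ts, threshold, flagged):
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)

    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            ip = normalize_ip(m["rhost"])
            failures_per_ip[ip] += 1
            bump(ip_hits, ip, ts, ip_threshold, ban)
            if m["user"]:                 # failure against an existing account
                bump(user_hits, m["user"], ts, user_threshold, lock)
            continue
        m = UNKNOWN_USER_RE.match(line)
        if m:                             # dictionary walk over unknown names
            bump(user_hits, m["user"], parse_ts(m["ts"]), user_threshold, lock)
    return ban, lock, dict(failures_per_ip)


# Constructed sample log: one host walking a name list (like the thread's
# 30,000-name run), one host hammering a real account, one harmless typo.
SAMPLE_LOG = """\
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:46 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abe
Sep 19 01:16:47 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:47 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abel
Sep 19 01:16:48 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:48 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abigail
Sep 19 01:16:49 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:203.0.113.5
Sep 19 01:16:49 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abner
Sep 19 01:20:01 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:198.51.100.7 user=alice
Sep 19 01:20:03 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:198.51.100.7 user=alice
Sep 19 01:20:05 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:198.51.100.7 user=alice
Sep 19 01:25:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.9 user=bob
"""

if __name__ == "__main__":
    ban, lock, counts = analyze(SAMPLE_LOG.splitlines())
    print("ban:", sorted(ban))      # ['203.0.113.5']
    print("lock:", sorted(lock))    # ['alice']
    print("failures per ip:", counts)
```

On the constructed sample the name-walking host is banned after its fifth failure even though every name it tried is unknown, while the host that stays under the per-IP limit but retries a real account trips the account lockout instead; the single failure from the third address is left alone. Running this against a real `/var/log/secure` is a matter of passing the file's lines to `analyze`; acting on the result (a firewall rule, a PAM lockout) is left to the operator.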