Looks like we are under a dictionary login attack on our POP server:

Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9

Any suggestions on how to prevent this?

Using Dovecot 1.2RC4

Thanks,
James.
James Brown wrote:
> Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=<atlanta>, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9
>
> Any suggestions on how to prevent this?
>
> Using Dovecot 1.2RC4

Route that address to localhost? Works here :)

There are various automated tools, like fail2ban, which can help with this -- if you're using a setup they can hook into.

--
Curtis Maloney
cmaloney at cardgate.net
On Friday, 05.06.2009, 12:04 +1000, James Brown wrote:
> Looks like we are under a dictionary login attack on our POP server:
>
> Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
> failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94,
> lip=192.168.1.9

Since the attacker is playing nice you could also limit the maximum connection attempts to the pop3 port in a given timeframe. And if that limit is reached, block the IP for a certain amount of time. If you firewall with netfilter, hashlimit is your friend.

What I find interesting is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.

Henry
* James Brown <jlbrown at bordo.com.au>:
> Looks like we are under a dictionary login attack on our POP server:
...
> Any suggestions on how to prevent this?

apt-get install fail2ban

--
Ralf Hildebrandt
Postfix - setup, operation and maintenance
Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
May's Law: The quality of correlation is inversely proportional to the density of control. (The fewer data points, the smoother the curves.)
On 05/06/2009, at 4:19 PM, James Brown wrote:
>
> Thanks to Curtis and others who replied.
>
> I managed to block the IP at our Firewall (learnt a few quirky
> things about Astaro Security Gateway on the way!)
>
> In order to automate the process, Fail2Ban has been suggested. I
> know this is getting a bit off topic, but has anyone installed it on
> Mac OS X 10.5.7? There is a how-to for 10.4 ( HOWTO Mac OS X Server
> (10.4) - Fail2ban ) - does this work unchanged in 10.5?
>
> Anyone managed to get Fail2Ban working on Leopard with Dovecot 1.2
> RC4?

I'll answer my own question! There is an OS X Installer file at:

LSA Mac OS X Ported and Developed Software | LSA Information Technology | University of Michigan

Any regex experts out there that can help me set up Fail2Ban to stop this?

Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:28 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:30 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:31 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9

Many thanks,
James.
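An added example (mine, not code from the thread or from the Dovecot or fail2ban projects) for the regex question above: a Python parser for the Aborted login lines James posted, the equivalent fail2ban failregex (assumed; verify it against a live log with fail2ban-regex before enabling a jail), and a maxretry/findtime window counter that flags the source IP and lists the usernames it tried. The 192.168.1.50 line is constructed as a benign control.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Dovecot 1.2 pop3-login "Aborted login" line exactly as posted in this thread; the regex is mine.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot\[\d+\]: (?:pop3|imap)-login: Aborted login "
    r"\(auth failed, \d+ attempts\): user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)$"
)
# Same match as a fail2ban failregex (fail2ban strips the timestamp and fills in <HOST> itself). Assumed, not from fail2ban.
FAIL2BAN_FAILREGEX = r"(?:pop3|imap)-login: Aborted login \(auth failed, \d+ attempts\): user=<[^>]*>, method=\S+, rip=<HOST>, lip=\S+$"
# Five lines from the thread plus one constructed benign failure from 192.168.1.50.
SAMPLE_LOG = """\
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<august>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<autumn>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:25 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<austin>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:48:27 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<audrey>, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9
Jun 5 11:50:02 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=<james>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.9
""".splitlines()

def parse_line(line, year=2009):
    """Fields of one Dovecot auth-failure line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return {"ts": ts, "user": m["user"], "rip": m["rip"], "lip": m["lip"]}

def failregex_host(line):
    """Emulate fail2ban's matching: swap <HOST> for an address group and search the line."""
    m = re.search(FAIL2BAN_FAILREGEX.replace("<HOST>", r"(?P<host>[\d.]+)"), line)
    return m["host"] if m else None

def find_bruteforcers(lines, maxretry=5, findtime=60):
    """{rip: sorted users tried} for each source reaching maxretry failures inside any findtime-second window."""
    recent = defaultdict(deque)  # rip -> failure timestamps still inside the window
    users = defaultdict(set)     # rip -> usernames tried; many distinct names = dictionary attack
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["rip"]]
        window.append(ev["ts"])
        users[ev["rip"]].add(ev["user"])
        while (ev["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged[ev["rip"]] = sorted(users[ev["rip"]])
    return flagged
```

The distinct-username list is the useful signal for a defender: one source cycling through an alphabetical wordlist in seconds is a dictionary attack, whereas a single user failing repeatedly is usually a stale password.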