henry ritzlmayr
2009-Jun-02 12:51 UTC
[CentOS] Dovecot under brute force attack - nice attacker
Hi List,

optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior.

The short story:
On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed and reopened the connection after every user/password combination the logs showed many lines like this:
dovecot: pop3-login: Aborted login: user=<test>,......

The problem:
If the attacker hadn't closed and reopened the connection no log would have been generated and he/she would have had endless tries. Not even an iptables/hashlimit or fail2ban would have kicked in.

How to reproduce:
telnet dovecot-server pop3
user test
pass test1
user test
pass test2
...
QUIT
-> Only the last try gets logged.

Question:
Is there any way to close the connection after the first wrong user/pass combination, so an attacker would be forced to reopen it?

Any other ideas?
Henry
Kai Schaetzl
2009-Jun-02 15:31 UTC
[CentOS] Dovecot under brute force attack - nice attacker
Henry ritzlmayr wrote on Tue, 02 Jun 2009 14:51:23 +0200:

> -> Only the last try gets logged.

Can't reproduce this. The following was done in one connection to localhost.

Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun 2 17:09:10 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo
Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun 2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun 2 17:09:30 d01 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user bongo2

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
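Added example (not from this thread): a small detector that counts the per-attempt dovecot-auth PAM failures Kai quotes rather than the per-connection "Aborted login" line Henry relies on, so repeated tries inside one connection stay visible to a fail2ban-style threshold. The sample log lines are constructed from the formats quoted above; the method= and rip= fields on the Aborted-login line are assumed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two formats quoted in this thread:
# per-attempt PAM failures from dovecot-auth, and the per-connection
# "Aborted login" line from pop3-login (its rip= field is assumed here).
SAMPLE_LOG = """\
Jun  2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Jun  2 17:09:10 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun  2 17:09:30 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun  2 17:09:45 d01 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Jun  2 17:09:50 d01 dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1
"""

# One PAM failure line per tried password, even inside a single connection.
PAM_FAIL = re.compile(r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .*rhost=(\S+)")
# One "Aborted login" line per connection, written only when the client disconnects.
ABORTED = re.compile(r"pop3-login: Aborted login: user=<[^>]*>.*rip=([^,\s]+)")


def normalize_host(host):
    """Strip the IPv4-mapped IPv6 prefix so the value can feed iptables/fail2ban."""
    return host[7:] if host.startswith("::ffff:") else host


def count_failures(log_text):
    """Return (per_attempt, per_connection) Counters keyed by client address."""
    per_attempt, per_connection = Counter(), Counter()
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            per_attempt[normalize_host(m.group(1))] += 1
            continue
        m = ABORTED.search(line)
        if m:
            per_connection[normalize_host(m.group(1))] += 1
    return per_attempt, per_connection


def offenders(log_text, threshold=3):
    """Hosts whose per-attempt failure count reaches the threshold."""
    per_attempt, _ = count_failures(log_text)
    return sorted(h for h, n in per_attempt.items() if n >= threshold)


if __name__ == "__main__":
    attempts, conns = count_failures(SAMPLE_LOG)
    for host in attempts:
        print(host, "attempts:", attempts[host], "connections:", conns[host])
    print("block:", offenders(SAMPLE_LOG))
```

On the sample, the PAM counter sees three failures from one address while the Aborted-login counter sees a single connection, which is exactly the gap Henry describes.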
Scott Silva
2009-Jun-02 21:13 UTC
[CentOS] Dovecot under brute force attack - nice attacker
on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> Hi List,
>
> optimizing the configuration on one of our servers (which was
> hit by a brute force attack on dovecot) showed an odd behavior.
>
> The short story:
> On one of our servers an attacker did a brute force
> attack on dovecot (pop3).
> Since the attacker closed and reopened the connection
> after every user/password combination the logs showed
> many lines like this:
> dovecot: pop3-login: Aborted login: user=<test>,......
>
> The problem:
> If the attacker wouldn't have closed and reopened the connection
> no log would have been generated and he/she would have endless
> tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
>
> How to reproduce:
> telnet dovecot-server pop3
> user test
> pass test1
> user test
> pass test2
> ...
> QUIT
> -> Only the last try gets logged.
>
> Question:
> Is there any way to close the connection after the
> first wrong user/pass combination. So an attacker would be forced
> to reopen it?
>
> Any other Ideas?
> Henry

Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any chance?
Henry Ritzlmayr
2009-Jun-04 06:25 UTC
[CentOS] Dovecot under brute force attack - nice attacker
On Tuesday, 02.06.2009, 14:13 -0700, Scott Silva wrote:
> on 6-2-2009 5:51 AM henry ritzlmayr spake the following:
> > Hi List,
> >
> > optimizing the configuration on one of our servers (which was
> > hit by a brute force attack on dovecot) showed an odd behavior.
> >
> > The short story:
> > On one of our servers an attacker did a brute force
> > attack on dovecot (pop3).
> > Since the attacker closed and reopened the connection
> > after every user/password combination the logs showed
> > many lines like this:
> > dovecot: pop3-login: Aborted login: user=<test>,......
> >
> > The problem:
> > If the attacker wouldn't have closed and reopened the connection
> > no log would have been generated and he/she would have endless
> > tries. Not even an iptables/hashlimit or fail2ban would have kicked in.
> >
> > How to reproduce:
> > telnet dovecot-server pop3
> > user test
> > pass test1
> > user test
> > pass test2
> > ...
> > QUIT
> > -> Only the last try gets logged.
> >
> > Question:
> > Is there any way to close the connection after the
> > first wrong user/pass combination. So an attacker would be forced
> > to reopen it?
> >
> > Any other Ideas?
> > Henry
> Are you using the hopelessly outdated 0.99 dovecot package in CentOS 4 by any
> chance?

No, dovecot-1.0.7-2.el5 is running here. Next weekend the update to 5.3 is in the queue for this machine.

Henry