Hi,
I was just looking for some advice on avoiding getting DoS'd from brute
force login attempts. We came in this morning to find that one of our
Solaris 9 dovecot servers had wedged overnight due to a brute force
connection attempt to pop3 from Brasil. In the span of about 15 seconds
we received 342 connection auth attempts from the same IP:
Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16862
Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] auth(default): new auth connection: pid=16863
Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Login failed: Plaintext authentication disabled: rip=189.99.178.15, lip=xxxxx
Sep 3 00:10:51 xxxxx dovecot: [ID 583609 mail.info] pop3-login: Aborted login (tried to use disabled plaintext auth): rip=189.99.178.15, lip=xxxxx
Dovecot finally wedged silently and without complaint, becoming
completely unresponsive. I had to kill -9 it this morning in order to
restart the service. One possibility I considered was that the dovecot
user process limit was reached, but this is set to 1024, and I didn't
see any errors or warnings anywhere in the logs.
login_max_processes_count = 256
max_mail_processes = 1024
With the above I would think it would have been able to handle it
gracefully, but apparently it did not. ulimit -n 2048 is also set on
dovecot startup for the fd limit.
Any suggestions on what I could tweak to prevent this from happening in
the future?
dovecot -n output:
Note I upgraded to 1.2.4 this morning while it was already down. We were
running either 1.2.0 or 1.2.1 last night; sorry, I didn't think to check
first. ;)
bash-2.05# ulimit -n 2048; dovecot -n
# 1.2.4: /usr/local/etc/dovecot.conf
# OS: SunOS 5.9 sun4u
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/local/ssl/certs/nbcs.key+crt.pem
ssl_key_file: /usr/local/ssl/certs/nbcs.key+crt.pem
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_max_processes_count: 256
max_mail_processes: 1024
mail_location:
maildir:~/Maildir:INDEX=/toolbox/nqu%h/dovecot:CONTROL=/toolbox/nqu%h/dovecot
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugins(default): quota imap_quota fts fts_squat
mail_plugins(imap): quota imap_quota fts fts_squat
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): UID%u-%v
namespace:
type: private
separator: .
prefix: INBOX.
inbox: yes
list: yes
subscriptions: yes
lda:
postmaster_address: postmaster at jla.rutgers.edu
auth default:
verbose: yes
debug: yes
passdb:
driver: pam
args: *
userdb:
driver: passwd
plugin:
quota: fs
fts: squat
fts_squat: partial=4 full=4
--
===============================
David Halik
System Administrator
OIT-CSS Rutgers University
dhalik at jla.rutgers.edu
================================
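The burst the post describes (hundreds of pop3 auth failures from one rip= in a few seconds) is easy to spot in the syslog lines quoted above once you count failures per source address over a sliding window. The script below is an added example, not code from the post or from the Dovecot project: it parses lines in the Solaris syslog format shown (timestamp, host, `dovecot:`, the `[ID ... mail.info]` tag, then `pop3-login:`/`imap-login:` failure text with `rip=`), and reports any address whose failure lines reach a threshold inside a window. The sample log is constructed in the code to mirror the post's format; the hostname, `lip=`, user name and the second address are placeholders, and the window and threshold values are assumptions to tune for your own traffic. Its output is the kind of per-IP count you would feed into a monitoring alert or a temporary block on the mail host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Solaris syslog lines quoted in the post: timestamp, host,
# "dovecot:", an optional "[ID nnn facility]" tag, then a pop3-login or
# imap-login failure that carries rip=<address>.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:\[ID \d+ \S+\] )?(?P<svc>pop3|imap)-login: "
    r"(?P<kind>Login failed|Aborted login)[^\n]*?rip=(?P<ip>[0-9.]+)"
)


def parse_failures(lines):
    """Yield (timestamp, ip) for every login-failure line; other lines
    (e.g. "auth(default): new auth connection") are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900,
            # which is fine because only time differences are used below.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip")


def flag_bursts(lines, window_seconds=60, threshold=20):
    """Return {ip: peak} for every ip whose number of failure lines inside
    some `window_seconds`-long sliding window reached `threshold`.
    Note that one failed attempt can emit two lines (Login failed +
    Aborted login), exactly as in the post, so the threshold counts lines."""
    windows = defaultdict(deque)   # ip -> timestamps inside current window
    peak = defaultdict(int)        # ip -> largest window population seen
    for ts, ip in sorted(parse_failures(lines)):
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def constructed_sample(attempts=30, start="Sep  3 00:10:51"):
    """CONSTRUCTED sample log: `attempts` back-to-back pop3 attempts from the
    rip quoted in the post, two attempts per second, each producing the same
    three lines the post shows (new auth connection, Login failed, Aborted
    login), plus two isolated failures from a placeholder address five
    minutes apart. Hostname, lip, pid and user are placeholders."""
    t0 = datetime.strptime(start, "%b %d %H:%M:%S")
    lines = []
    for i in range(attempts):
        ts = (t0 + timedelta(seconds=i // 2)).strftime("%b %d %H:%M:%S")
        pre = f"{ts} mailhost dovecot: [ID 583609 mail.info] "
        lines.append(pre + f"auth(default): new auth connection: pid={16862 + i}")
        lines.append(pre + "pop3-login: Login failed: Plaintext authentication "
                     "disabled: rip=189.99.178.15, lip=192.0.2.10")
        lines.append(pre + "pop3-login: Aborted login (tried to use disabled "
                     "plaintext auth): rip=189.99.178.15, lip=192.0.2.10")
    for i in range(2):
        ts = (t0 + timedelta(minutes=5 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} mailhost dovecot: [ID 583609 mail.info] pop3-login: "
                     "Aborted login (auth failed, 1 attempts): user=<bob>, "
                     "rip=198.51.100.7, lip=192.0.2.10")
    return lines


if __name__ == "__main__":
    # With the defaults, only the bursting address is reported.
    for ip, n in sorted(flag_bursts(constructed_sample()).items()):
        print(f"{ip}: {n} failure lines within 60s")
```

Run it against a real log with `flag_bursts(open("/var/log/syslog"))` (path is an assumption). The sliding window means a slow, steady trickle of failures from one address stays below the threshold while a burst like the one in the post stands out immediately; the threshold should sit well above what a misconfigured but legitimate client produces in a minute.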