#1
29th March 2007, 02:21
DrZaius
Dictionary attacks on ipop3d

I have seen thousands of dictionary or brute force attempts on ipop3d over the last couple of days from the same IP address. Example from /var/log/messages:

Mar 28 04:34:36 ipop3d[19269]: Login failed user=jess auth=jess host=[209.2.xxx.xxx]

There are at least five of these entries per second, and sometimes the large number of attempts makes the daemon restart. On the chance that an existing user is attacked, a message sometimes looks like this:
Mar 28 04:32:33 ipop3d[18739]: Autologout user=example host=[209.2.xx.xx]

What is going on here? Why are they attempting to gain access to ipop3d since, as I understand it, this daemon just collects the mail and spammers would be more interested in sending mail from this server?

Also, is there anything that can be done to prevent entry since they could eventually brute force a client's weak password?

Last edited by DrZaius; 29th March 2007 at 02:24.
#2
29th March 2007, 14:46
falko

You can block that IP address like this: http://www.howtoforge.com/forums/sho...42&postcount=4
#3
29th March 2007, 19:33
DrZaius

That would be a temporary solution, but today a different IP is attacking and I want to avoid reading the log several times a day. Looks like a botnet is attracted to this server. This seems more effective but I don't know how to apply it to ipop3d:

http://www.howtoforge.com/preventing...s#comment-1411
#4
30th March 2007, 15:35
falko

I haven't tried yet, but I think that maybe fail2ban ( http://fail2ban.sourceforge.net/ ) can observe login attempts for POP3.
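Added example, not part of the original thread and not fail2ban's own code: a sketch of the count-failures-per-host-in-a-time-window check that log-watching tools apply, written against the ipop3d "Login failed" format quoted in post #1. The names `offenders`, `max_retry` and `find_seconds`, the year default, and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Format from post #1; an optional syslog hostname before "ipop3d[pid]" is allowed.
# The address is taken from the LAST bracket on the line so that text inside the
# client-supplied user= field cannot stand in for the real peer address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?ipop3d\[\d+\]: "
    r"Login failed user=(?P<user>\S+) auth=\S+ host=.*\[(?P<ip>[0-9.]+)\]\s*$"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE = """\
Mar 28 04:32:33 ipop3d[18739]: Autologout user=example host=[203.0.113.7]
Mar 28 04:34:36 ipop3d[19269]: Login failed user=jess auth=jess host=[203.0.113.7]
Mar 28 04:34:36 ipop3d[19270]: Login failed user=jim auth=jim host=[203.0.113.7]
Mar 28 04:34:37 ipop3d[19271]: Login failed user=joe auth=joe host=[203.0.113.7]
Mar 28 04:34:37 ipop3d[19272]: Login failed user=john auth=john host=[203.0.113.7]
Mar 28 04:34:38 ipop3d[19273]: Login failed user=judy auth=judy host=[203.0.113.7]
Mar 28 09:10:02 ipop3d[20111]: Login failed user=alice auth=alice host=[198.51.100.20]
Mar 28 11:45:40 ipop3d[20987]: Login failed user=alice auth=alice host=[198.51.100.20]
""".splitlines()


def offenders(lines, max_retry=5, find_seconds=60, year=2007):
    """Return {ip: usernames tried} for hosts with >= max_retry failures
    inside any find_seconds window. Syslog omits the year, so it is a parameter."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every username tried so far
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # Autologout and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        users[m["ip"]].add(m["user"])
        while (when - window[0]).total_seconds() > find_seconds:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged


if __name__ == "__main__":
    print(offenders(SAMPLE))
```

With the defaults only the burst from 203.0.113.7 is flagged; the two widely spaced failures from 198.51.100.20 look like a mistyped password and stay below the threshold.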
All times are GMT +2.