Navigation

DrZaius · #1 29th March 2007, 02:21

I have seen thousands of dictionary or brute force attempts on ipop3d over the last couple of days from the same ip address. Example from /var/log/messages:

Mar 28 04:34:36 ipop3d[19269]: Login failed user=jess auth=jess host=[209.2.xxx.xxx]

There are at least five of these entries per second and sometimes the large number of attempts makes the daemon restart. On the chance that an existing user is attacked a message sometimes looks like this:
Mar 28 04:32:33 ipop3d[18739]: Autologout user=example host=[209.2.xx.xx]

What is going on here? Why are they attempting to gain access to ipop3d since, as I understand it, this daemon just collects the mail and spammers would be more interested in sending mail from this server?

Also, is there anything that can be done to prevent entry since they could eventually brute force a client's weak password?

falko · #2 29th March 2007, 14:46

You can block that IP address like this: http://www.howtoforge.com/forums/sho...42&postcount=4

DrZaius · #3 29th March 2007, 19:33

That would be a temporary solution, but today a different IP is attacking and I want to avoid reading the log several times a day. Looks like a botnet is attracted to this server. This seems more effective but I don't know how to apply it to ipop3d:

http://www.howtoforge.com/preventing...s#comment-1411

falko · #4 30th March 2007, 15:35

I haven't tried yet, but I think that maybe fail2ban ( http://fail2ban.sourceforge.net/ ) can observe login attempts for POP3.

Navigation

Facebook

News

Recent comments

Newsletter