Discussion:
[Dovecot] Lots of pop3-logins
Rodman Frowert
2009-06-25 14:07:23 UTC
Hello,

Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.

This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.

Is this a cause for concern? Why does Dovecot need this many processes?

Thanks!

Rodman
Jose Celestino
2009-06-25 14:34:56 UTC
Post by Rodman Frowert
Hello,
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Because dovecot preforks the *-login processes to speed up the login.

No need to worry.


-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt
--------------------------------------------------------------------- *
Progress (n.): The process through which Usenet has evolved from smart
people in front of dumb terminals to dumb people in front of smart
terminals.
Rodman Frowert
2009-06-25 15:29:37 UTC
Jose,

Thank you for your reply. Makes me feel better everything is working
properly and resources aren't being wasted. Thank you!

Rodman

Dave McGuire
2009-06-25 16:59:24 UTC
Post by Rodman Frowert
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of
"pop3-login"s going on. This is a production mail server, but it
is getting VERY low traffic. In fact, only 3 people can "pop3"
into it. I've checked their e-mail clients, and they are not
checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running
since Sunday. If it matters, I'm using Postfix for the MTA and
using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many
processes?
Take a look at your log file. Is there a dictionary attack taking
place? I get this all the time. I want to find these little cracker
kiddies and break their fingers.

-Dave
--
Dave McGuire
Port Charlotte, FL
V S Rao
2009-06-25 17:01:06 UTC
Post by Rodman Frowert
Hello,
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Post by Jose Celestino
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what. There is definitely some issue. Once the load increases the system will start timing out on POP3 connections or other network connections, such as IMAP, SSH etc. Better check out the system logs, utilization etc. for any abnormal values.

Regards
Rao
Jose Celestino
2009-06-25 17:14:26 UTC
Post by V S Rao
Post by Rodman Frowert
Hello,
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Post by Jose Celestino
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what.
No, login_processes_count matters.


V S Rao
2009-06-25 18:15:30 UTC
Post by V S Rao
Post by Rodman Frowert
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Post by Jose Celestino
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what.
Post by Rodman Frowert
No, login_processes_count matters.
How? If my understanding is correct, you have 3 extra login processes created to cater to new connections. So with only 3 POP3 users, why should so many login processes be spawned? I can understand 10-15. But 100 definitely indicates either the processes are not dying or something else happening on the system which is causing such a high number of login processes. The system definitely needs to be checked for some kind of attack, a rogue process running on the system or something else.

Regards
--Rao
Rodman Frowert
2009-06-25 19:33:16 UTC
Well, after going through my log files, I was hit with a dictionary-based
attack. My maillog is full of about 20,000 lines of crap like this:

Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1
attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2

Starts with "A" and runs all the way to "Z". The IP traces back to a cable
modem subscriber on Cox Communications out of Arizona. I'll shoot them off
my "standard" attack e-mail.

In the meantime, I need to modify fail2ban so that it checks the maillog for
failed pop3 auth logins and bans IPs so this won't happen again.

Rodman

Timo Sirainen
2009-06-25 19:46:04 UTC
You can also just decrease login_process_max_count. If Dovecot reaches
the limit, it'll just start killing off old connections that haven't
logged in.

And yeah, some day I should also make Dovecot kill some of the login
processes after many of them have been idling for a while.
Post by Rodman Frowert
Well, after going through my log files, I was hit with a dictionary based
Rodman Frowert
2009-06-25 20:43:28 UTC
I'll go ahead and lower that limit to something that fits my usage better.

Thanks Timo! You built a hell of a mail server.

Rodman
Dave McGuire
2009-06-25 20:46:01 UTC
Post by Timo Sirainen
You can also just decrease login_process_max_count. If Dovecot reaches
the limit, it'll just start killing off old connections that haven't
logged in.
I don't see this option in my dovecot.conf. Was it added after
1.1.6?

-Dave
Noel Butler
2009-06-25 21:48:26 UTC
Post by Timo Sirainen
You can also just decrease login_process_max_count. If Dovecot reaches
the limit, it'll just start killing off old connections that haven't
logged in.
What would be nice is an anti-brute-force option, like xinetd: X number
of connections from Y IP in Z seconds (optional setting of course), or
maybe a way to extend that to detect if the same IP is retrying
constantly using different usernames on every new connection within X
seconds. Come to think of it, that way would be much cooler :)
Kenneth Porter
2009-06-25 22:23:40 UTC
--On Friday, June 26, 2009 8:48 AM +1000 Noel Butler
Post by Noel Butler
What would be nice is an anti-brute-force option, like xinetd: X number
of connections from Y IP in Z seconds (optional setting of course), or
maybe a way to extend that to detect if the same IP is retrying
constantly using different usernames on every new connection within X
seconds. Come to think of it, that way would be much cooler :)
Some good discussion about fighting dictionary attacks here:

<http://www.codinghorror.com/blog/archives/001206.html>
Timo Sirainen
2009-06-25 22:31:01 UTC
Post by Noel Butler
What would be nice is an anti-brute-force option, like xinetd: X number
of connections from Y IP in Z seconds (optional setting of course), or
maybe a way to extend that to detect if the same IP is retrying
constantly using different usernames on every new connection within X
seconds. Come to think of it, that way would be much cooler :)
v2.0 makes it possible in a much easier way. Maybe I'll get it
implemented there.

Noel Butler
2009-06-25 22:58:09 UTC
Post by Timo Sirainen
Post by Noel Butler
What would be nice is an anti-brute-force option, like xinetd: X number
of connections from Y IP in Z seconds (optional setting of course), or
maybe a way to extend that to detect if the same IP is retrying
constantly using different usernames on every new connection within X
seconds. Come to think of it, that way would be much cooler :)
v2.0 makes it possible in a lot easier way. Maybe I'll get it
implemented there.
That would be awesome :)
Cheers
Jose Celestino
2009-06-25 20:49:45 UTC
Post by V S Rao
Post by V S Rao
Post by Rodman Frowert
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Post by Jose Celestino
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what.
Post by Rodman Frowert
No, login_processes_count matters.
How? If my understanding is correct, you have 3 extra login processes created to cater to new connections. So with only 3 POP3 users, why should so many login processes be spawned? I can understand 10-15. But 100 definitely indicates either the processes are not dying or something else happening on the system which is causing such a high number of login processes. The system definitely needs to be checked for some kind of attack, a rogue process running on the system or something else.
If you don't change the defaults that's right. But the *-login processes
will never be less than login_processes_count so it does matter. And, as
Timo pointed out, you can put an upper limit with
login_max_processes_count.

My idle box has 64 imap-login processes and no, I'm not under a
dictionary attack :)

V S Rao
2009-06-26 09:01:00 UTC
Post by V S Rao
Post by V S Rao
Post by Rodman Frowert
Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of "pop3-login"s going on. This is a production mail server, but it is getting VERY low traffic. In fact, only 3 people can "pop3" into it. I've checked their e-mail clients, and they are not checking mail any more often than every 5 minutes.
This is a new installation and I've had the server up and running since Sunday. If it matters, I'm using Postfix for the MTA and using the Dovecot SASL library to AUTH SMTP.
Is this a cause for concern? Why does Dovecot need this many processes?
Post by Jose Celestino
Because dovecot preforks the *-login processes to speed-up the login.
No need to worry.
100 login sessions for just 3 connections? That is not right, no matter what.
Post by Rodman Frowert
No, login_processes_count matters.
How? If my understanding is correct, you have 3 extra login processes created to cater to new connections. So with only 3 POP3 users, why should so many login processes be spawned? I can understand 10-15. But 100 definitely indicates either the processes are not dying or something else happening on the system which is causing such a high number of login processes. The system definitely needs to be checked for some kind of attack, a rogue process running on the system or something else.
Post by V S Rao
My idle box has 64 imap-login processes and no, I'm not under a
dictionary attack :)
I am not sure what your load is (user base, system config etc), but I will give you my typical load here. I run a mail server for about 6000 users with a mix of 70% POP3 and 30% IMAP (through webmail). And here are the typical stats (I run a script in the background collecting this data every 5 secs):

pop3-logins:12
pop3-connections:8
IMAP-logins:7
IMAP-connections:11

I have read other opinions in this thread by Timo & others. And I am interested in a few things. So if you will indulge me, maybe it will be useful for others who face these kinds of issues.

Timo Wrote: You can also just decrease login_process_max_count

Wouldn't decreasing the login_process_max_count simply create more problems? Now users will start experiencing timeouts sooner than before, because whatever is causing the login processes to increase (attack, rogue process or whatever) will *always* be trying to login and genuine users will be denied login. So without knowing the root cause of the issue, simply decreasing or increasing the login_process_max_count will lead to other problems. Correct me if I am wrong.

Rodman Wrote: I'll go ahead and lower that limit to something that fits my usage better.

No, I think leave that value at the default and try to identify the root cause and prevent it.

Noel Wrote: What would be nice is, an anti brute force option

Yes, that would be nice. But consider a situation where the system is not under brute force attack, but for some reason the number of login processes keeps on increasing by the hour. This would ultimately lead the system to deny connections to the users. Is there a way to track what is happening? strace would be too complicated for us field guys to work with. Any suggestions?

Regards
--Rao
Rodman Frowert
2009-06-26 13:55:07 UTC
Well, concerning my problem, I adjusted fail2ban so that it can parse the
maillog and ban IPs that have 6 incorrect pop3 logins. I had another
"attack" last night, but fail2ban got him after only 6 attempts and banned
his sorry ass.

If anyone wants to see the fail2ban config file I am using for Dovecot, let
me know...

Rodman

Charles Marcus
2009-06-26 13:57:30 UTC
If anyone wants to see the fail2ban config file I am using for Dovecot, let me know...
Does it also work for IMAP logins? I'd like to see it regardless... thanks!
--
Best regards,

Charles
Rodman Frowert
2009-06-26 14:31:24 UTC
Charles,

I haven't tested it with IMAP so I'm not sure. I was going to play with
that later. It could also be modified to ban failed SASL SMTP auths as
well. Here is the line in my /etc/fail2ban/filter.d/dovecot.conf file that
makes it work:

failregex = (?: Disconnected|Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*

I have to use both "Disconnected" AND "Aborted login" to pick up 100% of
failed pop3 logins. For some reason, some attacks only show "Disconnected" in
the logs while others show as "Aborted login". If I try a failed
pop3 auth myself, I show as "Disconnected", but the dictionary attack the
other day showed as "Aborted login".

Rodman


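Worked example, added here and not code from the thread, from fail2ban or from Dovecot: a small Python detector that applies the idea behind Rodman's fail2ban filter (both the "Disconnected" and "Aborted login" forms count, rip= may carry an IPv4-mapped prefix) together with Noel's X-failures-from-one-IP-in-Z-seconds rule and its distinct-usernames variant, run over constructed Dovecot 1.x maillog lines. The thresholds, the sample addresses and the log year are assumptions; unlike the fail2ban regex it ignores "no auth attempts" disconnects, since no password was tried there.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both failure forms mentioned in the thread ("Aborted login" and "Disconnected"),
# with the optional IPv4-mapped prefix on rip= that the fail2ban regex also allows.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: (?P<event>Disconnected|Aborted login)"
    r"(?: \((?P<detail>[^)]*)\))?: (?:user=<(?P<user>[^>]*)>, )?"
    r"(?:method=\S+, )?rip=(?:::ffff:)?(?P<rip>[0-9A-Fa-f.:]+), lip=\S+"
)

LOG_YEAR = 2009  # assumption: syslog timestamps carry no year


def parse_failure(line):
    """Return (ts, service, user, rip) for an authentication failure, else None.

    Unlike the fail2ban regex above, a bare "Disconnected (no auth attempts)"
    is not counted: no password was tried, so it is noise for this purpose.
    """
    m = LOGIN_RE.match(line)
    if not m or "auth failed" not in (m.group("detail") or ""):
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("svc"), m.group("user") or "", m.group("rip")


def detect(lines, max_fail=6, window_s=60, max_users=3):
    """Sliding-window detector over maillog lines (assumed in time order).

    Flags a source IP that, within window_s seconds, either produced max_fail
    failures (Rodman's fail2ban threshold) or failed against max_users distinct
    usernames (Noel's "different usernames on every connection" case).
    Returns {rip: sorted list of reasons}; each reason is reported once per IP.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # rip -> deque of (ts, user) inside the window
    alerts = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _svc, user, rip = parsed
        q = recent[rip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= max_fail and "burst" not in alerts[rip]:
            alerts[rip].append("burst")
        if len({u for _, u in q}) >= max_users and "dictionary" not in alerts[rip]:
            alerts[rip].append("dictionary")
    return {rip: sorted(r) for rip, r in alerts.items() if r}


# Constructed sample in Dovecot 1.x maillog format (documentation address
# ranges, not the addresses from the thread).
_FMT = ("Jun 21 23:06:{sec:02d} mail dovecot: {svc}-login: {event} (auth failed, "
        "1 attempts): user=<{user}>, method=PLAIN, rip={rip}, lip=10.0.0.2")
SAMPLE_LOG = [
    _FMT.format(sec=i, svc="pop3", event="Aborted login", user=u, rip="198.51.100.7")
    for i, u in enumerate(["warren", "williams", "www", "wilson", "willy", "valerie"])
] + [
    # same source via an IPv4-mapped IPv6 address: the prefix is stripped
    _FMT.format(sec=6, svc="pop3", event="Disconnected", user="victor",
                rip="::ffff:198.51.100.7"),
    # a probe that never sent a password: the fail2ban regex above would match it
    "Jun 21 23:06:07 mail dovecot: pop3-login: Disconnected (no auth attempts): "
    "rip=203.0.113.9, lip=10.0.0.2",
    # a real user mistyping a password once, then logging in: below both thresholds
    _FMT.format(sec=9, svc="imap", event="Disconnected", user="alice", rip="192.0.2.10"),
    "Jun 21 23:06:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=10.0.0.2",
]

if __name__ == "__main__":
    for rip, reasons in detect(SAMPLE_LOG).items():
        print(f"{rip}: {', '.join(reasons)}")   # 198.51.100.7: burst, dictionary
```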
Timo Sirainen
2009-06-28 03:47:16 UTC
Post by V S Rao
Timo Wrote: You can also just decrease login_process_max_count
Wouldn't decreasing the login_process_max_count simply create more
problems. Now users will start experiencing timeouts sooner than
before, because whatever is causing the login processes to increase
(attack, rogue process or whatever) will *always* be trying to login
and genuine users will be denied login. So without knowing the root
cause of the issue simply decreasing or increasing the
login_process_max_count will lead to other problems. Correct me if I
am wrong.
Depends on the attacker. Dovecot will always drop the oldest connection.
So if the attacker is authenticating multiple times in a single session,
it's pretty much always the oldest connection that gets killed first. If
the attacker logs in once and then disconnects, I think Dovecot still kills
those processes sooner than others, because they're waiting a couple of
seconds for "authentication failed".
