
Protecting dovecot from being hacked?

842 Views 1 Reply Latest reply: Jan 13, 2012 5:02 PM by Bert Sierra RSS
GreatGeek Level 1 (0 points)
Dec 14, 2011 4:07 PM

I just noticed this moron in my logs:

Dec 14 08:37:06 server dovecot[185]: auth: Error: od(newsletter,217.74.48.62): verify plain: lookup failed for user: newsletter
Dec 14 08:37:23 server dovecot[185]: auth: Error: od[getpwnam_ext](newsletter,217.74.48.62): No record for user
Dec 14 08:37:23 server dovecot[185]: auth: Error: od(newsletter,217.74.48.62): verify plain: lookup failed for user: newsletter
Dec 14 08:37:40 server dovecot[185]: auth: Error: od[getpwnam_ext](zabbix,217.74.48.62): No record for user
Dec 14 08:37:40 server dovecot[185]: auth: Error: od(zabbix,217.74.48.62): verify plain: lookup failed for user: zabbix
Dec 14 08:37:57 server dovecot[185]: auth: Error: od[getpwnam_ext](zabbix,217.74.48.62): No record for user
Dec 14 08:37:57 server dovecot[185]: auth: Error: od(zabbix,217.74.48.62): verify plain: lookup failed for user: zabbix
Dec 14 08:38:14 server dovecot[185]: auth: Error: od[getpwnam_ext](zabbix,217.74.48.62): No record for user
Dec 14 08:38:14 server dovecot[185]: auth: Error: od(zabbix,217.74.48.62): verify plain: lookup failed for user: zabbix
Dec 14 08:38:31 server dovecot[185]: auth: Error: od[getpwnam_ext](backuppc,217.74.48.62): No record for user
Dec 14 08:38:31 server dovecot[185]: auth: Error: od(backuppc,217.74.48.62): verify plain: lookup failed for user: backuppc
Dec 14 08:38:49 server dovecot[185]: auth: Error: od[getpwnam_ext](informix,217.74.48.62): No record for user
Dec 14 08:38:49 server dovecot[185]: auth: Error: od(informix,217.74.48.62): verify plain: lookup failed for user: informix
Dec 14 08:39:07 server dovecot[185]: auth: Error: od[getpwnam_ext](informix,217.74.48.62): No record for user
Dec 14 08:39:07 server dovecot[185]: auth: Error: od(informix,217.74.48.62): verify plain: lookup failed for user: informix

It's someone screwing around with my server from NSC in Ireland. I'm going to report this idiot, but isn't there some way to protect Dovecot from letting idiots just keep hacking until they guess at a login/password?!

  • Bert Sierra Level 2 (285 points)
    Jan 13, 2012 5:02 PM (in response to GreatGeek)

    Dear GreatGeek:  [great name, by the way]


    I endure these types of casual script kiddie attacks on my Dovecot-based Snow Leopard Server mail server on a daily basis.  My best suggestion would be to not support root or admin accounts with mail service, and enforce a password policy so that no account passwords can be guessed by brute force attack.  For example, look at Apple's password policies when you set up iTunes / iCloud accounts [at least eight characters, with a mix of lowercase and uppercase letters, and at least one numeric digit thrown in].  Also, the passwords should not be based on any commonly known names / nicknames for the user, her family, or pets.


    Unfortunately, if you’re going to allow mail logins from anywhere on the Internet, these types of attacks are to be expected.  Let me know if you find any simple way to filter them out.  Where it gets really gnarly is if the attacker hits you with enough login requests per second (say anything more than five or ten per second).  If this type of attack lasts for just a matter of minutes, Dovecot can be overwhelmed and legit users can’t log in.  It’s a type of unintentional denial-of-service attack coming from a single attacking host (not even a distributed attack, which would be even worse and harder to protect against!).


    The reason I ran across your post today is because our mail server sustained nearly 2,900 POP logins over an eight-minute period, which brought our mail service to a crawl.  In looking at the pattern of login names used, I can see that it would be difficult to tune out these requests by adjusting parameters in the /etc/dovecot/dovecot.conf configuration file.


    I’ve opened up a thread at https://discussions.apple.com/thread/3651526 to answer the question: is there any way to filter out hard-core attacks in Dovecot?  You might want to keep an eye on this thread to see if any suggestions are posted which might solve your question as well.
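Detection logic for the pattern both posts describe (the Dovecot "od" auth error lines quoted in the question, and the per-source attempt rate the reply worries about), added here as an example and not code from either poster or from the Dovecot project: it parses those error lines, collapses the two lines each failed attempt produces into one attempt, and flags a source address that exceeds a threshold of failed logins inside a sliding time window. The log year, the thresholds, and the subset of lines in SAMPLE_LOG are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Dovecot Open Directory auth errors quoted in the question. The
# "od[getpwnam_ext](...)" and "od(...)" lines of one attempt share timestamp and user.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot\[\d+\]: auth: Error: "
    r"od(?:\[\w+\])?\((?P<user>[^,]+),(?P<ip>[\d.]+)\): "
)

def parse_attempts(lines, year=2011):
    """Return {ip: set of (timestamp, user)}; both lines of one attempt collapse to one."""
    attempts = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:  # lines that are not auth errors are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts[m["ip"]].add((ts, m["user"]))
    return attempts

def find_bruteforce(lines, max_attempts=5, window_seconds=600):
    """Flag sources with more than max_attempts failed logins inside any sliding
    window of window_seconds: {ip: (total_attempts, sorted distinct usernames)}."""
    flagged = {}
    for ip, tried in parse_attempts(lines).items():
        stamps = sorted(ts for ts, _ in tried)
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past attempts that are too old
            if end - start + 1 > max_attempts:
                flagged[ip] = (len(stamps), sorted({u for _, u in tried}))
                break
    return flagged

# Sample input: a subset of the log lines from the question (7 attempts, 4 usernames).
SAMPLE_LOG = """\
Dec 14 08:37:06 server dovecot[185]: auth: Error: od(newsletter,217.74.48.62): verify plain: lookup failed for user: newsletter
Dec 14 08:37:23 server dovecot[185]: auth: Error: od[getpwnam_ext](newsletter,217.74.48.62): No record for user
Dec 14 08:37:23 server dovecot[185]: auth: Error: od(newsletter,217.74.48.62): verify plain: lookup failed for user: newsletter
Dec 14 08:37:40 server dovecot[185]: auth: Error: od[getpwnam_ext](zabbix,217.74.48.62): No record for user
Dec 14 08:37:57 server dovecot[185]: auth: Error: od(zabbix,217.74.48.62): verify plain: lookup failed for user: zabbix
Dec 14 08:38:31 server dovecot[185]: auth: Error: od[getpwnam_ext](backuppc,217.74.48.62): No record for user
Dec 14 08:38:49 server dovecot[185]: auth: Error: od(informix,217.74.48.62): verify plain: lookup failed for user: informix
Dec 14 08:39:07 server dovecot[185]: auth: Error: od[getpwnam_ext](informix,217.74.48.62): No record for user
""".splitlines()

if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(users)}")
```

The thresholds are the knobs to tune against your own traffic: a window of a few minutes with a low count catches the slow dictionary walk in the question, while a short window with a higher count catches the flood the reply describes.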
