1

Topic: Currently enjoying POP (110) brute force attack

Is there some way to limit connections from a specific IP that attempt to connect a certain number of times in, say, a second?

Thanks in advance.

2

Re: Currently enjoying POP (110) brute force attack

I'm just going to use Fail2Ban. I'll post my findings here.

3

Re: Currently enjoying POP (110) brute force attack

Dovecot supports this.
Try searching for 'connection' in dovecot.conf.

4

Re: Currently enjoying POP (110) brute force attack

Yes, I think it's just applicable for IMAP. I assume you mean:

# IMAP configuration
# number of connections per-user per-IP
mail_max_userip_connections = 10

Correct?

5

Re: Currently enjoying POP (110) brute force attack

It works with both POP3 and IMAP. Reference (search for "mail_max_userip_connections" in the URL below):
http://wiki.dovecot.org/MainConfig

6

Re: Currently enjoying POP (110) brute force attack

ZhangHuangbin wrote:

mail_max_userip_connection

Thanks!

7

Re: Currently enjoying POP (110) brute force attack

glacierdigital wrote:
ZhangHuangbin wrote:

mail_max_userip_connection

Thanks!

A quick follow up for the community, "mail_max_userip_connections" will not work in my case since it's a user+ip combination. Each different user behind the same IP can use up to 10 connections with "mail_max_userip_connections=10".

This attack was a different username each time but from the same IP address (i.e. brute force usernames AND passwords presumably).

I'll post more as I work through this and thanks again to those offering their support.
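The point made in this post, as an added illustration that is not from the thread: counting failures per user+IP (the scope of mail_max_userip_connections) never trips on an attacker who rotates usernames from one address, while counting per source IP (the scope fail2ban bans on) does. The log lines are constructed in Dovecot's pop3-login "auth failed" disconnect format; the maxretry/findtime names mirror fail2ban's and are assumptions, not a Dovecot or fail2ban API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches Dovecot's login-process disconnect line for a failed authentication.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) .*?(?:pop3|imap)-login: "
    r"Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"
)

def _line(sec, user, ip, proto="pop3"):
    # Constructed sample line (RFC 5737 test addresses), not a real capture.
    return (f"Mar 10 12:00:{sec:02d} mail dovecot: {proto}-login: Disconnected "
            f"(auth failed, 1 attempts in 2 secs): user=<{user}>, method=PLAIN, "
            f"rip={ip}, lip=192.0.2.10, session=<constructed>")

# 12 different usernames from one IP (the pattern in this thread), plus two
# failures for a single user from another IP.
SAMPLE_LOG = "\n".join(
    [_line(i, f"user{i}", "203.0.113.7") for i in range(12)]
    + [_line(20, "alice", "198.51.100.5"), _line(21, "alice", "198.51.100.5")]
)

def failed_logins(log_text):
    """Yield (timestamp, user, source_ip) for each POP3/IMAP auth failure."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def offenders(log_text, maxretry=10, findtime=600, per_user=False):
    """Return {key: failures} for keys reaching maxretry failures inside a
    sliding findtime-second window. key is the source IP, or (user, IP) when
    per_user=True, which mimics the user+IP scope of mail_max_userip_connections."""
    window = defaultdict(deque)
    hits = {}
    for ts, user, ip in failed_logins(log_text):
        key = (user, ip) if per_user else ip
        q = window[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop events outside window
            q.popleft()
        if len(q) >= maxretry:
            hits[key] = len(q)
    return hits

if __name__ == "__main__":
    print("per IP:     ", offenders(SAMPLE_LOG))            # {'203.0.113.7': 12}
    print("per user+IP:", offenders(SAMPLE_LOG, per_user=True))  # {}
```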

8

Re: Currently enjoying POP (110) brute force attack

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

9

Re: Currently enjoying POP (110) brute force attack

maxie_ro wrote:

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

Thanks maxie

10

Re: Currently enjoying POP (110) brute force attack

glacierdigital wrote:
maxie_ro wrote:

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

Thanks maxie

So I ended up just limiting pop3, smtp and imap (along with their SSL equivalents) in ufw.

I'll post results as I measure success.