On Monday, 08.06.2009, at 12:58 -0700, Kenneth Porter wrote:
I've temporarily got SELinux set to permissive mode on a fresh install on
CentOS 5. It was blocking Dovecot's access to ~/mail because the files were
labeled file_t. What's the correct way to label these?
restorecon path
Henry
On Friday, 05.06.2009, at 12:04 +1000, James Brown wrote:
Looks like we are under a dictionary login attack on our POP server:
Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth
failed, 1 attempts): user=audrey, method=PLAIN, rip=85.189.169.94,
lip=192.168.1.9
Since
On Friday, 05.06.2009, at 09:24 +0200, Lenthir wrote:
Timo Sirainen wrote:
On Jun 4, 2009, at 10:01 AM, Lenthir wrote:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK POP3 [127.0.0.1] server ready
user krzys
+OK User name accepted, password please
pass
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
Dovecot Version 1.0.7 (CentOS 5.2)
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed
the attacker with
a little script (fail2ban,..).
Henry
-Original Message-
From: dovecot-bounces+laruellec=aiderdonner@dovecot.org
[mailto:dovecot-bounces+laruellec=aiderdonner@dovecot.org] On behalf of
Noel Butler
Sent: Thursday, 4 June 2009 12:48
To: henry ritzlmayr
Cc
Question:
Is there any way to close the connection after the
first wrong user/pass combination. So an attacker would be forced
to reopen it?
I think the growing delay is a better idea.
The idea is good but I guess an option to just disconnect the attacker
wouldn't hurt in the config
On Thursday, 04.06.2009, at 18:27 +0200, Steve wrote:
The idea is good but I guess an option to just disconnect the attacker
wouldn't hurt in the config file?
Is that not the wrong approach? I mean: all you wanted is to have a log entry
showing when there was a username/password
On Thursday, 04.06.2009, at 09:51 -0700, Mark Sapiro wrote:
On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote:
The problem:
If the attacker wouldn't have closed and reopened the connection
no log would have been generated and he/she would have endless
tries. Not even
On Thursday, 04.06.2009, at 12:23 -0400, Timo Sirainen wrote:
On Thu, 2009-06-04 at 18:13 +0200, henry ritzlmayr wrote:
Question:
Is there any way to close the connection after the
first wrong user/pass combination. So an attacker would be forced
to reopen it?
I think