LinuxQuestions.org

Linux - Security: POP3 brute force attack help (http://www.linuxquestions.org/questions/linux-security-4/pop3-brute-force-attack-help-675997/)

glyn3332 10-13-2008 03:49 AM

POP3 brute force attack help
 
Hi guys,

I appear to be facing a brute force attack attempt on my POP3 server. Here is an excerpt from the log file:

Code:

pop3:
    Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=admin: 1 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody: 1 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 1 Time(s)

And also:

Code:

**Unmatched Entries**
    Disconnected, ip=[::ffff:88.191.65.244]: 1 Time(s)
    Disconnected, ip=[::ffff:91.65.20.97]: 1 Time(s)
    LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=alan, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=alex, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=aron, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=brett, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=danny, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=data, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=http, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=httpd, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=mike, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=nobody, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=root, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=sharon, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=test, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=www-data, ip=[::ffff:88.191.65.244]: 1 Time(s)

This has been going on over the weekend as far as I can tell from the logs, and as usual from a different IP daily.

My setup is:
  • CentOS 5
  • Postfix
  • ClamAV with Amavis and Spamassassin
  • Courier for POP3 and IMAP access.

Any help welcome :)

win32sux 10-13-2008 04:04 AM

Maybe install something like Fail2ban?
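As an added example (not code from this thread, and not Fail2ban's own filter or source), here is the check a Fail2ban-style jail performs for the Courier log lines shown in the first post: parse syslog-format `pop3d`/`imapd` "LOGIN FAILED" lines, count failures per client address inside a sliding time window, and emit a firewall block for any address that crosses the threshold. The sample log is constructed from the usernames and addresses quoted above, plus a hypothetical IPv6 client and a legitimate user who mistypes a password once; the exact syslog line layout, the year 2008, the five-failures-in-ten-minutes threshold and the `iptables` command string are assumptions.

```python
"""Added example: per-IP sliding-window detection of POP3/IMAP password
guessing in Courier syslog lines (the logic a Fail2ban jail applies)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Courier pop3d/imapd log a failed login via syslog as (format assumed):
#   Oct 13 03:10:03 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]
# The client is logged as an IPv4-mapped IPv6 address, so the optional
# "::ffff:" prefix is dropped to recover the plain IPv4 address. Plain
# IPv6 clients are captured as-is.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>pop3d|imapd)(?:-ssl)?: LOGIN FAILED, "
    r"user=(?P<user>[^,]*), ip=\[(?:::ffff:)?(?P<ip>[0-9A-Fa-f.:]+)\]$"
)
LOG_YEAR = 2008  # syslog omits the year; assumed from the thread's date

# Constructed sample log (not from the original post): one address cycling
# through usernames, one real user mistyping a password once, and an IPv6
# client whose five failures never fall inside a single ten-minute window.
SAMPLE_LOG = """\
Oct 13 03:10:02 mail pop3d: Connection, ip=[::ffff:88.191.65.244]
Oct 13 03:10:03 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]
Oct 13 03:10:21 mail pop3d: LOGIN FAILED, user=alan, ip=[::ffff:88.191.65.244]
Oct 13 03:10:40 mail pop3d: LOGIN FAILED, user=alex, ip=[::ffff:88.191.65.244]
Oct 13 03:10:58 mail pop3d: LOGIN FAILED, user=aron, ip=[::ffff:88.191.65.244]
Oct 13 03:11:15 mail imapd: LOGIN FAILED, user=brett, ip=[::ffff:88.191.65.244]
Oct 13 03:11:33 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:88.191.65.244]
Oct 13 03:11:34 mail pop3d: Disconnected, ip=[::ffff:88.191.65.244]
Oct 13 03:12:07 mail pop3d: LOGIN FAILED, user=glyn, ip=[::ffff:91.65.20.97]
Oct 13 03:12:30 mail pop3d: LOGIN, user=glyn, ip=[::ffff:91.65.20.97]
Oct 13 03:12:31 mail pop3d: LOGOUT, user=glyn, ip=[::ffff:91.65.20.97], top=0, retr=0
Oct 13 03:20:00 mail pop3d: LOGIN FAILED, user=test, ip=[2001:db8::5]
Oct 13 03:22:00 mail pop3d: LOGIN FAILED, user=www-data, ip=[2001:db8::5]
Oct 13 03:24:00 mail pop3d: LOGIN FAILED, user=nobody, ip=[2001:db8::5]
Oct 13 03:45:00 mail pop3d: LOGIN FAILED, user=data, ip=[2001:db8::5]
Oct 13 03:47:00 mail pop3d: LOGIN FAILED, user=http, ip=[2001:db8::5]
"""


def parse_failures(lines):
    """Yield (timestamp, ip, user, daemon) for every LOGIN FAILED line.
    Connection/Disconnected/LOGIN/LOGOUT lines do not match and are skipped."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m.group("ip"), m.group("user"), m.group("daemon")


def failures_by_ip(lines):
    """Plain total of failed logins per client IP (what logwatch reports)."""
    totals = defaultdict(int)
    for _, ip, _, _ in parse_failures(lines):
        totals[ip] += 1
    return dict(totals)


def find_offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: info} for every client that reaches max_failures inside
    any sliding window of the given length. Lines are assumed to be in
    chronological order, as syslog writes them."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried
    offenders = {}
    for ts, ip, user, _ in parse_failures(lines):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders[ip] = {"first_seen": q[0], "triggered_at": ts}
    for ip in offenders:
        offenders[ip]["users"] = sorted(users[ip])
    return offenders


def block_commands(offenders):
    """Firewall rules a ban action would run (command string assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(f"{ip}: {len(info['users'])} usernames tried, "
              f"{info['first_seen']:%H:%M:%S}..{info['triggered_at']:%H:%M:%S}")
    for cmd in block_commands(found):
        print(cmd)
```

Two points the logwatch totals in the post cannot show: the sliding window separates a burst of guesses from a user who fumbles a password a few times across the day, and the regex has to strip Courier's `::ffff:` prefix or the ban would be issued against an address form the firewall does not match. A per-IP threshold also does nothing against the "different IP daily" pattern the poster describes; for that, the same window logic keyed on the username being tried is the usual complement.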

glyn3332 10-13-2008 05:12 AM

I already have sshdfilter installed on the box to cover SSH attacks so I was hoping for a solution that just covers POP and IMAP access before I go changing it around. But I will test it on my local machine as I can't get sshdfilter to work on it.

Cheers :)
