LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-13-2008, 03:49 AM   #1
glyn3332
LQ Newbie
 
Registered: Oct 2008
Posts: 21

Rep: Reputation: 15
POP3 brute force attack help


Hi guys,

I appear to be facing a brute force attack attempt on my POP3 server. Here is an excerpt from the log file:

Code:
 pop3:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=admin: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody: 1 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 1 Time(s)
And also:

Code:
**Unmatched Entries**
    Disconnected, ip=[::ffff:88.191.65.244]: 1 Time(s)
    Disconnected, ip=[::ffff:91.65.20.97]: 1 Time(s)
    LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=alan, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=alex, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=aron, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=brett, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=danny, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=data, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=http, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=httpd, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=mike, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=nobody, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=root, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=sharon, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=test, ip=[::ffff:88.191.65.244]: 1 Time(s)
    LOGIN FAILED, user=www-data, ip=[::ffff:88.191.65.244]: 1 Time(s)
This has been going on over the weekend, as far as I can tell from the logs, and as usual from a different IP daily.

My setup is:
  • CentOS 5
  • Postfix
  • ClamAV with Amavis and Spamassassin
  • Courier for POP3 and IMAP access.

Any help welcome
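The excerpt above is a logwatch summary; the raw lines Courier's pop3d/imapd write to the mail log look like "pop3d: LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]". The following is an added example, not code from the thread or from Courier or Fail2ban: it does in miniature what a log-based blocker has to do for this traffic, namely match the failure line (written in Fail2ban failregex style with a <HOST> placeholder), strip the IPv4-mapped "::ffff:" prefix so the address is usable in an iptables rule, count failures per client inside a sliding time window, and emit a block rule once a threshold is crossed. The sample log lines, the year (syslog timestamps carry none), the threshold of 5 failures in 600 seconds and the port list are all assumptions.

```python
"""Sliding-window detection of POP3/IMAP password guessing in Courier logs.

Added example (not from the original thread). Threshold, window, year,
port list and the sample log are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address

# Constructed sample of raw Courier lines in syslog format (not real traffic):
# a fast guesser on POP3, a legitimate login, and a slow guesser on IMAP.
SAMPLE_LOG = """\
Oct 13 03:12:01 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:88.191.65.244]
Oct 13 03:12:03 mail pop3d: Disconnected, ip=[::ffff:88.191.65.244]
Oct 13 03:12:09 mail pop3d: LOGIN FAILED, user=alan, ip=[::ffff:88.191.65.244]
Oct 13 03:12:15 mail pop3d: LOGIN FAILED, user=alex, ip=[::ffff:88.191.65.244]
Oct 13 03:12:21 mail pop3d: LOGIN FAILED, user=aron, ip=[::ffff:88.191.65.244]
Oct 13 03:12:27 mail pop3d: LOGIN FAILED, user=brett, ip=[::ffff:88.191.65.244]
Oct 13 03:12:33 mail pop3d: LOGIN FAILED, user=danny, ip=[::ffff:88.191.65.244]
Oct 13 03:12:39 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:88.191.65.244]
Oct 13 03:15:00 mail pop3d: LOGIN, user=glyn, ip=[::ffff:10.0.0.5], port=[51234]
Oct 13 04:00:00 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:91.65.20.97]
Oct 13 04:20:00 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:91.65.20.97]
Oct 13 04:40:00 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:91.65.20.97]
Oct 13 05:00:00 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:91.65.20.97]
Oct 13 05:20:00 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:91.65.20.97]
Oct 13 05:20:05 mail imapd-ssl: Disconnected, ip=[::ffff:91.65.20.97]
"""

# Syslog prefix (timestamp, host, program); a [pid] suffix is tolerated.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<prog>(?:pop3d|imapd)(?:-ssl)?)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Failure pattern written the way a Fail2ban failregex is written. <HOST> is
# expanded here similarly to how Fail2ban expands it, with the IPv4-mapped
# "::ffff:" prefix optional so the captured host is the plain IPv4 address.
FAILREGEX = r"LOGIN FAILED, user=(?P<user>\S+), ip=\[<HOST>\]"
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[0-9A-Fa-f:.]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps have no year; the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def normalize_host(host: str) -> str:
    """Collapse ::ffff:a.b.c.d to a.b.c.d (what iptables wants); leave real
    IPv6 and plain IPv4 untouched. Belt and braces for prefixes the regex
    did not strip, e.g. upper-case ::FFFF:."""
    addr = ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else str(addr)


def find_bruteforcers(log_text: str, maxretry: int = 5, findtime: int = 600,
                      year: int = 2008) -> dict:
    """Return {ip: {failures, users, services, banned_at}} for every client
    that failed at least once; banned_at is set the first time maxretry
    failures fall inside a findtime-second window (Fail2ban semantics)."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    report = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a Courier POP3/IMAP line
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue  # Disconnected, successful LOGIN, etc.
        ip = normalize_host(f.group("host"))
        when = parse_ts(m.group("ts"), year)
        entry = report.setdefault(ip, {"failures": 0, "users": set(),
                                       "services": set(), "banned_at": None})
        entry["failures"] += 1
        entry["users"].add(f.group("user"))
        entry["services"].add(m.group("prog"))
        q = window[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures that fell out of the window
        if entry["banned_at"] is None and len(q) >= maxretry:
            entry["banned_at"] = when
    return report


def block_rules(report: dict, ports: str = "110,143,993,995") -> list:
    """iptables rules for banned clients, limited to the mail-access ports
    (assumed port list) so the ban does not touch SSH or SMTP delivery."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {ports} -j DROP"
            for ip, e in sorted(report.items()) if e["banned_at"]]


if __name__ == "__main__":
    result = find_bruteforcers(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        state = f"BAN at {e['banned_at']}" if e["banned_at"] else "below threshold"
        print(f"{ip:16} {e['failures']:3} failures, {len(e['users'])} users, "
              f"{'/'.join(sorted(e['services']))}: {state}")
    for rule in block_rules(result):
        print(rule)
```

Two points worth noting when turning this into a real filter: the slow guesser at 91.65.20.97 never trips a 5-in-600-seconds threshold, which is exactly the "different IP daily" pattern in the post, so a long findtime or a count of distinct usernames per client catches more than a short burst window does; and the address must be reduced from the IPv4-mapped form before it reaches iptables, otherwise the rule is written for an IPv6 address that never appears on the wire.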
 
Old 10-13-2008, 04:04 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Maybe install something like Fail2ban?
 
Old 10-13-2008, 05:12 AM   #3
glyn3332
LQ Newbie
 
Registered: Oct 2008
Posts: 21

Original Poster
Rep: Reputation: 15
I already have sshdfilter installed on the box to cover SSH attacks so I was hoping for a solution that just covers POP and IMAP access before I go changing it around. But I will test it on my local machine as I can't get sshdfilter to work on it.

Cheers
 