Like it or not, this is going to be a common event when running a mail server and is an example of the importance of using good, strong passwords. Should an intruder manage to guess a user account name, they will undoubtedly be attempting to guess the password. This is commonly referred to as a "brute force" or "dictionary" attack.
There is an application called fail2ban, which will greatly slow them down. Fail2ban works by monitoring your logs for failure expressions such as the ones in your log entry. When a set number of failures, typically 3-5, occur within a short period of time, the offending IP address is placed on a (temporary) ban list via hosts.deny and/or iptables (firewall). This will block all connections from the perpetrator for the specified amount of time. So, for example, you could limit them to 3 attempts every 4 hours, which means that attempting to guess an acceptable user name and password is going to take a prohibitively long time. The idea is to make the cost of entry such that it is not worth the expenditure of the effort.
If the problem persists, you can block that particular IP and/or ISP. While a persistent attacker will work around this, it may be enough to make them go away.
Edit: one thing to note is that this attack is an attempt to get at the user's mailboxes through Dovecot (your POP/IMAP server), which is different from going via your SMTP server. Depending on your setup, you may be able to increase the restrictions, such as limiting the addresses (such as to your local LAN) that Dovecot will even listen to.
Last edited by Noway2; 10-03-2011 at 03:37 PM.
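To make the counting rule in the post above concrete, here is an added example (not part of the original post, and not fail2ban's own code) that implements the same sliding-window logic in Python: scan Dovecot login-failure lines, count failures per source IP inside a time window, and mark an IP for banning once it reaches the threshold. The parameter names `maxretry` and `findtime` mirror the fail2ban settings of the same name; the log lines are constructed for this example in the shape of Dovecot 2.x `imap-login`/`pop3-login` "auth failed" messages, and the regex is an assumption written for those lines, not fail2ban's bundled `dovecot` filter. The year is supplied by the caller because syslog timestamps lack one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in chronological order, mimicking Dovecot 2.x syslog output.
# 198.51.100.9 fails three times spread over more than four hours (should NOT be banned
# with a 4h window); 203.0.113.5 fails three times within seconds (should be banned).
SAMPLE_LOG = [
    "Oct  3 09:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, session=<a1>",
    "Oct  3 13:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, session=<a2>",
    "Oct  3 13:45:12 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, mpid=1234, TLS",
    "Oct  3 14:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<c1>",
    "Oct  3 14:00:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<c2>",
    "Oct  3 14:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<c3>",
    "Oct  3 14:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<c4>",
    "Oct  3 14:10:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, session=<a3>",
]

# Assumed pattern for a failed Dovecot login: syslog timestamp, host, the login process,
# the "auth failed" reason, then the remote IP in the rip= field. Successful logins
# ("Login:") do not match and are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:pop3|imap)-login: Disconnected \(auth failed, \d+ attempts[^)]*\):"
    r".*?\brip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def ips_to_ban(log_lines, maxretry=3, findtime_hours=4, year=2011):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures in findtime_hours.

    Uses a per-IP deque of failure timestamps as a sliding window: on each new failure
    the oldest entries that fell out of the window are dropped before counting, so
    failures spread thinly over a long period never add up to a ban (the edge case the
    post's "3 attempts every 4 hours" rule is meant to express).
    """
    findtime = timedelta(hours=findtime_hours)
    recent = defaultdict(deque)
    banned = {}
    for line in log_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in banned:
            continue  # already on the ban list; further failures need no counting
        # Collapse the double space syslog puts before single-digit days before parsing.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_actions(ip):
    """The two ban mechanisms the post mentions, rendered as text for review.

    Returns the hosts.deny entry and the iptables command that would block the IP;
    this example only produces the strings, it does not apply them.
    """
    return (f"ALL: {ip}", f"iptables -I INPUT -s {ip} -j DROP")


if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"{when.isoformat()} ban {ip}")
        for action in ban_actions(ip):
            print("   ", action)
```

Run against the constructed sample, only 203.0.113.5 is banned, at the moment of its third failure; 198.51.100.9 is not, because its first failure has aged out of the four-hour window by the time the third arrives. Widening the window to six hours, or lowering `maxretry`, changes that verdict, which is exactly the trade-off the post describes between slowing an attacker and locking out a forgetful legitimate user.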