

Dovecot Brute Force




Posted by mixmox, 09-21-2013, 01:28 AM
Hello, these logs are sent to me by logwatch. How can I fix the problem? It's nearly 12000 lines.

dovecot[2895]: auth-worker(16753): shadow(access,91.183.99.84): unknown user: 32 Time(s)
dovecot[2895]: auth-worker(16753): shadow(account,91.183.99.84): unknown user: 32 Time(s)
dovecot[2895]: auth-worker(16753): shadow(admin,91.183.99.84): Password mismatch: 32 Time(s)
dovecot[2895]: auth-worker(16753): shadow(administrador,91.183.99.84): unknown user: 9 Time(s)
dovecot[2895]: auth-worker(16753): shadow(administrator,91.183.99.84): unknown user: 22 Time(s)
dovecot[2895]: auth-worker(16753): shadow(alfredo,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(angel,91.183.99.84): unknown user: 9 Time(s)
dovecot[2895]: auth-worker(16753): shadow(antonio,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(backup,91.183.99.84): unknown user: 31 Time(s)
dovecot[2895]: auth-worker(16753): shadow(bill,91.183.99.84): unknown user: 9 Time(s)
dovecot[2895]: auth-worker(16753): shadow(carmelo,91.183.99.84): unknown user: 9 Time(s)
dovecot[2895]: auth-worker(16753): shadow(clark,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(client,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(club,91.183.99.84): unknown user: 8 Time(s)
dovecot[2895]: auth-worker(16753): shadow(company,91.183.99.84): unknown user: 9 Time(s)
dovecot[2895]: auth-worker(16753): shadow(contact,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(contas,91.183.99.84): unknown user: 10 Time(s)
dovecot[2895]: auth-worker(16753): shadow(cs,91.183.99.84): unknown user: 10 Time(s)

Posted by McBane, 09-21-2013, 01:37 AM
You want one of these: http://www.rfxn.com/projects/brute-force-detection/ http://www.fail2ban.org/

Posted by mixmox, 09-22-2013, 02:36 AM
BFD: it scans all logs every 3 min to check for brute force and detect some IPs. What will BFD do after it detects the IPs? Add them to iptables and ban them from server service access?

Posted by net, 09-22-2013, 02:50 AM
You can also try CSF: http://configserver.com/cp/csf.html Works well for us.

Posted by mixmox, 09-22-2013, 09:29 AM
Which CSF option checks Dovecot for brute force?

Posted by CharmServer, 09-22-2013, 09:57 AM
CSF includes LFD, which checks for failed e-mail logins. Just disable the testing mode in /etc/csf/csf.conf, restart CSF, and it will work fine.

Posted by Cloud-Shield, 09-22-2013, 10:38 AM
Do you have cPanel installed? If you do, I would recommend installing CSF (as well as LFD) and configuring its fail-attempt IP blacklisting.

Posted by McBane, 09-22-2013, 05:52 PM
That's what I have it do. You can set it to do whatever you want basically, but I just have it ban the IP with iptables.

Posted by Kailash12, 09-23-2013, 02:24 AM
Install CSF firewall as suggested and configure login failure for email, FTP, SSH etc. This should prevent brute force login from the same IP address.

Posted by jamesbond879, 09-24-2013, 07:23 AM
I would recommend installing CSF (as well as LFD) and configuring its fail-attempt IP blacklisting.
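
The tools recommended in this thread work by counting login failures per source IP and acting once a limit is crossed. The following is an added example, not code from the thread or from BFD, fail2ban or CSF/LFD, that applies that counting to the logwatch summary lines in the first post; the function names, the thresholds and the 203.0.113.7 line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Logwatch summary format seen in the first post:
#   dovecot[PID]: auth-worker(PID): shadow(USER,IP): REASON: N Time(s)
LINE_RE = re.compile(
    r"dovecot\[\d+\]: auth-worker\(\d+\): \w+\((?P<user>[^,()]*),"
    r"(?P<ip>[0-9a-fA-F.:]+)\): "
    r"(?P<reason>unknown user|Password mismatch): (?P<count>\d+) Time\(s\)"
)

def summarize(lines):
    """Aggregate failed Dovecot logins per source IP."""
    stats = defaultdict(lambda: {"failures": 0, "unknown": 0, "users": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a Dovecot auth-failure summary line
        entry = stats[m["ip"]]
        n = int(m["count"])
        entry["failures"] += n
        entry["users"].add(m["user"])
        if m["reason"] == "unknown user":
            entry["unknown"] += n  # guessing at account names, not a typo
    return stats

def block_candidates(stats, max_failures=20, max_users=5):
    """IPs over either limit. Both limits are assumed values; tune per site."""
    return sorted(
        ip for ip, s in stats.items()
        if s["failures"] >= max_failures or len(s["users"]) >= max_users
    )

# First four lines are copied from the post; the last one is constructed
# (documentation-range IP) to show a normal user mistyping a password.
SAMPLE = [
    "dovecot[2895]: auth-worker(16753): shadow(access,91.183.99.84): unknown user: 32 Time(s)",
    "dovecot[2895]: auth-worker(16753): shadow(account,91.183.99.84): unknown user: 32 Time(s)",
    "dovecot[2895]: auth-worker(16753): shadow(admin,91.183.99.84): Password mismatch: 32 Time(s)",
    "dovecot[2895]: auth-worker(16753): shadow(administrador,91.183.99.84): unknown user: 9 Time(s)",
    "dovecot[2895]: auth-worker(16753): shadow(alice,203.0.113.7): Password mismatch: 2 Time(s)",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in block_candidates(stats):
        s = stats[ip]
        print(f"{ip}: {s['failures']} failures, {len(s['users'])} usernames tried")
```

Many different usernames from one address, most of them unknown, is what separates this pattern from a legitimate user with a wrong password.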


