Mailcow-dockerized: Brute-Force Attack (Dovecot) on fresh Mailcow install

Created on 4 Oct 2018 · 8 Comments · Source: mailcow/mailcow-dockerized

Is there any solution for banning such attacks?

```
pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12

4.10.2018, 21:38:21 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:21 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:21 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:21 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:20 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:20 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:20 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:20 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:19 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:19 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
4.10.2018, 21:38:19 | info | pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=185.21.146.10, lip=172.22.1.12
```

All 8 comments

Can you please show netfilter-mailcow logs?

Hm, I'm not sure, but iirc we removed "Aborted login (auth failed" because it was triggered without the attacker even coming so far that he needed a password. And to prevent false positives we removed it. Need to check the history.

It is missing the method, I _guess_ that it was a scripted plain-text bruteforce that never actually worked. But yes, it is still annoying. @mkuron what do you think, should it be added?

OK, that's not good for a public mailserver.
So anyone can attack easily dovecot...
Is there any easy solution to prevent these attacks?

> So anyone can attack easily dovecot...

What? Please check my message above. It never used TLS, it was never allowed to authenticate. netfilter-mailcow bans real attacks, this was an annoying "attack" that spams logs and blocks workers (kind of), but it was not dangerous.

> So anyone can attack easily dovecot...

Are you for real? Did you look at any of your web services and login attempts there? By these standards EVERYTHING can be "easily attacked".

Not a nice atmosphere here...
So I have to switch to a better Mail Solution.

Actually this will happen with every mailserver you will host. There are bots who are trying every port and therefore mail ports as well. It's not dangerous at all when you have secure passwords, no software with known exploits and more.

You could whitelist every IP by hand before allowing to connect 8)

EDIT: Wait, that would create logs saying connection attempt was blocked because of not whitelisted IP...
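
Added example (not part of the thread and not netfilter-mailcow's code): a Python parser for the `Aborted login` lines in the format shown in the issue. It reports, per source IP, how many failed attempts were logged with an empty `user=` field versus a named account, and whether they form a burst. The threshold, window and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as shown in the issue; "<>" around the user, if present, is stripped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}\.\d{1,2}\.\d{4}, \d{2}:\d{2}:\d{2}) \| \w+ \| (?P<svc>[\w-]+): "
    r"Aborted login \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=(?P<user>[^,]*), rip=(?P<rip>[^,]+), lip=\S+")

def parse(line):
    """Return (timestamp, service, user, remote_ip, attempts), or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d.%m.%Y, %H:%M:%S")
    return ts, m["svc"], m["user"].strip("<>"), m["rip"], int(m["n"])

# threshold and window are illustrative assumptions, not netfilter-mailcow settings.
def summarize(lines, threshold=10, window=timedelta(seconds=60)):
    """Per source IP: failed attempts without/with a username, and a burst flag."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, _svc, user, rip, n = rec
        events[rip].append((ts, user, n))
    report = {}
    for rip, evs in events.items():
        evs.sort(key=lambda e: e[0])  # the log view in the issue is newest first
        over, start, running = False, 0, 0
        for ts, _user, n in evs:
            running += n
            while ts - evs[start][0] > window:  # drop events older than the window
                running -= evs[start][2]
                start += 1
            over = over or running >= threshold
        report[rip] = {"no_user": sum(n for _, u, n in evs if not u),
                       "with_user": sum(n for _, u, n in evs if u),
                       "over_threshold": over}
    return report

# Constructed sample lines in the issue's format (documentation IP ranges).
FMT = ("4.10.2018, 21:38:21 | info | {}: Aborted login (auth failed, {} attempts "
       "in {} secs): user={}, rip={}, lip=172.22.1.12")
SAMPLE = [FMT.format("pop3-login", 1, 0, "", "198.51.100.7")] * 11 + [
    FMT.format("imap-login", 3, 6, "<alice@example.org>", "203.0.113.5")]

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE).items():
        print(ip, stats)
```

Keeping the two counters separate lets a ban rule weight failures against named accounts differently from connections that never supplied a username.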
