1 Topic by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Topic: Currently enjoying POP (110) brute force attack

Is the some way to limit connections from a specific IP that attempt to connect a certain number of times in say, a second?

Thanks in advance.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

I'm just going to use Fail2Ban. I'll post my findings here.

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Currently enjoying POP (110) brute force attack

Dovecotsupports this.
Try to search 'connection' in dovecot.conf.

4 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

Yes, I think it's just applicable in for IMAP. I assume you mean:

# IMAP configuration
# number of connections per-user per-IP
mail_max_userip_connections = 10

Correct?

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Currently enjoying POP (110) brute force attack

It works with both POP3 and IMAP. Reference (Search "mail_max_userip_connections" in below URL):
http://wiki.dovecot.org/MainConfig

6 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

ZhangHuangbin wrote:

mail_max_userip_connection

Thanks!

7 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

glacierdigital wrote:
ZhangHuangbin wrote:

mail_max_userip_connection

Thanks!

A quick follow up for the community, "mail_max_userip_connections" will not work in my case since it's a user+ip combination. Each different user behind the same IP can use up to 10 connections with "mail_max_userip_connections=10".

This attack was a different username each time but from the same IP address (i.e. brute force usernames AND passwords presumably).

I'll post more as I work through this and thanks again to those offering their support.

8 Reply by maxie_ro

  • maxie_ro
  • Member
  • Offline
  • From: Constanţa, România
  • Registered: 2009-10-09
  • Posts: 214

Re: Currently enjoying POP (110) brute force attack

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

9 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

maxie_ro wrote:

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

Thanks maxie

10 Reply by glacierdigital

  • glacierdigital
  • glacierdigital
  • Member
  • Offline
  • From: Canada
  • Registered: 2011-01-26
  • Posts: 33

Re: Currently enjoying POP (110) brute force attack

glacierdigital wrote:
maxie_ro wrote:

Fail2ban, ban it for 12 hours after 10 failed login attempts and that will do it.

Thanks maxie

So I ended up just limiting pop3, smtp and imap (along with their SSL equivalents) in ufw.

I'll post results as I measure success.