Date:  Mon, 29 Sep 2008 11:50:21 -0400
From:  MuntadaNet Webmaster <webmaster (at mark) muntada.com>
Subject:  [coba-e:14108] Dovecot Attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200809291550.m8TFoOU9010309 (at mark) huda.muntadanet.com>
X-Mail-Count: 14108

I have an offending IP who is attacking dovecot.  The log looks like this:

Sep 29 11:48:40 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<eddie>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227

The user keeps changing as it cycles through.

Now, I have run the following command:

iptables -A INPUT -s 65.69.251.9 -j DROP

However, it still keeps occurring.

I am running denyHosts and I run the dfix.sh script.

What am I doing wrong and what else do I need to do?

After a while, no one can check their email as it destroys dovecot.

-Rashid
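
Added example, not part of the original message: a small Python parser for the "Aborted login" line format quoted above that totals attempts per remote IP and flags addresses cycling through several usernames. The function names, the min_users threshold, and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the pop3-login / imap-login "Aborted login" line format quoted in the message.
LINE_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login "
    r"\((?P<n>\d+) authentication attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)"
)

# First line is the one from the message; the rest are constructed sample data
# (198.51.100.7 and 192.0.2.10 are documentation-range addresses).
SAMPLE_LOG = """\
Sep 29 11:48:40 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<eddie>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:48:42 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edgar>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:48:44 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edith>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:48:46 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edward>, method=PLAIN, rip=65.69.251.9, lip=216.14.86.227
Sep 29 11:49:01 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=216.14.86.227
Sep 29 11:49:09 huda dovecot: pop3-login: Aborted login (1 authentication attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=216.14.86.227
Sep 29 11:49:15 huda dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10, lip=216.14.86.227
"""


def summarize(log_text):
    """Map each remote IP to its total aborted attempts and the usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m.group("rip")]
        entry["attempts"] += int(m.group("n"))
        entry["users"].add(m.group("user"))
    return stats


def username_cyclers(log_text, min_users=3):
    """Remote IPs whose aborted logins span at least min_users distinct usernames.

    One user mistyping a password repeats a single name; a guessing run
    walks through many names from one address, as the message describes.
    """
    stats = summarize(log_text)
    return sorted(ip for ip, e in stats.items() if len(e["users"]) >= min_users)


if __name__ == "__main__":
    for ip in username_cyclers(SAMPLE_LOG):
        e = summarize(SAMPLE_LOG)[ip]
        print(f"{ip}: {e['attempts']} aborted attempts, {len(e['users'])} usernames")
```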