
Date:  Tue, 25 Nov 2008 22:04:39 +0000
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:14385] Re: Dovecot/POP3 Flood
To:  coba-e (at mark) bluequartz.org
Message-Id:  <492C7677.3060200 (at mark) dogsbody.org>
In-Reply-To:  <200811250602.mAP62ZIj095660 (at mark) info.eis.net.au>
References:  <200811250602.mAP62ZIj095660 (at mark) info.eis.net.au>
X-Mail-Count: 14385


> I am still having problems with these brute force attacks, the problem seems
> to be that dovecot is spawning too many processes->PAM requests before the
> intrusion detection program has noticed. Is there a way to hard code the
> number of simultaneous running dovecot processes to give time for the
> blocking scripts to respond? Something like 50 dovecot pop3-login processes
> at once should be heaps.

I can't post details at the moment but another alternative is a good 
iptables firewall for your boxes that use the recent module as you can 
literally block an attack like this on the fourth connection.

See post coba-e:09907 in the archives for details.

Dan
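
One way to write the kind of rule the reply describes, as an added example that is not part of the original message and is not the rule set from post coba-e:09907: two iptables rules using the recent match that drop a source address's fourth new POP3 connection. The port (110), the 60-second window, the list name pop3flood and the INPUT chain are assumptions.

```shell
#!/bin/sh
# Added example: per-source rate limit for new POP3 connections using the
# iptables "recent" match. All values below are assumptions, not taken from
# the thread, except the "fourth connection" threshold.

PORT=110          # POP3 (assumed; repeat the rules for 995 if POP3S is exposed)
WINDOW=60         # seconds over which connections are counted (assumed)
HITS=4            # the 4th new connection inside WINDOW is dropped
LIST=pop3flood    # hypothetical name for the recent list

# Emit the rules in the order they must sit in the chain.
pop3_flood_rules() {
    # Rule 1: record the source address of every NEW connection to PORT.
    # It has no target, so the packet falls through to rule 2.
    echo "iptables -A INPUT -p tcp --dport $PORT -m state --state NEW" \
         "-m recent --name $LIST --set"

    # Rule 2: if this source now has HITS or more entries inside WINDOW,
    # drop the packet. --update also refreshes the entry, so a source that
    # keeps hammering stays blocked until it goes quiet for WINDOW seconds.
    echo "iptables -A INPUT -p tcp --dport $PORT -m state --state NEW" \
         "-m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP"
}

# Default is a dry run that prints the rules; "apply" (as root) installs them.
# Both rules must come before the rule that accepts POP3 traffic.
if [ "${1:-}" = "apply" ]; then
    pop3_flood_rules | sh -e
else
    pop3_flood_rules
fi
```

Because the limit is per source address, mail clients that share one address behind NAT or a webmail front end count together, so such addresses may need an ACCEPT rule placed ahead of these two.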