Login attack on cyrus imap
Chris St. Pierre
stpierre at NebrWesleyan.edu
Fri Nov 3 08:42:43 EST 2006
Take Ben's advice. Use fail2ban, FUT, or any of the other programs
out there that are designed for this. If the attacker is using a
single IP address, fail2ban (properly configured) should block them in
under a second.

There's probably a way to prevent Cyrus from taking too many
connections, but that still allows a DoS attack -- if the attacker is
using up all of your available connections, no real customer can get
on. It also uses up a bunch of system resources, unnecessarily.

Don't limit the attacker -- ban them.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 2 Nov 2006, Jim John wrote:
>I found out that it was a single IP from the log
>files. That person (or bot) logs into the POP3 server
>and tries to authenticate itself. The problem is that
>it logs in as a different user each time and does A LOT
>of these logins per second, causing LDAP to overload
>with connections. Is there any way to limit the number
>of connections in the cyrus server using some config
>parameter? Thanks.
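The ban decision a log watcher such as fail2ban makes for the pattern in this thread (one address, many failed POP3 logins per second, a different user each time), sketched as an added example that is not part of either message and is not fail2ban's own code. The log lines are constructed in the style of Cyrus "badlogin" syslog entries; the function name, the 10-second window, the threshold of 5 and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix, then a Cyrus-style "badlogin:" entry: optional hostname,
# client address in brackets, mechanism, attempted user, SASL failure code.
LINE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ \S+\[\d+\]: "
    r"badlogin: \S* ?\[([0-9a-fA-F.:]+)\] \S+ (\S+) SASL\(-13\)")

def find_offenders(lines, window_s=10, max_fail=5, year=2006):
    """Return {ip: (time the threshold was reached, distinct users tried)}."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs inside the window
    offenders = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        mon, day, clock, ip, user = m.groups()
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_fail and ip not in offenders:
            offenders[ip] = (ts, len({u for _, u in q}))
    return offenders

# Constructed sample input (documentation address ranges, invented users).
FAIL = "SASL(-13): authentication failure: checkpass failed"
SAMPLE = [
    # a real user mistyping a password once, then logging in
    f"Nov  2 10:14:50 mail pop3[2090]: badlogin: pc.example.org [198.51.100.5] plaintext jim {FAIL}",
    "Nov  2 10:15:30 mail pop3[2120]: login: pc.example.org [198.51.100.5] jim plaintext User logged in",
] + [
    # one address, six failures in two seconds, a different user each time
    f"Nov  2 10:15:0{1 + i // 3} mail pop3[{2100 + i}]: badlogin: [192.0.2.77] plaintext {u} {FAIL}"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]

if __name__ == "__main__":
    for ip, (when, users) in find_offenders(SAMPLE).items():
        print(f"ban {ip}: threshold reached at {when}, {users} distinct users tried")
```

The single mistyped password from 198.51.100.5 never reaches the threshold, so only the address cycling through usernames is returned for banning.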
More information about the Info-cyrus mailing list