Login attack on cyrus imap

Uwe Hering uhering_forward at hhrm.de
Wed Nov 8 06:50:06 EST 2006


Hi,

I did get good results in similar situations using the netfilter match
"iplimit", fast solution if you are using ip filtering anyway.

Have a look here:


http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.5


Uwe

> Take Ben's advice.  Use fail2ban, FUT, or any of the other programs out
> there that are designed for this.  If the attacker is using a single IP
> address, fail2ban (properly configured) should block them in under a
> second.
>
> There's probably a way to prevent Cyrus from taking too many
> connections, but that still allows a DoS attack -- if the attacker is
> using up all of your available connections, no real customer can get on.
> It also uses up a bunch of system resources, unnecessarily. Don't limit
> the attacker -- ban them.
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
> On Thu, 2 Nov 2006, Jim John wrote:
>
>>I found out that it was a single IP from the log
>>files. That person (or bot) logs into the POP3 server
>>and tries to authenticate itself. The problem is that
>>it logs in as a different user each time and does A LOT
>>of these logins per second, causing LDAP to overload
>>with connections. Is there any way to limit the number
>>of connections in the cyrus server using some config
>>parameter? Thanks.
>>
>>----
>>Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>
>
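
Added example, not part of the original thread: a sliding-window check for the pattern described above (one IP failing logins as many different users within seconds), which is the kind of condition a log-driven ban tool keys on. The syslog line shape, the sample lines and the names `BADLOGIN`, `find_sprayers` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a Cyrus failed-login syslog line (not taken from the thread).
BADLOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: "
    r"badlogin: (?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\] \S+ (?P<user>\S+) ")

def find_sprayers(lines, window=timedelta(seconds=10), max_users=5, year=2006):
    """Return {ip: peak distinct-user count} for every IP that failed logins
    as more than max_users different users inside one sliding window."""
    recent = defaultdict(deque)          # ip -> deque of (timestamp, user)
    flagged = {}
    for line in lines:
        m = BADLOGIN.match(line)
        if not m:
            continue                     # not a failed login, ignore
        # syslog pads single-digit days with an extra space; normalise it
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:     # drop entries older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) > max_users:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(users))
    return flagged

# Constructed sample: 192.0.2.10 tries 8 different users in 2 seconds,
# 198.51.100.7 is one real user mistyping a password twice.
TAIL = "SASL(-13): authentication failure: checkpass failed"
SAMPLE_LOG = [
    f"Nov  2 10:15:{i // 4:02d} mail pop3[{2200 + i}]: "
    f"badlogin: [192.0.2.10] plaintext user{i} {TAIL}"
    for i in range(8)
] + [
    f"Nov  2 10:15:0{s} mail pop3[2300]: "
    f"badlogin: pc7.example.org [198.51.100.7] plaintext alice {TAIL}"
    for s in (3, 9)
]

if __name__ == "__main__":
    for ip, count in find_sprayers(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct users inside the window")
```

Counting distinct usernames rather than raw failures keeps a single user who mistypes a password from being flagged.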







More information about the Info-cyrus mailing list