
Today I had a brazen attack on my pop3-dovecot server and the mail log is full (over 200MB) with this kind of information:

Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<shawn>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<shop>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<sitetest>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<solar>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:15 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<services>, method=PLAIN, rip=200.233.152.111, lip=myip

I just blocked the attacker's IP with iptables:

-A INPUT -s 200.233.152.111 -j DROP

But this can be continued anytime from other IPs.

My question is: is there any method to disallow anyone from connecting to my pop3 server (except only me)? Because my IP is dynamic on the ISP's side, I don't know how to make the pop3 server know that it is exactly me connecting. Thank you in advance!

Ken Tang

2 Answers

2

The answer to your exact question would be to set up a VPN (e.g. by installing and configuring OpenVPN) and then configuring Dovecot and/or iptables so that only those who are connected through the VPN can access the POP3 service.

However, another course of action that you may want to follow is installing fail2ban so that a single IP attempting too many failed connections, such as one that is carrying out a brute-force attack, is disallowed from connecting again for a certain time.

The wiki for Dovecot has some instructions about how to do this.

pino42
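A minimal version of the fail2ban-style counting the answer above describes, added here as an example and not code from the thread or from fail2ban itself. The log lines are constructed from the format quoted in the question (192.0.2.44 is a made-up legitimate client), and the `maxretry`/`findtime` names mirror fail2ban's options.

```python
"""Flag remote IPs that fail Dovecot pop3/imap authentication too often."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Aborted login (auth failed ...)" lines quoted in the question.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:pop3|imap)-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[\d.]+)"
)

# Constructed sample: the attacker from the question plus one genuine user
# who mistyped a password once and then logged in successfully.
SAMPLE_LOG = """\
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<shawn>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<shop>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<sitetest>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:14 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<solar>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:28:15 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<services>, method=PLAIN, rip=200.233.152.111, lip=myip
Nov 11 09:30:02 lax dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<ken>, method=PLAIN, rip=192.0.2.44, lip=myip
Nov 11 09:30:10 lax dovecot: pop3-login: Login: user=<ken>, method=PLAIN, rip=192.0.2.44, lip=myip
"""

def parse_failures(lines, year=2000):
    """Yield (timestamp, user, remote_ip) for each failed-auth line.
    Syslog lines carry no year, so one is supplied (assumed) for parsing."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["rip"]

def offending_ips(lines, maxretry=5, findtime=600):
    """Return the set of IPs reaching `maxretry` failures within any
    `findtime`-second window (the same semantics as fail2ban's options)."""
    windows = defaultdict(list)   # rip -> timestamps still inside the window
    banned = set()
    for ts, _user, rip in parse_failures(lines):
        times = windows[rip]
        times.append(ts)
        while (ts - times[0]).total_seconds() > findtime:  # expire old ones
            times.pop(0)
        if len(times) >= maxretry:
            banned.add(rip)
    return banned

if __name__ == "__main__":
    print(sorted(offending_ips(SAMPLE_LOG.splitlines())))  # ['200.233.152.111']
```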
1

The simplest thing to do is to change the port. It won't keep out an extremely persistent attacker, but it's probably enough to keep out people looking for low-hanging fruit.

You should also set up fail2ban or similar. This automatically blacklists IPs after too many login failures.

longneck