If you're smart, you're probably running 'fail2ban' (or something similar) on your qmailtoaster to block password-guessing attempts. You may also have used the rules given at:

    http://wiki.qmailtoaster.com/index.php/Fail2Ban

to configure it.

This morning I happened to check my logs and discovered a ridiculous number of password-guessing attempts from a single IP, all of which had apparently gone unblocked by fail2ban. It turned out that the attacker was sending an empty password string, so that the log lines looked something like:

    vchkpw-submission: null password given phil:192.129.186.58

There was no corresponding rule in my '/etc/fail2ban/filter.d/vpopmail.conf' to capture this case, so the attacker was able to try over and over again, unbanned.

The attack script seems to be badly broken: it hits the same usernames over and over again, always with the same null password, and without even including the hostname part of the username (i.e. 'phil' rather than 'p...@example.com'), so I'd rate its chances of succeeding as minimal. Still, it'll inflate your log files, so you probably want to ban it.

So you might want to consider tweaking your fail2ban configuration to ensure that the failregex in 'vpopmail.conf' successfully matches 'null password given' as well as the default 'vpopmail user not found' string.

Angus
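As an added example (written for this page, not code from the post or from the qmailtoaster wiki), here is a small fail2ban-style checker that shows why the default filter misses this traffic and what the extended `failregex` catches. The three patterns are my assumption of what `/etc/fail2ban/filter.d/vpopmail.conf` should carry (fail2ban's own `<HOST>` placeholder is expanded here with a simple IPv4 regex, which is also an assumption); the log lines are constructed to mimic vpopmail's `vchkpw-*` messages, including the `null password given` line quoted above.

```python
import re
from collections import Counter

# Patterns in the form fail2ban expects in a filter's failregex (assumed set).
# The first two cover the classic failures; the third is the case this post
# reports as unmatched: an empty password, logged as 'null password given'.
FAILREGEX = [
    r"vchkpw-\w+: vpopmail user not found \S*:<HOST>",
    r"vchkpw-\w+: password fail \(pass: '.*'\) \S*:<HOST>",
    r"vchkpw-\w+: null password given \S*:<HOST>",
]

# Assumption: stand-in for fail2ban's <HOST> expansion, IPv4 only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def render_filter_conf(patterns=FAILREGEX):
    """Render a [Definition] section in fail2ban's multi-line failregex layout."""
    lines = ["[Definition]", "failregex = " + patterns[0]]
    lines += ["            " + p for p in patterns[1:]]
    lines.append("ignoreregex =")
    return "\n".join(lines) + "\n"


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def failed_hosts(log_lines, patterns=FAILREGEX):
    """Count failure lines per source host, the way fail2ban tallies them."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line.strip())
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, whichever pattern matched
    return hits


def hosts_to_ban(log_lines, maxretry=5, patterns=FAILREGEX):
    """Hosts at or above fail2ban's maxretry threshold for this log sample."""
    counts = failed_hosts(log_lines, patterns)
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log (documentation IP ranges; not real traffic):
# six null-password attempts from one host, two unknown-user attempts from
# another, and one successful login that must not count as a failure.
SAMPLE_LOG = [
    "vchkpw-submission: null password given phil:192.0.2.10",
    "vchkpw-submission: null password given phil:192.0.2.10",
    "vchkpw-submission: null password given admin:192.0.2.10",
    "vchkpw-submission: null password given phil:192.0.2.10",
    "vchkpw-smtp: null password given test:192.0.2.10",
    "vchkpw-submission: null password given phil:192.0.2.10",
    "vchkpw-smtp: vpopmail user not found bob@example.com:198.51.100.7",
    "vchkpw-pop3: vpopmail user not found alice@example.com:198.51.100.7",
    "vchkpw-submission: (PLAIN) login success phil@example.com:203.0.113.5",
]

if __name__ == "__main__":
    print(render_filter_conf())
    print("default rules only  ->", hosts_to_ban(SAMPLE_LOG, patterns=FAILREGEX[:2]))
    print("with null-password  ->", hosts_to_ban(SAMPLE_LOG))
```

With only the first two patterns the null-password host never reaches `maxretry`, which is the gap described in the post; adding the third pattern makes the same sample trip the ban. Run `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf` against a real log to confirm the edited filter matches before restarting the service.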



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com