I have seen thousands of dictionary or brute force attempts on ipop3d over the last couple of days from the same IP address. Example from /var/log/messages:

Mar 28 04:34:36 ipop3d[19269]: Login failed user=jess auth=jess host=[209.2.xxx.xxx]

There are at least five of these entries per second, and sometimes the large number of attempts makes the daemon restart. On the chance that an existing user is attacked, a message sometimes looks like this:

Mar 28 04:32:33 ipop3d[18739]: Autologout user=example host=[209.2.xx.xx]

What is going on here? Why are they attempting to gain access to ipop3d since, as I understand it, this daemon just collects the mail, and spammers would be more interested in sending mail from this server? Also, is there anything that can be done to prevent entry, since they could eventually brute force a client's weak password?
You can block that IP address like this: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
That would be a temporary solution, but today a different IP is attacking and I want to avoid reading the log several times a day. Looks like a botnet is attracted to this server. This seems more effective but I don't know how to apply it to ipop3d: http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts#comment-1411
I haven't tried yet, but I think that maybe fail2ban (http://fail2ban.sourceforge.net/) can observe login attempts for POP3.
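The two things this thread is after, spotting which hosts are hammering ipop3d in /var/log/messages (first post) and doing it automatically the way fail2ban would rather than reading the log by hand (last two posts), come down to one piece of logic: match the "Login failed" line, count failures per client address inside a time window, and emit a block rule once a threshold is crossed. The script below is an added example, not code from the thread or from fail2ban; the log lines are constructed in the format the first post shows, with RFC 5737 documentation addresses in place of the masked 209.2.x.x host, and the failure pattern is written with fail2ban's `<HOST>` placeholder so the same expression could be dropped into a filter's `failregex`. The threshold and window defaults (5 failures in 10 minutes) and the iptables rule it prints are the author's assumptions, not settings taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages in the format quoted in the thread.
# 203.0.113.5 runs a dictionary attack (5 failures in 2 seconds); 198.51.100.7
# has two failures against a real account, then an Autologout line.
SAMPLE_LOG = """\
Mar 28 04:34:36 ipop3d[19269]: Login failed user=jess auth=jess host=[203.0.113.5]
Mar 28 04:34:36 ipop3d[19269]: Login failed user=john auth=john host=[203.0.113.5]
Mar 28 04:34:37 ipop3d[19270]: Login failed user=mary auth=mary host=[203.0.113.5]
Mar 28 04:34:37 ipop3d[19271]: Login failed user=root auth=root host=[203.0.113.5]
Mar 28 04:34:38 ipop3d[19272]: Login failed user=admin auth=admin host=[203.0.113.5]
Mar 28 04:35:01 ipop3d[19300]: Login failed user=example auth=example host=[198.51.100.7]
Mar 28 04:40:12 ipop3d[19420]: Login failed user=example auth=example host=[198.51.100.7]
Mar 28 04:41:00 ipop3d[19450]: Autologout user=example host=[198.51.100.7]
"""

# Failure pattern in the shape of a fail2ban failregex. fail2ban substitutes a
# capturing group for <HOST>; we do the same substitution by hand here.
FAILREGEX = r"ipop3d\[\d+\]: Login failed user=(?P<user>\S+) auth=\S+ host=\[<HOST>\]"
HOST_GROUP = r"(?P<host>[0-9A-Fa-f.:]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
# syslog timestamp: month, day (space padded on single digits), time
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failures(log_text):
    """Return (timestamp, host, user) for every 'Login failed' line.

    Autologout lines, successful logins and other daemons are skipped.
    The syslog timestamp carries no year, so datetime defaults it to 1900;
    only the differences between timestamps matter below.
    """
    events = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        m_fail = FAIL_RE.search(line)
        if not (m_ts and m_fail):
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m_fail.group("host"), m_fail.group("user")))
    return events


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Map host -> largest number of failures seen inside any findtime window,
    for hosts that reached maxretry (the fail2ban maxretry/findtime idea)."""
    by_host = defaultdict(list)
    for ts, host, _user in parse_failures(log_text):
        by_host[host].append(ts)

    offenders = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits inside findtime
            while stamps[end] - stamps[start] > findtime:
                start += 1
            hits = end - start + 1
            if hits >= maxretry:
                offenders[host] = max(offenders.get(host, 0), hits)
    return offenders


def targeted_users(log_text, host):
    """Sorted list of account names tried from one host, to see whether real
    mailboxes (as opposed to a dictionary of names) are being hit."""
    return sorted({user for _ts, h, user in parse_failures(log_text) if h == host})


def block_rule(host, port=110):
    """iptables rule, returned as a string rather than executed, that drops the
    offender's POP3 traffic; assumed form, adjust to the local firewall setup."""
    return f"iptables -I INPUT -s {host} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for host, hits in find_offenders(SAMPLE_LOG).items():
        print(f"{host}: {hits} failures in window, users tried: "
              f"{', '.join(targeted_users(SAMPLE_LOG, host))}")
        print("  " + block_rule(host))
```

With fail2ban the same three ingredients map onto a filter file holding the `failregex` (with `<HOST>` left in place for fail2ban to expand), and a jail section giving the log path, `maxretry`, `findtime` and a ban action; the script's `find_offenders` is a stand-in for that jail so the thresholds can be tuned against a real log excerpt before enabling it.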