| Type: | Brute Force |
| Protocol: | POP3 |
| OS: | Linux 3.6.11+ armv6l |
| Platform: | Pi Rev. B |
| Memory: | 512M |
| Daemon: | Dovecot 2.1.7-7 |
| Backend Daemon: | MySQL 5.5 |
| Backend OS: | Linux 2.6.32-5-amd64 |
| Backend Platform: | Generic AMD A4-3400 APU Dual Core |
| Backend Memory: | 3.5G |
| Total Attempts: | 13356 |
| Avg. Attempt/s: | 2.71 |
Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.
Further Information:
Fail2ban did not detect the attack, research ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely, no local logging occurs.
The RPI handled the traffic/load well, never swapped.
Log Excerpt:
Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
*SNIP*
Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user
Hits: 2