Technical Goulash

Email Server Attack

/dev/null
Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Further Information:
Fail2ban did not detect the attack, research ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely, no local logging occurs.
The RPI handled the traffic/load well, never swapped.

Log Excerpt:

Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user

*SNIP*

Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user

Hits: 5