[tpop3d-discuss] Hackers using tpop3d to brute passwords

Nate nm_list at visp.net
Mon, 18 Dec 2006 09:55:06 -0800


A new issue has arisen with our use of tpop3d.  Bear in mind this is 
not a bug report but rather an annoyance that I'm hoping someone has 
solved, and if not, perhaps as a community we can come up with a 
useful solution.

I earlier reported that my tpop3d blows up for no apparent reason at 
times.  It happened a couple of times this weekend as well, and it 
turned out, after thorough analysis of the logs, that it is someone 
trying to brute force passwords.  They just keep trying and trying with 
different usernames and passwords until they break one.

I'm not currently seeing any existing support to prevent this.  I've 
seen in other applications settings or internals which, once an IP has 
had 3 simultaneous failures, block it for 5 minutes.  Other 
variations exist, but all in an attempt to make brute forcing not worth 
it for the hacker.

Any patches out there for tpop3d to accomplish this?  Any other 
thoughts?  I have an idea to just write a log watcher to watch for 
failures and upon a certain rule set apply iptables filters to block 
them; however, I think this could be much better handled within tpop3d.

Thanks,

- Nate
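
The log-watcher idea from the message above, as an added example (not part of the original post and not tpop3d code). The 3-failure threshold and 5-minute block are the figures from the post; the log line shape, the 60-second counting window and the port-110 iptables rule are assumptions to adapt.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed line shape (epoch seconds first); adapt the regex to your tpop3d syslog output.
FAIL_RE = re.compile(r"^(?P<ts>\d+) tpop3d\[\d+\]: auth failed client=(?P<ip>\S+) user=")
MAX_FAILURES, BLOCK_SECONDS, WINDOW_SECONDS = 3, 300, 60  # 3 and 300 from the post; window assumed

# Constructed sample log, not real tpop3d output.
SAMPLE_LOG = [
    "1166464500 tpop3d[411]: auth failed client=203.0.113.9 user=alice",
    "1166464502 tpop3d[411]: auth failed client=203.0.113.9 user=bob",
    "1166464505 tpop3d[411]: auth failed client=203.0.113.9 user=admin",
    "1166464506 tpop3d[411]: auth failed client=203.0.113.9;reboot user=x",
    "1166464900 tpop3d[412]: auth failed client=198.51.100.7 user=carol",
]

def rule(action, ip):  # argv list, never a shell string: log data is attacker-influenced
    return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp", "--dport", "110", "-j", "DROP"]

class BruteForceWatcher:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> epoch second the block expires

    def feed(self, line):
        """Process one log line; return the iptables argv lists to execute."""
        m = FAIL_RE.match(line)
        if not m:
            return []
        now = int(m["ts"])
        # Lift blocks that have run out before handling the new failure.
        cmds = [rule("-D", ip) for ip, until in self.blocked.items() if until <= now]
        self.blocked = {ip: until for ip, until in self.blocked.items() if until > now}
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))  # drop anything that is not an address
        except ValueError:
            return cmds
        if ip in self.blocked:
            return cmds
        recent = self.failures[ip]
        recent.append(now)
        while recent[0] <= now - WINDOW_SECONDS:  # keep only failures inside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.blocked[ip] = now + BLOCK_SECONDS
            del self.failures[ip]
            cmds.append(rule("-I", ip))
        return cmds
```

The watcher only returns the commands; a caller running as root would pass each list to `subprocess.run` while tailing the mail log.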