[Dovecot-de] Login-Versuche

Helmut Lichtenberg heli at tzv.fal.de
Do Aug 8 12:49:47 CEST 2013 

Hallo,
ich bekomme jetzt öfters mal einen Haufen von connect-Versuchen dieser Art:

Aug  8 11:02:49 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=190.8.44.74, lip=192.108.34.20, session=<sAYm7Gvj7wC+CCxK>
Aug  8 11:02:49 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=199.48.147.41, lip=192.108.34.20, session=<hVcc7GvjuwDHMJMp>
Aug  8 11:03:09 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=202.70.32.9, lip=192.108.34.20, session=<YbRR7WvjlgDKRiAJ>
Aug  8 11:04:09 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=120.194.242.92, lip=192.108.34.20, session=<XLjl8GvjxwB4wvJc>
Aug  8 11:04:19 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=24.183.232.214, lip=192.108.34.20, session=<IiZ+8WvjHAAYt+jW>
Aug  8 11:04:19 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=77.122.137.132, lip=192.108.34.20, session=<dx+B8WvjCwBNeomE>
Aug  8 11:04:42 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=77.122.137.132, lip=192.108.34.20, session=<cHva8mvjsQBNeomE>
Aug  8 11:04:44 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=120.194.242.92, lip=192.108.34.20, session=<icgA82vjswB4wvJc>
Aug  8 11:07:20 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=41.42.218.30, lip=192.108.34.20, session=<teRH/Gvj2AApKtoe>
Aug  8 11:08:03 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=123.201.213.84, lip=192.108.34.20, session=<7hTX/mvj+AB7ydVU>
Aug  8 11:08:12 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=24.210.239.227, lip=192.108.34.20, session=<CBxi/2vjqQAY0u/j>
Aug  8 11:08:39 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=123.110.209.209, lip=192.108.34.20, session=<a+AEAWzjIgB7btHR>
Aug  8 11:11:47 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=80.11.21.38, lip=192.108.34.20, session=<sAwsDGzj9QBQCxUm>
Aug  8 11:12:04 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=72.224.11.78, lip=192.108.34.20, session=<+UsyDWzjKABI4AtO>
Aug  8 11:12:41 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=202.70.32.9, lip=192.108.34.20, session=<P8ZuD2zjCADKRiAJ>
Aug  8 11:12:44 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=77.249.10.7, lip=192.108.34.20, session=<eViaD2zjiQBN+QoH>
Aug  8 11:13:13 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=123.201.189.242, lip=192.108.34.20, session=<VNxYEWzjZgB7yb3y>
Aug  8 11:34:02 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=123.110.209.209, lip=192.108.34.20, session=<NvPFW2zjHwB7btHR>
Aug  8 11:34:24 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=123.201.189.242, lip=192.108.34.20, session=<fEMUXWzjJgB7yb3y>
Aug  8 11:37:11 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth):
    user=<>, rip=190.8.44.74, lip=192.108.34.20, session=<twQOZ2zjjgC+CCxK>

Kann ich davon ausgehen, dass dies ein Angriff ist? Die vielen verschiedenen
IP-Adressen, z.T in sehr kurzen Zeitabständen, sprechen m.E. dafür.

Wenn dies so ist, kann/sollte ich etwas dagegen tun?
fail2ban ist installiert, spricht hierauf aber nicht an.

Viele Grüße
Helmut

-- 
-------------------------------------------------------------------------
Helmut Lichtenberg  <Helmut.Lichtenberg at fli.bund.de>  Tel.: 05034/871-128
Institut für Nutztiergenetik (FLI)         31535 Neustadt         Germany
-------------------------------------------------------------------------

Mehr Informationen über die Mailingliste Dovecot