Huge increase of Dovecot Brute Force

hello-electro · Member · Aug 9, 2016 · Maryland · cPanel Access Level: Root Administrator
Anyone else getting brute force notices against Dovecot? I am up to about 1 per 3 minutes. It's coming from a botnet, so no way for me to just block a single IP. There is only a minor mention of a timing vulnerability that I can find online. Are cPanel folks aware of this, or have any suggestions to ensure the brute force doesn't lead to a successful compromise?
 

BlackRain · Well-Known Member · May 28, 2003 · USA · cPanel Access Level: Root Administrator
Yep. I have noticed the same activity from IPs all over the world trying to brute force Dovecot credentials. There must be an exploit in the wild. Have not seen any notice from cPanel about this issue.
 

hello-electro · Member · Aug 9, 2016 · Maryland · cPanel Access Level: Root Administrator
I have a link to what may be a known exploit (nothing I discovered), though it's a few weeks old at this point, so the attempts may just be residual at this point. I'm going to send the cPanel folks a support ticket with it.
 

cPanelMichael · Administrator · Staff member · Apr 11, 2011
hello-electro said:
I have a link to what may be a known exploit (nothing I discovered), though it's a few weeks old at this point, so the attempts may just be residual at this point. I'm going to send the cPanel folks a support ticket with it.
Hello,

Internal case CPANEL-12790 was opened to inquire about that specific vulnerability. We'll update the version of Dovecot offered through cPanel with any security-related patches once Dovecot publishes them upstream.

In addition to using cPHulk, you may also want to consider using a third-party application such as CSF to help protect against brute force attempts:

ConfigServer Security & Firewall (csf)

Thank you.
 

BlackRain · Well-Known Member · May 28, 2003 · USA · cPanel Access Level: Root Administrator
Already use cPHulk and CSF, yet we are getting hundreds of Dovecot brute force attempts (mostly from China and dubious EU server farms).

We have blacklisted those IP ranges, yet new ones keep popping up.

We don't use any server-side email, so it's a wasted attempt on their part.

So that leads me to believe there is an exploit out there.
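The pattern described in this thread (many source IPs, each making only a handful of attempts, so per-IP blocking never triggers) is easiest to see by aggregating Dovecot's own "auth failed" log lines per source IP and per network. The following is an added example, not code from cPanel, cPHulk or CSF: it parses the constructed log lines embedded in `SAMPLE_LOG` (written in the Dovecot 2.2 imap-login/pop3-login format, with RFC 5737 documentation addresses), sums failed attempts per `rip=` address and per /24, and flags anything over a threshold. The thresholds, the /24 grouping and the log snippet are all assumptions made for the demonstration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the Dovecot 2.2 login-process format (not real traffic).
SAMPLE_LOG = """\
Jun  5 10:12:33 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.7, TLS, session=<a1>
Jun  5 10:12:36 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@example.com>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.7, TLS, session=<a2>
Jun  5 10:12:40 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 8 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.46, lip=198.51.100.7, TLS, session=<a3>
Jun  5 10:13:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.7, TLS, session=<a4>
Jun  5 10:13:05 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<a5>
Jun  5 10:13:20 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.200, lip=198.51.100.7, TLS, session=<a6>
"""

# Matches only failed logins; "rip=" is the remote (client) IP, "lip=" the local one.
FAIL_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(text):
    """Yield (remote_ip, user, attempts) for every 'auth failed' line."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("rip"), m.group("user"), int(m.group("n"))


def summarize(text, prefix_len=24):
    """Aggregate failed attempts per source IP and per network (/24 for IPv4, /64 for IPv6)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    per_net = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for rip, user, n in parse_failures(text):
        per_ip[rip]["attempts"] += n
        per_ip[rip]["users"].add(user)
        addr = ipaddress.ip_address(rip)
        plen = prefix_len if addr.version == 4 else 64
        net = str(ipaddress.ip_network(f"{rip}/{plen}", strict=False))
        per_net[net]["attempts"] += n
        per_net[net]["ips"].add(rip)
    return per_ip, per_net


def flag(text, ip_threshold=3, net_threshold=5):
    """Return (noisy_ips, noisy_nets): IPs over ip_threshold, and networks over
    net_threshold where more than one distinct host took part (the distributed case)."""
    per_ip, per_net = summarize(text)
    noisy_ips = sorted(ip for ip, s in per_ip.items() if s["attempts"] >= ip_threshold)
    noisy_nets = sorted(
        net for net, s in per_net.items()
        if s["attempts"] >= net_threshold and len(s["ips"]) > 1
    )
    return noisy_ips, noisy_nets


if __name__ == "__main__":
    ips, nets = flag(SAMPLE_LOG)
    print("per-IP threshold hit:", ips)      # only the one host that tried 3 times
    print("per-network threshold hit:", nets)  # the /24 spread across three hosts
```

In the constructed sample, no single host in 203.0.113.0/24 exceeds two attempts except one, yet the /24 as a whole accumulates six failures from three addresses; a per-IP rule alone would miss most of that activity, which is the situation the posts above describe.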
 

cPanelMichael · Administrator · Staff member · Apr 11, 2011
Quote:
Hey, any update on this yet?
Hello,

The particular vulnerability referenced earlier in this thread is addressed by Dovecot in Dovecot 2.2.30:

* auth: Use timing safe comparisons for everything related to
passwords. It's unlikely that these could have been used for
practical attacks, especially because Dovecot delays and flushes all
failed authentications in 2 second intervals. Also it could have
worked only when passwords were stored in plaintext in the passdb.
Internal case CPANEL-13448 is open for the inclusion of this version of Dovecot into cPanel & WHM. I'll update this thread with more information on the status of this case as it becomes available.

Thank you.

Edit: Dovecot 2.2.31 is now included with cPanel version 66:

Implemented case CPANEL-14248: Update dovecot to 2.2.31-1.cp1162.