[CentOS] Logwatch - Dovecot logs

Mohan mk at nerdplanet.co.uk
Mon Dec 8 15:52:47 UTC 2008


Hi,

I sometimes find strange logs in the logwatch mail, especially under the pam
field

 --------------------- pam_unix Begin ------------------------

dovecot:
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s)
      check pass; user unknown: 17784 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mail: 320 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mysql: 304 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=postgres: 280 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=apache: 264 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root: 264 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ftp: 248 Time(s)
      bad username []: 32 Time(s)

/var/log/messages

Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

I could see that it's some kind of brute force attack. The question is
why don't I see the remote host IP address here? All other services
show the remote host IP except dovecot. The remote host IP is not
present even in the /var/log/messages file.

Am I missing some option which would show me the remote host IP? Or does
dovecot in general not log the remote host IP, or is it some specially
crafted packet like the stealth scanning in nmap?

Any help on this issue would be much appreciated.

--

Regards,

Mohan.
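An added example, not from the post and not part of Dovecot or logwatch: it parses pam_unix lines in the /var/log/messages format shown above, counts authentication failures per service and user, and separates entries that carry an rhost from those that do not, so a defender can see which service's failures need their source address pulled from the service's own log rather than from PAM. The sample lines are constructed; the sshd line with an address is included only for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same format as the /var/log/messages
# excerpt in the post; the dovecot entries have an empty rhost= field.
SAMPLE_LOG = """\
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec  6 08:53:11 SYSTEM100 dovecot(pam_unix)[2729]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mail
Dec  6 08:53:12 SYSTEM100 dovecot(pam_unix)[2730]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Dec  6 08:53:12 SYSTEM100 sshd(pam_unix)[2731]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
"""

# syslog prefix, "<service>(pam_unix)[pid]:", then the pam_unix failure fields
PAM_FAIL = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<service>\w+)\(pam_unix\)\[\d+\]: "
    r"authentication failure; .*?rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?\s*$"
)

def summarize_pam_failures(log_text):
    """Count pam_unix authentication failures per service.
    Returns {service: {"by_user": Counter, "with_rhost": n, "without_rhost": n}}.
    """
    summary = defaultdict(lambda: {"by_user": Counter(), "with_rhost": 0, "without_rhost": 0})
    for line in log_text.splitlines():
        m = PAM_FAIL.match(line)
        if not m:
            continue  # "check pass; user unknown" lines carry no attributable fields
        entry = summary[m.group("service")]
        entry["by_user"][m.group("user") or "<unknown>"] += 1
        if m.group("rhost"):
            entry["with_rhost"] += 1
        else:
            entry["without_rhost"] += 1
    return dict(summary)

def services_missing_source(summary):
    """Services whose failures never record an rhost: their source address has to
    come from the service's own log, not from the pam_unix lines."""
    return sorted(s for s, e in summary.items() if e["with_rhost"] == 0 and e["without_rhost"] > 0)

if __name__ == "__main__":
    s = summarize_pam_failures(SAMPLE_LOG)
    for service, e in s.items():
        print(service, dict(e["by_user"]), "rhost present:", e["with_rhost"], "absent:", e["without_rhost"])
    print("no source address from PAM:", services_missing_source(s))
```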

