Hi,
I sometimes find strange logs in the logwatch mail, especially under the pam field:
--------------------- pam_unix Begin ------------------------
 dovecot:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s)
       check pass; user unknown: 17784 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail: 320 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 304 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=postgres: 280 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=apache: 264 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 264 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ftp: 248 Time(s)
       bad username []: 32 Time(s)
/var/log/messages
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
I can see that it's some kind of brute force attack. The question is: why don't I see the remote host IP address here? All other services show the remote host IP except dovecot. The remote host IP is not present even in the /var/log/messages file.
Am I missing some option which would show me the remote host IP? Or does dovecot in general not log the remote host IP, or is it some specially crafted packet, like the stealth scanning in nmap?
Any help on this issue would be much appreciated.
--
Regards,
Mohan.
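The following is an added example, not part of the post above and not Dovecot's or logwatch's own code. It parses pam_unix lines in the /var/log/messages format quoted in the post, counts authentication failures per service, user and rhost, and flags services whose failures all arrive with an empty rhost= field, which is exactly the gap the post describes and the reason the logwatch summary cannot attribute the attempts to a source address. The sample log lines are constructed in the post's format; the sshd line carrying rhost=192.0.2.10 is an assumption added for contrast and does not appear in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/messages excerpt in the post.
# PIDs and the sshd line (with a populated rhost=) are assumptions for contrast.
SAMPLE_LOG = """\
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:11 SYSTEM100 dovecot(pam_unix)[2729]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail
Dec 6 08:53:12 SYSTEM100 sshd(pam_unix)[2730]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

# "Mon D HH:MM:SS host service(pam_unix)[pid]: message"; \s+ also accepts the
# double space syslog writes for single-digit days ("Dec  6").
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.-]+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# key=value pairs; \S* allows the empty values pam_unix emits (tty= rhost=).
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one pam_unix syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    if msg.startswith("authentication failure;"):
        fields = dict(KV_RE.findall(msg))
        rec["event"] = "auth_failure"
        rec["user"] = fields.get("user", "")    # absent when no user was passed to PAM
        rec["rhost"] = fields.get("rhost", "")  # empty when PAM_RHOST was never set
    elif msg.startswith("check pass; user unknown"):
        rec["event"] = "user_unknown"
        rec["user"] = rec["rhost"] = ""
    else:
        rec["event"] = "other"
        rec["user"] = rec["rhost"] = ""
    return rec


def summarize(log_text):
    """Count auth failures per (service, user, rhost) and failures lacking rhost per service."""
    failures = Counter()
    missing_rhost = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth_failure":
            continue
        key = (rec["service"], rec["user"] or "<none>", rec["rhost"] or "<none>")
        failures[key] += 1
        if not rec["rhost"]:
            missing_rhost[rec["service"]] += 1
    return failures, missing_rhost


def services_without_rhost(failures):
    """Services for which every recorded failure had an empty rhost= field."""
    seen = {}
    for (service, _user, rhost), _n in failures.items():
        seen.setdefault(service, set()).add(rhost)
    return {svc for svc, hosts in seen.items() if hosts == {"<none>"}}


def report(log_text):
    """Render a logwatch-style summary as a list of lines."""
    failures, missing = summarize(log_text)
    lines = []
    for (service, user, rhost), n in sorted(failures.items()):
        lines.append(f"{service}: user={user} rhost={rhost}: {n} Time(s)")
    for svc in sorted(services_without_rhost(failures)):
        lines.append(f"WARNING: {svc} logged {missing[svc]} failure(s) with no rhost; "
                     f"correlate with the service's own log to find the source address")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the real file with `summarize(open("/var/log/messages").read())`; the warning line names each service whose pam_unix failures carry no rhost, so you know which service's own log (rather than the PAM line) you need to consult for the source address before feeding it to a blocklist or rate-limiter.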