Hi,
I sometimes find strange logs in the logwatch mail, especially under the pam field:
--------------------- pam_unix Begin ------------------------
dovecot:
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s)
      check pass; user unknown: 17784 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail: 320 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 304 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=postgres: 280 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=apache: 264 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 264 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ftp: 248 Time(s)
      bad username []: 32 Time(s)
/var/log/messages:
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
I can see that it's some kind of brute-force attack. The question is why don't I see the remote host IP address here? All other services show the remote host IP except dovecot. The remote host IP is not present even in the /var/log/messages file.
Am I missing some option which would show me the remote host IP? Or does dovecot in general not log the remote host IP, or is it some specially crafted packet, like the stealth scanning in nmap?
Any help on this issue would be much appreciated.
--
Regards,
Mohan.
On Mon, Dec 08, 2008, Mohan wrote:
Hi,
I sometimes find strange logs in the logwatch mail, especially under the pam field:
Perhaps somebody is trying a dictionary attack against the IMAP or POP server. Everybody knows to look for probes against sshd, but may forget that the crackers can also try to find working user accounts and passwords by probing the mail servers.
Bill
Mohan wrote on Mon, 08 Dec 2008 15:52:47 +0000:
The remote host ip is not present even in the /var/log/messages file
what about /var/log/secure?
Kai
Hi,
dovecot doesn't log anything to /var/log/secure. It's a default CentOS 4.4 installation. All dovecot messages are logged to /var/log/messages.
I tried connecting to port 110 via telnet directly and typed user <random name> and pass <random pass>. If the username exists, it shows "authentication failure" in the log and reports user=root, for example, if I try as root. But if I try some username like idontexist, in the logs user= shows blank. In both cases it didn't log the remote host IP address; the rhost= remains blank.
How do I make dovecot log the remote host IP address for all connection attempts?
Regards,
Mohan.
Kai Schaetzl wrote:
Mohan wrote on Mon, 08 Dec 2008 15:52:47 +0000:
The remote host ip is not present even in the /var/log/messages file
what about /var/log/secure?
Kai
Mohan wrote on Tue, 09 Dec 2008 12:10:43 +0000:
dovecot doesn't log anything to /var/log/secure. It's a default CentOS 4.4 installation. All dovecot messages are logged to /var/log/messages.
Well, I see some going also to secure, those which fail. Maybe not on CentOS 4, though. But this kind of format is the same on CentOS 5. I'm not sure what this kind of login is, but when I check myself I get
dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Look at the end. But I also see other failed logins (not from me) without the host. I think you should investigate further on the dovecot list.
Kai
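As an added example (not part of the thread and not dovecot's or logwatch's own code), here is a small parser for the two pam_unix line formats that appear above: the CentOS 4 "dovecot(pam_unix)[pid]:" form from Mohan's /var/log/messages and the CentOS 5 "dovecot-auth: pam_unix(dovecot:auth):" form from Kai's message. It counts authentication failures per remote host and per user, normalises IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1, and keeps a separate count of failures where rhost= is empty, which is exactly the gap Mohan is asking about. The sample log lines are constructed for the example; the suspicious-source threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the formats quoted in the thread;
# hosts, PIDs and addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:11 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Dec 6 08:53:12 SYSTEM100 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Dec 6 08:53:13 SYSTEM100 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=mail
Dec 6 08:53:14 SYSTEM100 sshd(pam_unix)[2800]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=root
"""

# Matches a pam_unix "authentication failure" record written by either
# "dovecot(pam_unix)[pid]:" (CentOS 4 style) or "dovecot-auth: pam_unix(dovecot:auth):" (CentOS 5 style).
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>dovecot(?:-auth)?)(?:\(pam_unix\)\[\d+\]|: pam_unix\([^)]*\)): "
    r"authentication failure; (?P<fields>.*)$"
)

NO_RHOST = "<no rhost>"
NO_USER = "<unknown>"


def normalize_rhost(value):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:127.0.0.1 and 127.0.0.1 count together."""
    if value.startswith("::ffff:"):
        return value[len("::ffff:"):]
    return value


def parse_pam_failures(text):
    """Return one dict per dovecot pam_unix authentication failure line.

    The key=value fields after 'authentication failure;' are space separated and
    a key may have an empty value (e.g. 'rhost='), which is what the thread is about.
    """
    records = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue  # not a dovecot pam_unix failure (e.g. sshd, or "check pass; user unknown")
        fields = {}
        for token in m.group("fields").split():
            key, _, val = token.partition("=")
            fields[key] = val
        records.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "service": m.group("service"),
            "rhost": normalize_rhost(fields.get("rhost", "")),
            "user": fields.get("user", ""),
        })
    return records


def summarize(records):
    """Aggregate failures by source address and by target user; empty rhost gets its own bucket."""
    by_rhost = Counter(r["rhost"] or NO_RHOST for r in records)
    by_user = Counter(r["user"] or NO_USER for r in records)
    return {
        "total": len(records),
        "by_rhost": by_rhost,
        "by_user": by_user,
        "missing_rhost": by_rhost[NO_RHOST],
    }


def suspicious_sources(summary, threshold=20):
    """Addresses with at least `threshold` failures (threshold is an assumed value, tune to taste)."""
    return sorted(
        ip for ip, n in summary["by_rhost"].items() if ip != NO_RHOST and n >= threshold
    )


if __name__ == "__main__":
    s = summarize(parse_pam_failures(SAMPLE_LOG))
    print("total dovecot pam failures:", s["total"])
    print("failures with empty rhost= :", s["missing_rhost"])
    print("by source:", dict(s["by_rhost"]))
    print("by user:", dict(s["by_user"]))
```

Feed it real /var/log/messages (or /var/log/secure on systems that split PAM failures out) instead of SAMPLE_LOG; a large `missing_rhost` count with an empty `by_rhost` tells you the service is not passing the peer address to PAM, so the attacker cannot be attributed from these lines alone and a firewall log or the dovecot login process log has to be correlated instead.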