Hi, I find some times strange logs in logwatch mail especially under the pam field --------------------- pam_unix Begin ------------------------ dovecot: Unknown Entries: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s) check pass; user unknown: 17784 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail: 320 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 304 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=postgres: 280 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=apache: 264 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 264 Time(s) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ftp: 248 Time(s) bad username []: 32 Time(s) /var/log/messages Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= I could see that its some kind of brute force attack. The question is why dont i see the remote host IP address here ? All other services shows the remote host ip except dovecot. The remote host ip is not present even in the /var/log/messages file Am i missing some option which would show me the remote host IP ? or dovecot in general doesnt log remote host ip or is it some specially crafted packet like the stealth scanning in nmap ? Any help on this issue would be much appreciated. -- Regards, Mohan.