Hi,
I sometimes find strange logs in the logwatch mail, especially under the pam
field:
--------------------- pam_unix Begin ------------------------
dovecot:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s)
check pass; user unknown: 17784 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail: 320 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 304 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=postgres: 280 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=apache: 264 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 264 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ftp: 248 Time(s)
bad username []: 32 Time(s)
/var/log/messages:
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
I could see that it's some kind of brute force attack. The question is
why I don't see the remote host IP address here. All other services
show the remote host IP except dovecot. The remote host IP is not
present even in the /var/log/messages file.
Am I missing some option which would show me the remote host IP? Or does
dovecot in general not log the remote host IP, or is it some specially
crafted packet like the stealth scanning in nmap?
Any help on this issue would be much appreciated.
--
Regards,
Mohan.
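An added example, not part of Mohan's post or of logwatch, that parses pam_unix lines of the shape shown above from /var/log/messages, tallies authentication failures per service and user, and counts how many carry an empty rhost= field (the gap the post describes). The sample lines are constructed to mirror the excerpt; the sshd line and its 192.0.2.10 address are assumed for contrast.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the /var/log/messages excerpt in the post;
# the sshd line is an assumed contrast case that does carry a remote host.
SAMPLE_LOG = """\
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 6 08:53:11 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail
Dec 6 08:53:12 SYSTEM100 dovecot(pam_unix)[2729]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Dec 6 08:53:13 SYSTEM100 sshd(pam_unix)[2730]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

# syslog prefix: "<Mon D HH:MM:SS> <host> <service>(pam_unix)[<pid>]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<svc>\w+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# pam_unix key=value pairs; an empty value (e.g. "rhost=") matches as ''
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_pam_failures(text):
    """Return one dict per pam_unix 'authentication failure' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group('msg').startswith('authentication failure;'):
            continue  # skip non-pam lines and 'check pass; user unknown'
        fields = dict(KV_RE.findall(m.group('msg')))
        events.append({
            'service': m.group('svc'),
            'pid': int(m.group('pid')),
            'user': fields.get('user', ''),    # '' when PAM was given no user
            'rhost': fields.get('rhost', ''),  # '' in the dovecot lines above
        })
    return events


def summarize(events):
    """Tally failures per (service, user) and, per service, those lacking rhost."""
    per_user = Counter((e['service'], e['user'] or '<unknown>') for e in events)
    no_rhost = Counter(e['service'] for e in events if not e['rhost'])
    return per_user, no_rhost


if __name__ == '__main__':
    per_user, no_rhost = summarize(parse_pam_failures(SAMPLE_LOG))
    for (svc, user), n in per_user.most_common():
        print(f'{svc:8} user={user:10} failures={n}')
    print('entries with empty rhost:', dict(no_rhost))
```

Run against a real /var/log/messages, a service whose count in no_rhost equals its total failure count is one whose PAM lines cannot be correlated to a source address by this field alone.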