Linode Forum https://forum.linode.com/

Cracking attempt https://forum.linode.com/viewtopic.php?f=11&t=5131

Author: node_tux [ Fri Jan 29, 2010 1:40 pm ]
Post subject: Cracking attempt

I've had an attempt at cracking my mail server. Any idea why I'm not seeing an IP on these messages?

dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=

Author: thomasl [ Mon Feb 15, 2010 12:20 pm ]

People try to crack my email about once every minute or so. It's annoying, and adds to the log file length. What to worry about is if someone actually succeeds at it. No crack, no worries. I'm looking at a Ruby on Rails replacement for SquirrelMail that will alert a user to the last login time and IP address, so these things can be avoided. Using the Linux way, no notices for failed crack attempts.

Author: skavoovie [ Mon Mar 01, 2010 8:08 pm ]

Had the exact same problem, and it was driving me crazy. I even went as far as to add iptables and ip6tables rules to log every packet destined for POP/s, IMAP/s, for both IPv4 and IPv6. Research on Dovecot mailing list & documentation was no help. Research via the Dovecot IRC channel was also not any help.

After I saw another wave of crack attempts with ZERO iptables loggings, it occurred to me what was going on -- these weren't POP/IMAP crack attempts, the cracker was coming via SMTP-Auth attempts! Postfix + Dovecot + SASLauthd w/ TLS encryption, Postfix relying upon Dovecot/SASLauthd for the passthrough authentication.

Some quick research revealed that some of Dovecot's very poorly named variables were causing the SMTP-Auth attempts to not get logged AT ALL. Enable these two "debugging" variables, and you should see the auth attempts with the missing source IPs logged properly. Depending on your environment, you will see it logged with your Postfix logs, your sasl/authentication logs, or your Dovecot logs. That all depends on how you have syslog configured.

auth_verbose = yes
verbose_ssl = yes

The one I was missing was 'verbose_ssl'. Once I enabled this and restarted Dovecot, SMTP-Authentications -- success and failures, WITH source IP, were now being logged properly. Depending on the version of Dovecot & setup, you may have to correlate logs from more than one location to determine the source IP & attempted username. Hope this helps!

Author: mstarks01 [ Thu Mar 11, 2010 11:03 am ]
Post subject: Re: Cracking attempt

node_tux wrote:
> I've had an attempt at cracking my mail server. Any idea why I'm not seeing an IP on these messages?
> dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=

I added the Dovecot support to OSSEC. The active response feature will stop these after just a few attempts.
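
Putting the three posts together, here is an added example (written for this page, not code from Dovecot, Postfix, OSSEC or any of the posters) that parses the kinds of lines discussed above and shows why the empty rhost matters: it counts failures per source IP, reports the failures that carry no address at all, and then applies a sliding-window threshold of the kind an OSSEC active response uses. The sample lines are constructed: the first two copy the shape of the pam_unix line node_tux quoted, the rest are modelled on the Dovecot 1.x auth_verbose message and the Postfix smtpd SASL warning. Exact wording varies between versions, so the regexes are assumptions to check against your own logs. The year 2010 is supplied because syslog timestamps lack one.

```python
"""Attribute mail authentication failures to a source IP and apply a
sliding-window threshold.  Added example for this thread; not code from
Dovecot, Postfix or OSSEC.  Sample lines are constructed (see LOG_LINES)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

# Three line shapes (regexes are assumptions modelled on the formats named in
# the thread): PAM's own message, whose rhost= may be empty; Dovecot's
# auth_verbose message, which carries the IP; and Postfix's SASL warning.
PATTERNS = {
    "pam_unix": re.compile(
        r"pam_unix\(dovecot:auth\): authentication failure;.*"
        r"\bruser=(?P<user>\S*) rhost=(?P<ip>\S*)"),
    "dovecot": re.compile(
        r"dovecot: auth\(\w+\): pam\((?P<user>[^,]*),(?P<ip>[^)]*)\): "
        r"pam_authenticate\(\) failed"),
    "postfix": re.compile(
        r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
        r"SASL \S+ authentication failed"),
}

# Constructed sample log: two unattributed PAM lines, a burst from one host
# seen in both Dovecot and Postfix logs, one stray failure and one success.
LOG_LINES = [
    "Jan 29 13:40:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=",
    "Jan 29 13:40:03 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=",
    "Jan 29 13:41:10 mail dovecot: auth(default): pam(abc123,192.0.2.10): pam_authenticate() failed: Authentication failure",
    "Jan 29 13:41:12 mail dovecot: auth(default): pam(admin,192.0.2.10): pam_authenticate() failed: Authentication failure",
    "Jan 29 13:41:15 mail dovecot: auth(default): pam(test,192.0.2.10): pam_authenticate() failed: Authentication failure",
    "Jan 29 13:41:20 mail postfix/smtpd[2471]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Jan 29 13:55:00 mail dovecot: auth(default): pam(alice,198.51.100.7): pam_authenticate() failed: Authentication failure",
    "Jan 29 13:55:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS",
]


def parse_failure(line, year=2010):
    """Return {'ts', 'source', 'user', 'ip'} for a failure line, else None.
    ip is None when the log carries no address (the empty rhost= from the
    first post); user is None for formats that do not record one."""
    ts_match = SYSLOG_TS.match(line)
    if not ts_match:
        return None
    ts = datetime.strptime(f"{year} {ts_match.group('ts')}", "%Y %b %d %H:%M:%S")
    for source, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            fields = m.groupdict()
            return {"ts": ts, "source": source,
                    "user": fields.get("user") or None,
                    "ip": fields.get("ip") or None}
    return None


def summarize(lines, year=2010):
    """Failures per source IP, plus the count that cannot be attributed."""
    per_ip, unattributed = defaultdict(int), 0
    for ev in (parse_failure(l, year) for l in lines):
        if ev is None:
            continue
        if ev["ip"] is None:
            unattributed += 1
        else:
            per_ip[ev["ip"]] += 1
    return dict(per_ip), unattributed


def block_decisions(lines, limit=3, window=timedelta(minutes=10), year=2010):
    """Record a block decision (once per IP) when an IP reaches `limit`
    failures inside `window`.  Events without an IP are skipped: there is
    nothing to act on, which is why the logging fix has to come first."""
    events = [ev for ev in (parse_failure(l, year) for l in lines)
              if ev and ev["ip"]]
    events.sort(key=lambda ev: ev["ts"])
    recent, blocked = defaultdict(deque), {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit and ev["ip"] not in blocked:
            blocked[ev["ip"]] = ev["ts"]
    return sorted(blocked.items())


if __name__ == "__main__":
    per_ip, unattributed = summarize(LOG_LINES)
    print("failures per IP:", per_ip)
    print("failures with no source IP (logging gap):", unattributed)
    for ip, when in block_decisions(LOG_LINES):
        print(f"block {ip} at {when}")
```

Run as a script, it reports four attributed failures from 192.0.2.10, one from 198.51.100.7, two failures with no address, and a single block decision for 192.0.2.10 at the third failure inside the window. The two unattributed lines are counted but never produce a decision, which is the practical consequence of the gap skavoovie describes: until Dovecot is configured to log the source, nothing downstream can act on it, and a single host's burst may also appear split across the Dovecot and Postfix logs, which is why the parser keys on the IP rather than on the log that recorded it.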

All times are UTC-04:00