[Dovecot] What are they trying to do here?
Jon Slater
jon.slater at mesanetworks.net
Wed May 30 18:10:17 EEST 2007
Hi!
I’m new to the list, and I’m not really having a ‘problem’, but I’m seeing
something in my log files that I wonder if I should be concerned.
I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel
2.6.17-1.2142_FC4) machine from quite some time.
For the last few days, I’ve been seeing this in my daily ‘Logwatch’ e-mail:
dovecot:
Authentication Failures:
rhost= : 139 Time(s)
root: 13 Time(s)
Unknown Entries:
check pass; user unknown: 139 Time(s)
So it looks pretty obvious that someone (using root and an assortment of
other login names) is trying to access by dovecot server.
My first ‘issue’ is I can’t find a log file anywhere that tells me the IP
address of the attacker. I see a series of ‘authentication failure’
messages in my /log/messages file:
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user
unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user
unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=
But I don’t find anything in any other log files to indicate where this is
coming from.
Secondly, I’m wondering if I have anything to be concerned about.
Thanks in advance for you help!
Jon
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Database: 269.8.3/824 - Release Date: 5/29/2007
1:01 PM
More information about the dovecot
mailing list