[Dovecot] What are they trying to do here?

Jon Slater jon.slater at mesanetworks.net
Wed May 30 18:10:17 EEST 2007


Hi!

I’m new to the list, and I’m not really having a ‘problem’, but I’m seeing
something in my log files that I wonder if I should be concerned about.

I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel
2.6.17-1.2142_FC4) machine for quite some time.

For the last few days, I’ve been seeing this in my daily ‘Logwatch’ e-mail:

dovecot:
    Authentication Failures:
        rhost= : 139 Time(s)
       root: 13 Time(s)
    Unknown Entries:
       check pass; user unknown: 139 Time(s)

So it looks pretty obvious that someone (using root and an assortment of
other login names) is trying to access my dovecot server.

My first ‘issue’ is I can’t find a log file anywhere that tells me the IP
address of the attacker.  I see a series of ‘authentication failure’
messages in my /log/messages file:

May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

But I don’t find anything in any other log files to indicate where this is
coming from.

Secondly, I’m wondering if I have anything to be concerned about.

Thanks in advance for your help!

Jon
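
Added example (not part of the original message): a small Python script that tallies the pam_unix failures quoted above by user, rhost and second, pairing each "check pass; user unknown" line with its failure line by PID. The sample lines are the ones from the post; the summarize function and its result keys are names chosen for this example.

```python
import re
from collections import Counter

# Log lines copied from the post above, with wrapped lines rejoined and
# trailing spaces trimmed.
SAMPLE = """\
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

# syslog timestamp and host, the dovecot(pam_unix)[PID] tag, then the message.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dovecot\(pam_unix\)\[(\d+)\]: (.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs; the value may be empty


def summarize(text):
    """Tally pam_unix authentication failures by user, rhost and second."""
    unknown_pids = set()  # PIDs that logged "check pass; user unknown"
    by_user, by_rhost, per_second = Counter(), Counter(), Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if msg.startswith("check pass; user unknown"):
            unknown_pids.add(pid)
        elif msg.startswith("authentication failure;"):
            fields = dict(FIELD.findall(msg))
            # In the quoted lines, failures for unknown accounts carry no
            # user= field, so they are matched to the earlier line by PID.
            user = fields.get("user") or (
                "<unknown user>" if pid in unknown_pids else "<not logged>")
            by_user[user] += 1
            by_rhost[fields.get("rhost") or "<empty>"] += 1
            per_second[stamp] += 1
    return {
        "failures": sum(by_user.values()),
        "by_user": dict(by_user),
        "by_rhost": dict(by_rhost),
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the five quoted lines every failure lands in the empty rhost bucket, which matches the "rhost= : 139 Time(s)" line in the Logwatch summary.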

