[Dovecot] Logging IP address for failed login
Scott Neville
dovecot-in at keystealth.org
Mon Oct 1 23:36:25 EEST 2012
Hi,
I am trying to use the logs to show the IP that brute-force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts.
dovecot 2.0.12 / CentOS 5.4 / imaps only (993)
I have tried a bunch of different combinations of 10-logging.conf settings. This is what I have currently (that does not work the way I want):
auth_verbose = yes
#auth_verbose_passwords = no
#auth_debug = yes
#auth_debug_passwords = no
#mail_debug = no
I *don't* want to see the passwords, either failed or successful. I just want to see failed logins, for whatever reason, and the IP they came from.
In /var/log/maillog I get lines like this:
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
When I had debugging turned on, I would get lines like this:
Sep 9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,62.128.300.94): lookup
but only for successful logins. The brute-force attempts don't log like that:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
No IP anywhere in that.
fail2ban seems to rely on the pop-login or imap-login lines to pull the IP from. I get an imap-login for my real logins:
Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS
but no similar line for the failed logins.
So is this a dovecot logging configuration combination I need to find? Is it getting lost in pam? Is it specific to CentOS?
Any help appreciated - happy to read up on it myself, but would need a pointer, since the docs so far either assume I get an imap-login line for failed logins, which I don't, or they assume I just want to see the repeated attempts/passwords.
Scott.
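A small log-correlation script, added here as an example and not part of the original post or of Dovecot itself. It illustrates the point the post makes: the `auth: pam(user): unknown user` lines carry a username but no client address, so only the `imap-login` lines (which carry `rip=`) can feed a per-IP tally of the kind fail2ban needs. The `Login:` line format is taken from the post; the `Disconnected (auth failed, N attempts ...)` and `Aborted login (...)` formats are the ones fail2ban's dovecot filter matches and are assumed here, since the post does not show them. The sample log, the RFC 5737 addresses in it, and the function names (`parse_line`, `summarize`, `ban_candidates`) are all constructed for this example.

```python
import re
from collections import Counter

# imap-login lines. "Login:" is copied from the post; the "Disconnected
# (auth failed, N attempts ...)" and "Aborted login (...)" forms are ASSUMED
# (they are what fail2ban's dovecot filter keys on). method= is optional
# because aborted logins have no authentication mechanism.
IMAP_LOGIN_RE = re.compile(
    r"imap-login: (?P<event>Login"
    r"|Disconnected \(auth failed, (?P<attempts>\d+) attempts[^)]*\)"
    r"|Aborted login \([^)]*\)): "
    r"user=<(?P<user>[^>]*)>, (?:method=(?P<method>\w+), )?"
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

# auth-process lines, e.g. "auth: pam(marketing): unknown user" or the debug
# form "auth: Debug: passwd(dbelan,<ip>): lookup". The IP after the comma is
# optional: it is only present when the auth process was given one.
AUTH_RE = re.compile(
    r"dovecot: auth: (?:Debug: )?(?P<passdb>[a-z]+)\("
    r"(?P<user>[^,)]*)(?:,(?P<ip>[^)]*))?\): (?P<msg>.*)$"
)

# Substrings that mark an auth-process message as a failed attempt.
FAILURE_MARKERS = ("unknown user", "password mismatch", "authentication failure", "failed")


def parse_line(line):
    """Classify one maillog line; return None for lines that are not relevant."""
    m = IMAP_LOGIN_RE.search(line)
    if m:
        event = m.group("event")
        kind = "success" if event == "Login" else (
            "auth_failed" if event.startswith("Disconnected") else "aborted")
        return {"source": "imap-login", "kind": kind, "user": m.group("user"),
                "rip": m.group("rip"), "attempts": int(m.group("attempts") or 0)}
    m = AUTH_RE.search(line)
    if m:
        msg = m.group("msg")
        failed = any(marker in msg.lower() for marker in FAILURE_MARKERS)
        return {"source": "auth", "kind": "auth_failed" if failed else "auth_info",
                "user": m.group("user"), "rip": m.group("ip"),
                "passdb": m.group("passdb"), "msg": msg}
    return None


def summarize(lines):
    """Tally events per client IP and collect failures that carry no IP at all."""
    failures_by_ip, successes_by_ip, aborted_by_ip = Counter(), Counter(), Counter()
    failures_without_ip = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["source"] == "imap-login":
            if ev["kind"] == "success":
                successes_by_ip[ev["rip"]] += 1
            elif ev["kind"] == "aborted":
                aborted_by_ip[ev["rip"]] += 1
            else:
                # One Disconnected line can summarise several attempts.
                failures_by_ip[ev["rip"]] += max(ev["attempts"], 1)
        elif ev["kind"] == "auth_failed" and ev["rip"] is None:
            # The case from the post: the auth process logs the user, not the IP.
            failures_without_ip.append((ev["passdb"], ev["user"], ev["msg"]))
    return {"failures_by_ip": failures_by_ip, "successes_by_ip": successes_by_ip,
            "aborted_by_ip": aborted_by_ip, "failures_without_ip": failures_without_ip}


def ban_candidates(lines, threshold=3):
    """IPs whose counted failed attempts reach the threshold, fail2ban style."""
    tally = summarize(lines)["failures_by_ip"]
    return sorted(ip for ip, n in tally.items() if n >= threshold)


# Constructed sample log: hostname and usernames follow the post, IPs are
# RFC 5737 documentation addresses, failed-login line formats are assumed.
SAMPLE_LOG = """\
Oct  1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct  1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
Oct  1 04:19:20 olive dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<marketing>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS
Oct  1 04:20:01 olive dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<backup>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS
Oct  1 04:21:33 olive dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=203.0.113.77, lip=198.51.100.10, TLS
Oct  1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.10, mpid=20360, TLS
Sep  9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,192.0.2.44): lookup
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, n in report["failures_by_ip"].most_common():
        print(f"{ip}: {n} failed attempts")
    for passdb, user, msg in report["failures_without_ip"]:
        print(f"no IP available: {passdb}({user}): {msg}")
    print("ban candidates:", ban_candidates(SAMPLE_LOG.splitlines()))
```

Run against a real `/var/log/maillog`, the `failures_without_ip` list is exactly the set of attempts that no IP-based blocker can act on; if it is non-empty while `failures_by_ip` stays empty, the login process is not emitting the `Disconnected (auth failed ...)` lines the tally depends on, which is the configuration question the post raises.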