22 Jul 2024, 7:14 p.m.
Dear list,
Look at this grep auth-worker | nl output from my dovecot log:
166 Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukhadra@domain.tld): unknown user
167 Jul 22 15:49:47 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
168 Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
169 Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
170 Jul 22 15:55:26 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
171 Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
172 Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadoussama@radioalgerie.dz): unknown user
173 Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
174 Jul 22 16:00:58 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
175 Jul 22 16:02:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
176 Jul 22 16:09:35 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
177 Jul 22 16:09:42 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
178 Jul 22 16:10:11 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
179 Jul 22 16:15:37 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
180 Jul 22 16:26:55 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
181 Jul 22 16:32:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
182 Jul 22 16:35:37 auth-worker(19555): Info: sql(it_sys@domain.tld): unknown user
As you can see, sometimes the IP addresses of the dubious login attempts are noted, other times this crucial piece of evidence is conspicuously absent.
I am wondering what the source of all those login attempts is. Or could those be mere username lookups instead, to test for mail deliverability?
Many thanks,
-- yassine -- sysadm +213-779 06 06 23 http://about.me/ychaouche Looking for side gigs.
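
One way to triage a log like the one in this message, as an added example that is not part of the original post: it parses the sql(user[,ip]) prefix seen in the excerpt and tallies failures separately for entries that carry a client IP and entries that do not. The function names and the sample lines are constructed for illustration; the code only groups the entries and does not decide which group is a real login attempt.

```python
import re
from collections import Counter, defaultdict

# Shape taken from the excerpt: auth-worker(PID): Info: sql(USER[,IP]): MESSAGE
# Anything after the IP inside the parentheses is tolerated and ignored.
LINE_RE = re.compile(
    r"auth-worker\((?P<pid>\d+)\): Info: "
    r"sql\((?P<user>[^,)]*)(?:,(?P<ip>[^,)]+))?[^)]*\): (?P<msg>.+)$"
)

# Constructed sample lines modelled on the excerpt (not real log data).
SAMPLE = """\
1 Jul 22 15:49:47 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
2 Jul 22 15:53:00 auth-worker(13026): Info: sql(user.a@domain.tld,10.10.10.19): Password mismatch
3 Jul 22 15:53:15 auth-worker(13026): Info: sql(user.a@domain.tld,10.10.10.19): Password mismatch
4 Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
5 Jul 22 16:00:58 auth-worker(19555): Info: sql(it_mam@domain.tld): unknown user
6 Jul 22 16:05:00 imap-login: Info: some unrelated line
""".splitlines()


def parse_line(line):
    """Return a dict with pid, user, ip (None if absent) and msg, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    return rec


def summarize(lines):
    """Split failures into per-IP counters and a counter for IP-less entries."""
    with_ip = defaultdict(Counter)   # ip -> Counter[(user, msg)]
    without_ip = Counter()           # Counter[(user, msg)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # not an auth-worker sql() line
        key = (rec["user"], rec["msg"])
        if rec["ip"]:
            with_ip[rec["ip"]][key] += 1
        else:
            without_ip[key] += 1
    return with_ip, without_ip


if __name__ == "__main__":
    by_ip, no_ip = summarize(SAMPLE)
    for ip, counts in by_ip.items():
        for (user, msg), n in counts.most_common():
            print(f"{ip:15} {n:3} {msg}: {user}")
    for (user, msg), n in no_ip.most_common():
        print(f"{'(no IP logged)':15} {n:3} {msg}: {user}")
```

To run it on a real log, pass the open log file to summarize() in place of SAMPLE.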