Hi!
I’m new to the list, and I’m not really having a ‘problem’, but I’m seeing something in my log files that I wonder if I should be concerned.
I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel 2.6.17-1.2142_FC4) machine from quite some time.
For the last few days, I’ve been seeing this in my daily ‘Logwatch’ e-mail:
dovecot:
Authentication Failures:
rhost= : 139 Time(s)
root: 13 Time(s)
Unknown Entries:
check pass; user unknown: 139 Time(s)So it looks pretty obvious that someone (using root and an assortment of other login names) is trying to access by dovecot server.
My first ‘issue’ is I can’t find a log file anywhere that tells me the IP address of the attacker. I see a series of ‘authentication failure’ messages in my /log/messages file:
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
But I don’t find anything in any other log files to indicate where this is coming from.
Secondly, I’m wondering if I have anything to be concerned about.
Thanks in advance for you help!
Jon
No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.472 / Virus Database: 269.8.3/824 - Release Date: 5/29/2007 1:01 PM