On Wed, 2007-05-30 at 09:10 -0600, Jon Slater wrote:
> I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel 2.6.17-1.2142_FC4) machine for quite some time.
Note that 0.99 is several years old already and it's not really supported anymore.
> So it looks pretty obvious that someone (using root and an assortment of other login names) is trying to access my dovecot server.
> My first ‘issue’ is I can’t find a log file anywhere that tells me the IP address of the attacker. I see a series of ‘authentication failure’ messages in my /log/messages file:
> May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
You're using PAM. Unfortunately it doesn't really give any better messages. You could find out the IP by finding "Aborted login" messages from Dovecot near the same timestamp. They're most likely in /var/log/maillog or something similar.
You could also set auth_verbose=yes in dovecot.conf. After that Dovecot will also log the authentication failures (at least v1.0 does, I don't remember if v0.99 had that setting) so it's easier to find the IP.
> Secondly, I’m wondering if I have anything to be concerned about.
Probably just some random attacks.
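
The timestamp correlation suggested in the reply above, as an added example that is not part of the original message or of Dovecot itself: it pairs each PAM "authentication failure" line with the client IPs of "Aborted login" lines logged within a few seconds. The "Aborted login" sample lines, their exact layout, the IP addresses, the second failure line and the 5-second window are constructed assumptions; only the first PAM line comes from the thread.

```python
import re
from datetime import datetime, timedelta

YEAR = 2007  # assumption: syslog timestamps carry no year; taken from the thread date
TS = r"^(\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s"
PAM_FAIL = re.compile(TS + r".*dovecot\(pam_unix\).*authentication failure;.*\buser=(\S+)")
# Assumption: the client IPv4 address appears somewhere after "Aborted login".
ABORTED = re.compile(TS + r".*Aborted login.*?(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample input (first line of SAMPLE_MESSAGES is the one quoted in the thread).
SAMPLE_MESSAGES = [
    "May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=root",
    "May 29 21:40:02 mydomainname dovecot(pam_unix)[15317]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=admin",
]
SAMPLE_MAILLOG = [
    "May 29 21:23:37 mydomainname pop3-login: Aborted login [192.0.2.45]",
    "May 29 21:30:00 mydomainname pop3-login: Aborted login [198.51.100.7]",
    "May 29 21:23:36 mydomainname imap-login: Login: jon [192.0.2.10]",
]


def _ts(text):
    """Parse a syslog timestamp such as 'May 29 21:23:35' using the assumed year."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def correlate(messages, maillog, window=5):
    """Return (timestamp, user, [ips]) for each PAM failure; ips are the clients
    of 'Aborted login' lines logged within +/- window seconds of the failure."""
    aborted = [(_ts(m.group(1)), m.group(2))
               for m in map(ABORTED.search, maillog) if m]
    span = timedelta(seconds=window)
    results = []
    for m in map(PAM_FAIL.search, messages):
        if not m:
            continue
        when = _ts(m.group(1))
        ips = sorted({ip for t, ip in aborted if abs(t - when) <= span})
        results.append((m.group(1), m.group(2), ips))
    return results


if __name__ == "__main__":
    for stamp, user, ips in correlate(SAMPLE_MESSAGES, SAMPLE_MAILLOG):
        print(stamp, user, ", ".join(ips) or "no nearby aborted login")
```

A failure with an empty IP list means no "Aborted login" line fell inside the window, so widen the window or check a different log file before drawing conclusions.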