[Dovecot] Authentication failure messages in logs
Hello,
I'm currently running dovecot on a Debian stable and every day, I see this message dozens of times in my logs:
Mar 16 11:27:57 hector dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nicolas rhost=72.53.129.223 user=nicolas
On the list archive, this message, for example, says to comment out the pam section: http://www.dovecot.org/list/dovecot/2008-July/031966.html Except that my authentication needs pam...
Is there any way to solve this without migrating to virtual users?
Thanks in advance
Here is my dovecot -n output:
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.13-grsec-xxxx-grs-ipv6-64 x86_64 Debian 6.0.7
protocols: imap imaps managesieve sieve
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(managesieve):
ssl_cert_file: /etc/ssl/localcerts/dovecot.pem
ssl_key_file: /etc/ssl/localcerts/dovecot.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
lda:
  postmaster_address: postmaster@babelouest.org
  mail_plugins: sieve
  mail_plugin_dir: /usr/lib/dovecot/modules/lda
  sieve_dir: ~/
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
    args: dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
plugin:
  sieve: ~/.dovecot.sieve
On Sat, 16 Mar 2013, Nicolas Mora wrote:
> I'm currently running dovecot on a Debian stable and every day, I see this message dozens of times in my logs:
> Mar 16 11:27:57 hector dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nicolas rhost=72.53.129.223 user=nicolas
> On the list archive, this message, for example, says to comment out the pam section: http://www.dovecot.org/list/dovecot/2008-July/031966.html Except that my authentication needs pam...
> Is there any way to solve this without migrating to virtual users?
> passdb:
>   driver: pam
>   args: dovecot
Well, you seem to use just one passdb. The article you are referring to says "the first try is always empty username and password so it slows down terribly every action.".
So to clarify your situation a bit:
- Did you enable auth_debug? If not, do so for a day or two.
- Do you see in the logs whether more than one database is queried for one login process? If not, the article does not match your situation.
- Is "nicolas" a valid user? Are all users with authentication failure valid ones?
- When you log in _yourself_ manually (not with a cached password in Thunderbird), do you see that log message, too? If you are unsure whether you can log in without a cached password, try to ssh to your server, then
  telnet localhost 143
  1 login "username" "password"
  2 logout
- Did you consider that your server is under (slow) attack?
Steffen Kaiser
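One way to answer the "valid users?" and "slow attack?" questions above from the auth log, as an added example that is not part of the original thread: it groups pam_unix failure lines by remote host and labels each source. The sample log, the valid_users set and the two verdict labels are assumptions made for the illustration; lines without a user= field fall back to ruser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pam_unix format quoted in the thread; hosts, users and
# addresses are made up (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar 16 03:10:02 mailhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=198.51.100.7
Mar 16 07:41:30 mailhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=198.51.100.7  user=alice
Mar 16 11:27:57 mailhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.10  user=bob
Mar 16 11:42:57 mailhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.10  user=bob
Mar 16 19:03:12 mailhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=198.51.100.7
Mar 16 19:05:00 mailhost sshd[811]: Accepted publickey for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?")

def parse_failures(text, year):
    """Yield (time, rhost, login name) per failure line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rhost"], m["user"] or m["ruser"]

def summarize(text, valid_users, year=2013):
    """Group failures by remote host and label each source (heuristic, assumed rules)."""
    by_host = defaultdict(list)
    for ts, rhost, user in parse_failures(text, year):
        by_host[rhost].append((ts, user))
    report = {}
    for rhost, events in by_host.items():
        users = {u for _, u in events}
        unknown = sorted(users - set(valid_users))
        # Several names or nonexistent accounts from one address: guessing.
        # One valid account repeating from one address: more likely a stale saved password.
        verdict = "guessing" if unknown or len(users) > 1 else "stale-client?"
        times = [t for t, _ in events]
        report[rhost] = {"failures": len(events), "users": sorted(users),
                         "unknown_users": unknown, "verdict": verdict,
                         "span_hours": (max(times) - min(times)).total_seconds() / 3600}
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG, valid_users={"alice", "bob"}).items():
        print(host, info)
```

A source spread over many hours with few attempts each, as in the first host of the sample, is the pattern that per-minute rate limits miss, so the span is reported alongside the count.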
On 18/03/2013 10:13, Steffen Kaiser wrote:
> Well, you seem to use just one passdb. The article you are referring to says "the first try is always empty username and password so it slows down terribly every action.".
Yes, sorry, I may have messed up with the links...
In fact, I may have been wrong from the beginning because the problem seems not to come from dovecot but higher in the auth process, probably PAM...
Sorry for the silly question.
participants (2)
- Nicolas Mora
- Steffen Kaiser