auth-worker doesn't systematically log the IP
Dear list,
look at this grep auth-worker | nl output from my dovecot log:
166 Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukhadra@domain.tld): unknown user
167 Jul 22 15:49:47 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
168 Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
169 Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
170 Jul 22 15:55:26 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
171 Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
172 Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadoussama@radioalgerie.dz): unknown user
173 Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
174 Jul 22 16:00:58 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
175 Jul 22 16:02:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
176 Jul 22 16:09:35 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
177 Jul 22 16:09:42 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
178 Jul 22 16:10:11 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
179 Jul 22 16:15:37 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
180 Jul 22 16:26:55 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
181 Jul 22 16:32:01 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
182 Jul 22 16:35:37 auth-worker(19555): Info: sql(it_sys@domain.tld): unknown user
As you can see, sometimes the IP addresses of the dubious login attempts are noted, other times this crucial piece of evidence is conspicuously absent.
I am wondering what the source of all those login attempts is. Or could those be mere username lookups instead, to test for mail deliverability?
Many thanks,
-- yassine -- sysadm +213-779 06 06 23 http://about.me/ychaouche Looking for side gigs.
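The following parser is an added example and is not part of the thread or of Dovecot itself. It reads auth-worker lines of the shape posted above (the sample is reconstructed from the first eight lines of the post, with the nl numbering removed), splits the sql(...) field into user and optional client IP, and groups failures by (user, IP) so that the lines which carry no address can be counted separately. The regex and function names are this example's own.

```python
"""Summarise failed Dovecot auth-worker lookups, separating lines with and without a client IP.

Added example, not from the mailing-list thread. The sample lines are constructed
from the thread's posted output; the regular expression and helpers are assumptions
of this example, not Dovecot code.
"""
import re
from collections import Counter

# Constructed sample: the first lines of the posted `grep auth-worker | nl` output,
# without the nl line numbers.
SAMPLE_LOG = """\
Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukhadra@domain.tld): unknown user
Jul 22 15:49:47 auth-worker(13026): Info: sql(prtg@domain.tld): unknown user
Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.abbas@domain.tld,10.10.10.19): Password mismatch
Jul 22 15:55:26 auth-worker(13026): Info: sql(it_sys@domain.tld): unknown user
Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadoussama@radioalgerie.dz): unknown user
Jul 22 16:00:38 auth-worker(13026): Info: sql(it_mam@domain.tld): unknown user
"""

# One line: "<Mon DD HH:MM:SS> auth-worker(<pid>): <level>: <driver>(<user>[,<ip>]): <result>"
# The ",<ip>" part is optional, which is exactly the inconsistency the post is about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"auth-worker\((?P<pid>\d+)\): \w+: "
    r"(?P<driver>\w+)\((?P<user>[^,)]+)(?:,(?P<ip>[^)]+))?\): "
    r"(?P<result>.+)$"
)


def parse_line(line):
    """Return a dict with ts, pid, driver, user, ip (None if absent) and result, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every matching auth-worker line; non-matching lines are skipped."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def summarize(records):
    """Count failures per (user, ip) and per result string."""
    by_source = Counter((r["user"], r["ip"]) for r in records)
    by_result = Counter(r["result"] for r in records)
    return by_source, by_result


def without_ip(records):
    """Lines where the auth-worker logged no client address at all."""
    return [r for r in records if r["ip"] is None]


def report(text):
    """Human-readable summary; returns the lines rather than printing them."""
    records = parse_log(text)
    by_source, by_result = summarize(records)
    lines = [f"{len(records)} auth-worker lines, {len(without_ip(records))} without an IP"]
    for result, n in by_result.most_common():
        lines.append(f"  {n:3d}  {result}")
    for (user, ip), n in by_source.most_common():
        lines.append(f"  {n:3d}  {user}  from {ip or '<no ip logged>'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The point the grouping makes visible is that the lines without an address cannot be attributed to a source from this log alone, so a fail2ban-style rule keyed on the sql(...) field would only ever see the subset that carries an IP.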
On 22/07/2024 19:14 EEST Yassine Chaouche via dovecot <dovecot@dovecot.org> wrote:
You would probably want to use the new event-based system for these logs:

event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}

metric auth_failed {
  filter = event=auth_request_finished AND NOT success=yes
  exporter = log
}
Aki
On 7/22/24 at 18:53, Aki Tuomi via dovecot wrote:
Many thanks for the suggestion Aki.
Best,
-- yassine -- sysadm +213-779 06 06 23 http://about.me/ychaouche Looking for side gigs.
participants (2)
- Aki Tuomi
- Yassine Chaouche