[Dovecot] What are they trying to do here?
Hi!
I’m new to the list, and I’m not really having a ‘problem’, but I’m seeing something in my log files that I wonder whether I should be concerned about.
I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel 2.6.17-1.2142_FC4) machine for quite some time.
For the last few days, I’ve been seeing this in my daily ‘Logwatch’ e-mail:
dovecot:
Authentication Failures:
rhost= : 139 Time(s)
root: 13 Time(s)
Unknown Entries:
check pass; user unknown: 139 Time(s)
So it looks pretty obvious that someone (using root and an assortment of other login names) is trying to access my dovecot server.
My first ‘issue’ is I can’t find a log file anywhere that tells me the IP address of the attacker. I see a series of ‘authentication failure’ messages in my /log/messages file:
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
But I don’t find anything in any other log files to indicate where this is coming from.
Secondly, I’m wondering if I have anything to be concerned about.
Thanks in advance for your help!
Jon
On Wed, 2007-05-30 at 09:10 -0600, Jon Slater wrote:
> I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel 2.6.17-1.2142_FC4) machine for quite some time.
Note that 0.99 is several years old already and it's not really supported anymore.
> So it looks pretty obvious that someone (using root and an assortment of other login names) is trying to access my dovecot server.
> My first ‘issue’ is I can’t find a log file anywhere that tells me the IP address of the attacker. I see a series of ‘authentication failure’ messages in my /log/messages file:
> May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
You're using PAM. Unfortunately it doesn't really give any better messages. You could find out the IP by finding "Aborted login" messages from Dovecot near the same timestamp. They're most likely in /var/log/maillog or something similar.
You could also set auth_verbose=yes in dovecot.conf. After that Dovecot will also log the authentication failures (at least v1.0 does, I don't remember if v0.99 had that setting) so it's easier to find the IP.
> Secondly, I’m wondering if I have anything to be concerned about.
Probably just some random attacks.
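Timo's suggestion of matching the PAM failures against Dovecot's "Aborted login" lines by timestamp, as an added Python example that is not from the thread. It assumes the constructed log lines below, the year 2007 for the year-less syslog timestamps, and a v1.0-style "Aborted login: user=..., rip=..." wording; check your own maillog for the exact format your version writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, not from the thread. The "Aborted login" wording is
# an assumption modelled on Dovecot v1.0; adjust ABORTED to match your maillog.
MESSAGES_LOG = """\
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""
MAILLOG = """\
May 29 21:23:35 mydomainname dovecot: imap-login: Aborted login: user=root, rip=192.0.2.10, lip=198.51.100.5
May 29 21:23:36 mydomainname dovecot: pop3-login: Aborted login: user=admin, rip=192.0.2.10, lip=198.51.100.5
May 29 21:23:38 mydomainname dovecot: imap-login: Aborted login: user=test, rip=203.0.113.7, lip=198.51.100.5
May 29 22:00:00 mydomainname dovecot: imap-login: Login: user=jon, rip=198.51.100.20, lip=198.51.100.5
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
PAM_FAIL = re.compile(r"dovecot\(pam_unix\)\[\d+\]: authentication failure")
ABORTED = re.compile(r"Aborted login: user=(\S+?), rip=([\d.]+)")

def parse_ts(line, year=2007):  # syslog lines carry no year; 2007 assumed
    return datetime.strptime(f"{year} {SYSLOG_TS.match(line).group(1)}", "%Y %b %d %H:%M:%S")

def aborted_logins(maillog):
    """Return (timestamp, user, remote_ip) for each Dovecot 'Aborted login' line."""
    return [(parse_ts(l), m.group(1), m.group(2))
            for l in maillog.splitlines() if (m := ABORTED.search(l))]

def attempts_by_ip(maillog):
    """Tally aborted logins per remote IP: the list worth feeding to a firewall."""
    return dict(Counter(rip for _, _, rip in aborted_logins(maillog)))

def correlate(messages_log, maillog, window_seconds=1):
    """For each PAM failure, collect remote IPs of aborted logins within the window.
    More than one IP per entry means the match is ambiguous (auth_verbose=yes avoids this)."""
    aborted = aborted_logins(maillog)
    result = []
    for line in messages_log.splitlines():
        if not PAM_FAIL.search(line):
            continue  # skip "check pass; user unknown" and unrelated lines
        t = parse_ts(line)
        ips = {rip for at, _, rip in aborted
               if abs((at - t).total_seconds()) <= window_seconds}
        result.append((t.strftime("%b %d %H:%M:%S"), sorted(ips)))
    return result
```

With the default one-second window every failure above resolves to a single source; widening the window lets the unrelated 21:23:38 attempt from a second address bleed into the last match.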