Re: [Dovecot] auth trouble
Glenn English writes:
> I'm getting a lot of what I think is a local socket asking dovecot:auth to verify username/passwords:
> May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
If dovecot-auth is getting input from a local socket, then rhost information is irrelevant since the host doing the asking is the server itself (maybe from another daemon connected to a remote host).
Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.
Joseph Tam jtam.home@gmail.com
On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
> If dovecot-auth is getting input from a local socket, then rhost information is irrelevant since the host doing the asking is the server itself (maybe from another daemon connected to a remote host).
Thanks for the confirmation of my suspicions...
> Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.
and for the suggestion -- I do have Postfix using Dovecot-Auth checking for SASL.
I think I'm going to re-install and run Tripwire...
-- Glenn English hand-wrapped from my Apple Mail
On Tue, Jun 05, 2012 at 09:38:49AM -0600, Glenn English wrote:
> On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
>> If dovecot-auth is getting input from a local socket, then rhost information is irrelevant since the host doing the asking is the server itself (maybe from another daemon connected to a remote host).
> Thanks for the confirmation of my suspicions...
What suspicions were confirmed?
>> Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.
And these brute force attempts would be logged, each one.
> and for the suggestion -- I do have Postfix using Dovecot-Auth checking for SASL.
> I think I'm going to re-install and run Tripwire...
I think you are overreacting.
http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
On Jun 5, 2012, at 3:53 PM, /dev/rob0 wrote:
> What suspicions were confirmed?
At first I thought that somebody was TCP'ing in and somehow turning off the remote IP in the log so I couldn't block it. Then an answer from another mailing list, and a little thinking, made it occur to me that maybe my server had been penetrated.
> And these brute force attempts would be logged, each one.
They are, with no rhost. And there are other brute force attempts that *do* have IPs.
> I think you are overreacting.
I really hope so. What's your thinking? Have you seen this before? And most important: what is it, how does it work, and how do I get rid of it and keep it from coming back?
-- Glenn English hand-wrapped from my Apple Mail
On 6.6.2012, at 2.08, Glenn English wrote:
>> And these brute force attempts would be logged, each one.
> They are, with no rhost. And there are other brute force attempts that *do* have IPs.
I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the rhost. Upgrade.
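The practical problem in this thread is telling apart PAM failures that carry an rhost (which a log-based blocker can act on) from failures logged with an empty rhost, which Timo attributes to Dovecot v1.0 not passing the remote address to PAM. The script below is an added example written for this thread, not code from Dovecot or from any poster; the log lines are constructed to mirror the one Glenn quoted, using RFC 5737 documentation addresses, and the threshold is an assumed value. It parses the pam_unix "authentication failure" lines, counts failures per rhost and per attempted user, and reports separately how many failures cannot be attributed to any address.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample syslog lines modelled on the line quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
May 31 09:00:55 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
May 31 09:01:02 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
May 31 09:01:03 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=192.0.2.10
May 31 09:01:09 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=198.51.100.7
May 31 09:01:30 server dovecot: imap-login: Login: user=<glenn>, method=PLAIN, rip=203.0.113.5
"""

# Matches the pam_unix failure line emitted by dovecot-auth; the trailing
# key=value list (logname, uid, euid, tty, ruser, rhost) is captured as "kv".
PAM_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot-auth: "
    r"pam_unix\((?P<service>[^)]+)\): authentication failure; "
    r"(?P<kv>.*)$"
)


def parse_pam_failure(line: str) -> Optional[dict]:
    """Return the fields of a pam_unix failure line, or None for other lines."""
    m = PAM_FAILURE.match(line)
    if not m:
        return None
    # Tokens like "logname=" have an empty value; split(..., 1) keeps that.
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return {
        "timestamp": m.group("ts"),
        "service": m.group("service"),
        "ruser": fields.get("ruser", ""),
        "rhost": fields.get("rhost", ""),
    }


def summarize_failures(log_text: str) -> dict:
    """Count dovecot:auth PAM failures per rhost and per user.

    Failures with an empty rhost are counted under "unattributed": they
    cannot be tied to an address, which is exactly the case the thread is
    about, so they must not be silently merged with addressed failures.
    """
    by_rhost: Counter = Counter()
    by_user: Counter = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        rec = parse_pam_failure(line)
        if rec is None or rec["service"] != "dovecot:auth":
            continue
        by_user[rec["ruser"]] += 1
        if rec["rhost"]:
            by_rhost[rec["rhost"]] += 1
        else:
            unattributed += 1
    return {
        "by_rhost": dict(by_rhost),
        "by_user": dict(by_user),
        "unattributed": unattributed,
    }


def hosts_over_threshold(summary: dict, threshold: int = 2) -> list:
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(h for h, n in summary["by_rhost"].items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    print("failures per rhost:", summary["by_rhost"])
    print("failures per user:", summary["by_user"])
    print("failures with no rhost:", summary["unattributed"])
    print("hosts at or over threshold:", hosts_over_threshold(summary))
```

On a real server the "unattributed" count is the figure to watch after the upgrade Timo suggests: if newer Dovecot passes rhost to PAM, that count should drop to zero while the per-rhost counts continue to show the remote brute-force attempts that a blocker can act on.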
On Jun 8, 2012, at 10:25 AM, Timo Sirainen wrote:
> I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the rhost. Upgrade.
Will do. What you say fits with what I see in the logs and is a lot simpler than many other suggestions. And you do have some credibility in this area :-)
Thanks.
-- Glenn English hand-wrapped from my Apple Mail