[Dovecot] Logging IP address for failed login
Hi,
I am trying to use the logs to show the IP that brute force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts.
dovecot 2.0.12 / CentOS 5.4 / imaps only (993)
I have tried a bunch of different combinations of 10-logging.conf settings. This is what I have currently (that does not work the way I want):
auth_verbose = yes
#auth_verbose_passwords = no
#auth_debug = yes
#auth_debug_passwords = no
#mail_debug = no
I *don't* want to see the passwords, either failed or successful. I just want to see failed logins for whatever reason and the IP they came from.
In /var/log/maillog I get lines like this:
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
When I had debugging turned on, I would get lines like this:
Sep 9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,62.128.300.94): lookup
but only for successful logins. The brute force attempts don't log like that:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
No IP anywhere in that.
fail2ban seems to rely on the pop-login or imap-login lines to pull the IP from. I get an imap-login for my real logins:
Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS
but no similar line for the failed logins.
So is this a dovecot logging configuration combination I need to find? Is it getting lost in pam? Is it specific to CentOS?
Any help appreciated - happy to read up on it myself, but would need a pointer, since the docs so far either assume I get an imap-login line for failed logins, which I don't, or they assume I just want to see the repeated attempts/passwords.
Scott.
On 10/1/2012 3:36 PM, Scott Neville wrote:
In /var/log/maillog I get lines like this:
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
I'm guessing you are using a centos package. This may be package version specific.
Here is RHEL6's dovecot 2.0.9 default except for setting auth_verbose = yes.
Sep 28 21:12:10 compiler dovecot: auth: pam(test,::1): unknown user
Sep 28 21:12:24 compiler dovecot: auth: pam(validuser,::1): pam_authenticate() failed: Authentication failure (password mismatch?)
2.1.9/2.1.10 which I packaged shows similar.
Since I connected localhost, the IP is IPv6, of course.
Jack
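The two posters' log lines differ in exactly one field: Jack's 2.0.9 package writes pam(user,ip), Scott's CentOS package writes pam(user). The following added example (not from either poster or from Dovecot) counts failed PAM authentications per source IP over constructed sample lines in both formats, so that lines carrying no IP show up as a visible gap instead of being dropped silently.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the formats shown in the thread
# (syslog prefix, then dovecot auth / imap-login messages). Not real logs;
# the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct  1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Sep 28 21:12:10 compiler dovecot: auth: pam(test,::1): unknown user
Sep 28 21:12:24 compiler dovecot: auth: pam(validuser,::1): pam_authenticate() failed: Authentication failure (password mismatch?)
Oct  1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=20360, TLS
Oct  1 12:40:01 olive dovecot: auth: pam(backup,203.0.113.5): unknown user
Oct  1 12:40:03 olive dovecot: auth: pam(backup,203.0.113.5): pam_authenticate() failed: Authentication failure (password mismatch?)
Oct  1 12:40:05 olive dovecot: auth: pam(root,203.0.113.5): unknown user
"""

# "pam(user,ip): <reason>" as in Jack's 2.0.9 output; the IP group is
# optional so the CentOS form "pam(user): ..." still matches (with ip=None).
PAM_FAIL_RE = re.compile(
    r"dovecot: auth: pam\((?P<user>[^,)]*)(?:,(?P<ip>[^)]+))?\): "
    r"(?P<reason>unknown user|pam_authenticate\(\) failed.*)$"
)

def auth_failures(log_text):
    """Return (user, ip_or_None, reason) for every failed PAM authentication.
    Successful imap-login lines never match and are ignored."""
    out = []
    for line in log_text.splitlines():
        m = PAM_FAIL_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip"), m.group("reason")))
    return out

def failures_per_ip(log_text):
    """Count failures per source IP; lines without an IP land under 'no-ip-logged'."""
    counts = Counter()
    for _user, ip, _reason in auth_failures(log_text):
        counts[ip or "no-ip-logged"] += 1
    return counts

def sources_over(log_text, threshold):
    """IPs with at least `threshold` failures, i.e. candidates for a fail2ban-style block."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items()
                  if ip != "no-ip-logged" and n >= threshold)

if __name__ == "__main__":
    for ip, n in failures_per_ip(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip}")
    print("over threshold:", sources_over(SAMPLE_LOG, 3))
```

A non-zero 'no-ip-logged' count is the signal that the package in use still logs the IP-less form, in which case no log parser can recover the source and the fix is on the Dovecot side.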