[Dovecot] Authentication Error Message formats
I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.
When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?
Clearly these two failures indicate a different error in the system. One indicates that someone forgot their password; the other indicates a dictionary attack.
Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.
On 10/29/2008, Albert E. Whale (aewhale@ABS-CompTech.com) wrote:
> When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
When asking for help, it is always a good idea to provide some basic info... in this case, sample log entries from failed events, and output of dovecot -n?
--
Best regards,
Charles
Charles Marcus wrote:
> On 10/29/2008, Albert E. Whale (aewhale@ABS-CompTech.com) wrote:
>> When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
> When asking for help, it is always a good idea to provide some basic info... in this case, sample log entries from failed events, and output of dovecot -n?
Thanks, Charles, my apologies.
Here is the Logging info:
Oct 29 09:43:12 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrel>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:15 192.168.50.5 dovecot: auth-worker(default): pam(darrel,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:17 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrel>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:20 192.168.50.5 dovecot: auth-worker(default): pam(darrel,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:22 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrel>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
And my dovecot.conf is attached.
BTW, these entries are samples of invalid users.
-- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.
ns6.ABS-CompTech.com root [/root] dovecot -n
# 1.1.4: /etc/dovecot.conf
base_dir: /var/run/dovecot/
protocols: imap pop3
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_greeting: SpamZapper Email ready.
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
verbose_proctitle: yes
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u
mail_debug: yes
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
auth default:
  username_format: %Lu
  verbose: yes
  debug: yes
  passdb:
    driver: passwd-file
    args: /home/dovecot.passwd
  passdb:
    driver: pam
  userdb:
    driver: passwd-file
    args: /home/dovecot.passwd
  userdb:
    driver: passwd
On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
> I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.
> When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
> Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?
To user: no. In logs: yes, with auth_verbose=yes.
Timo Sirainen wrote:
> On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
>> I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.
>> When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
>> Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?
> To user: no. In logs: yes, with auth_verbose=yes.
Timo, Thank you. I already have auth_verbose=yes.
Here is what I am seeing:
Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
These attempts to authenticate Darrin will not complete, as this is not a valid user. The IP Address 217.168.145.51 was cycling through 1364 attempts. I would like to identify this type of activity sooner, as this is not a valid user.
-- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.
On Wed, 2008-10-29 at 11:17 -0400, Albert E. Whale wrote:
> Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
> ..
> These attempts to authenticate Darrin will not complete, as this is not a valid user. The IP Address 217.168.145.51 was cycling through 1364 attempts. I would like to identify this type of activity sooner, as this is not a valid user.
OK, so you're using PAM. PAM doesn't tell Dovecot why the authentication failed. There are two possible solutions for your problem:
a) Look at PAM's own log (auth.log probably) instead. It probably tells the reason.
b) Don't use PAM.
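
Added example, not part of the thread and not Dovecot code: since PAM gives Dovecot no failure reason, the distinction the original poster wants can be recovered from the login-process lines by grouping failures per remote IP and checking each username against the set of real accounts. The account set, the threshold and the sample log lines are constructed assumptions; the line format follows the entries quoted above.

```python
import re
from collections import defaultdict

# Login-process failure line, in the format quoted in the thread.
FAILED = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login \(auth failed, (\d+) attempts\): "
    r"user=<([^>]*)>, method=\S+, rip=([0-9A-Fa-f.:]+),"
)

def summarize(lines, known_users, threshold=3):
    """Per remote IP: failures for unknown vs. existing accounts, plus a flag."""
    stats = defaultdict(lambda: {"unknown": 0, "bad_password": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # e.g. auth-worker/PAM lines, which carry no failure reason
        # Lowercase the name to mirror username_format: %Lu in the posted config.
        attempts, user, rip = int(m.group(1)), m.group(2).lower(), m.group(3)
        kind = "bad_password" if user in known_users else "unknown"
        stats[rip][kind] += attempts
        stats[rip]["users"].add(user)
    return {
        rip: {
            "unknown": s["unknown"],
            "bad_password": s["bad_password"],
            "distinct_users": len(s["users"]),
            # Repeated tries against accounts that do not exist suggest guessing.
            "suspect": s["unknown"] >= threshold,
        }
        for rip, s in stats.items()
    }

# Constructed sample input: host name, users and documentation-range IPs are made up.
SAMPLE_LOG = """\
Oct 29 09:43:12 mailhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrel>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Oct 29 09:43:15 mailhost dovecot: auth-worker(default): pam(darrel,203.0.113.7): pam_authenticate() failed: Authentication failure
Oct 29 09:43:31 mailhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Oct 29 09:43:40 mailhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<Darryl>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Oct 29 09:50:02 mailhost dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
"""
# Assumption: in practice this set is built from the passwd-file and system accounts.
KNOWN_USERS = {"alice", "bob"}

if __name__ == "__main__":
    for rip, row in summarize(SAMPLE_LOG.splitlines(), KNOWN_USERS).items():
        print(rip, row)
```
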
participants (3): Albert E. Whale, Charles Marcus, Timo Sirainen