[Dovecot] !

[Seth Mattinen]

Udo Rader wrote:
> Seth Mattinen schrieb:
>> Udo Rader wrote:
>>> Udo Rader schrieb:
>>>> Hi,
>>>>
>>>> we have recently been hit by a couple of brute force password 
>>>> attacks against dovecot. So what I want to do now is to add dovecot 
>>>> to fail2ban in order to block further attacks.
>>>>
>>>> However, I don't seem to be able to find out password verifification 
>>>> failures for our LDAP based user data.
>>>>
>>>> The only thing I see are loads of lines like these in the logfiles:
>>>>
>>>> -------CUT-------
>>>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: 
>>>> user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>>>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: 
>>>> user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>>>> dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: 
>>>> user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
>>>> -------CUT-------
>>>>
>>>> Googling the web I found that PAM based authentication obviously 
>>>> gives a matchable error message, but for some reasons the ldap 
>>>> backend does not - or does it?
>>>>
>>>> Any pointers highly appreciated :-)
>>>
>>> Solved it myself, adding changing to "auth_verbose = yes" in 
>>> dovecot.conf solved it.
>>>
>>> Any reasons why this isn't enabled by default?
>>>
>>
>> Because it's a debugging switch.
> 
> hmm, that's weird then.
> 
> Without turning on this "debugging switch" (LDAP) authentication 
> failures are not logged, so that's a pretty essential functionality 
> missing then.
> 

You're also running an old version. For me with 1.1.2, "dovecot: 
imap-login: Aborted login (auth failed, 0 attempts): rip=x.x.x.x, 
lip=x.x.x.x" is fine. If you want lots of details, turn on debugging.

~Seth