Hi,
I've posted this before but no one was able to help. I can't figure out
what they are trying to do, and if I should be concerned.
I am running dovecot version 0.99.14 on Fedora Core 4. It appears that my
dovecot server is under attack. This morning in my system e-mail I saw
this:
dovecot:
Authentication Failures:
rhost= : 23431 Time(s)
adm: 33 Time(s)
bin: 33 Time(s)
mail: 33 Time(s)
mysql: 21 Time(s)
nobody: 15 Time(s)
news: 14 Time(s)
operator: 8 Time(s)
sshd: 2 Time(s)
Unknown Entries:
check pass; user unknown: 23431 Time(s)
But, when I check my log files I can't find an IP address for the attacker.
So, for example, if I search my logs for "operator" I see:
./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
I've checked my snmplog for port activity on port 110 (for POP3) and 143
(for IMAP), but I don't see anything unusual. I also systematically
filtered out everything I knew was okay (ssh and httpd).
Does anyone know what this is? Or someone I could ask?
Thanks!!!!!!!!!!!!!!!!!!!!
Jon
Hi Jon, I cannot help with the specific question, but in my opinion, your first and primary goal should be to get that server updated to 1.0.1 asap... 0.99.x is no longer supported - and *very* dated...

Jon Slater wrote:
> [original post quoted in full; snipped]
Hello.

> > Does anyone know what this is? Or someone I could ask?

Normal dictionary attack?

-- 
Mart
On Saturday 16 June 2007 16:10, Jon Slater wrote:
> Hi,
>
> I've posted this before but no one was able to help. I can't figure
> out what they are trying to do, and if I should be concerned.
> I am running dovecot version 0.99.14 on Fedora Core 4. It appears
> that my dovecot server is under attack. This morning in my system
> e-mail I saw this:

Hi Jon, just my 5 cents, eventually you can figure out if they are trying to log in directly to your imap/pop3 ports or maybe through a webmail? In any case, why don't you give the fail2ban program a try to block login failures automatically through iptables, and of course upgrade your dovecot installation?

http://drees76.blogspot.com/2006/08/fail2ban-dovecot-and-brute-force.html

greetings,
dani
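The log lines Jon posted and dani's fail2ban suggestion meet at one detail: every pam_unix line has an empty `rhost=` and every audit record has `addr=?`, because the 0.99 dovecot-auth process evidently never tells PAM who the peer is. The script below is an added example, not code from the thread, from Dovecot or from fail2ban. It parses constructed copies of both record types, builds the per-user counts the logwatch report showed, and then runs a fail2ban-style failregex over the same lines to show that a filter keyed on them has no host to ban. The hostname, PIDs and the sshd line with a source address are made up for contrast, and the `<HOST>` expansion is an assumption written from memory rather than copied from fail2ban.

```python
"""Triage of Dovecot/PAM authentication failures like those in the thread.

Parses pam_unix syslog lines and audit USER_AUTH records, counts failures per
user the way a logwatch-style report does, and checks the one thing a
fail2ban-style filter needs before it can ban anyone: a recorded source address.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the post. Hostname, PIDs and the sshd
# line (which does carry an address, for contrast) are made up.
SAMPLE_LINES = [
    "Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=  user=operator",
    "Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=  user=operator",
    "Jun 15 23:31:03 lambdacenter dovecot(pam_unix)[15701]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=  user=adm",
    "Jun 15 23:31:09 lambdacenter dovecot(pam_unix)[15790]: check pass; user unknown",
    "Jun 15 23:31:09 lambdacenter dovecot(pam_unix)[15790]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=  user=webmaster",
    "Jun 15 23:31:12 lambdacenter sshd(pam_unix)[15802]: authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 "
    "auid=4294967295 msg='PAM authentication: user=operator "
    "exe=\"/usr/libexec/dovecot/dovecot-auth\" (hostname=?, addr=?, terminal=? "
    "result=Authentication failure)'",
]

# pam_unix writes "rhost=<host>  user=<name>" (two spaces); rhost is empty when
# the calling service never told PAM who the peer was.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<service>[\w.-]+)\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; "
    r"logname=\S* uid=\d+ euid=\d+ tty=\S* ruser=\S* rhost=(?P<rhost>\S*) +user=(?P<user>\S*)$"
)
UNKNOWN_USER_RE = re.compile(r"\(pam_unix\)\[\d+\]: check pass; user unknown$")
# auditd's USER_AUTH record uses "?" where the address is unknown.
AUDIT_FAIL_RE = re.compile(
    r"^type=USER_AUTH msg=audit\((?P<ts>[\d.]+):\d+\): .*?"
    r"msg='PAM authentication: user=(?P<user>\S+) exe=\"(?P<exe>[^\"]+)\" "
    r"\(hostname=(?P<hostname>[^,]*), addr=(?P<addr>[^,]*), terminal=(?P<terminal>\S+) "
    r"result=(?P<result>[^)]*)\)'$"
)


def parse_line(line):
    """Return one failed authentication as a dict, or None for any other line."""
    m = PAM_FAIL_RE.match(line)
    if m:
        return {"source": "pam_unix", "service": m["service"],
                "user": m["user"], "addr": m["rhost"] or None}
    m = AUDIT_FAIL_RE.match(line)
    if m:
        addr = m["addr"] if m["addr"] not in ("", "?") else None
        return {"source": "audit", "service": m["exe"].rsplit("/", 1)[-1],
                "user": m["user"], "addr": addr}
    return None


def summarize(lines):
    """Per-user and per-service failure counts plus the source-address check."""
    per_user, per_service, addresses = Counter(), Counter(), Counter()
    unknown_users = missing_addr = 0
    for line in lines:
        if UNKNOWN_USER_RE.search(line):
            unknown_users += 1
            continue
        ev = parse_line(line)
        # audit records duplicate the pam_unix ones (same pid), so count each
        # failure once, from the pam_unix line
        if ev is None or ev["source"] != "pam_unix":
            continue
        per_user[ev["user"]] += 1
        per_service[ev["service"]] += 1
        if ev["addr"]:
            addresses[ev["addr"]] += 1
        else:
            missing_addr += 1
    return {"per_user": per_user, "per_service": per_service,
            "addresses": addresses, "unknown_users": unknown_users,
            "missing_addr": missing_addr}


# Assumption: roughly what fail2ban substitutes for the <HOST> tag in a
# failregex; written from memory, not copied from fail2ban.
FAIL2BAN_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PAM_FAILREGEX = r"\(pam_unix\)\[\d+\]: authentication failure; .* rhost=<HOST>"


def fail2ban_host(line, failregex=PAM_FAILREGEX):
    """Emulate a fail2ban filter: the host it would ban for this line, or None."""
    m = re.search(failregex.replace("<HOST>", FAIL2BAN_HOST), line)
    return m["host"] if m else None


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("failures per user:   ", dict(s["per_user"]))
    print("failures per service:", dict(s["per_service"]))
    print("unknown-user probes: ", s["unknown_users"])
    print("failures with no source address:", s["missing_addr"])
    print("bannable hosts:", sorted({h for h in map(fail2ban_host, SAMPLE_LINES) if h}))
```

Run against the sample, every dovecot failure lands in `missing_addr` and only the sshd line yields a bannable host, which is exactly why grepping `/var/log/messages` for "operator" gives Jon usernames but no IP. A filter for this box has to key on a record that does carry the client address: the auth process's own log lines in a current Dovecot (with `auth_verbose` enabled it logs the client IP next to the username; check the exact line format of the version installed before writing the regex) or an iptables LOG rule on ports 110/143/993/995, rather than on these pam_unix or audit lines.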