Hi!
I'm new to the list, and I'm not really having a "problem", but I'm seeing
something in my log files that I wonder if I should be concerned about.
I've been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel
2.6.17-1.2142_FC4) machine for quite some time.
For the last few days, I've been seeing this in my daily "Logwatch" e-mail:
dovecot:
Authentication Failures:
rhost= : 139 Time(s)
root: 13 Time(s)
Unknown Entries:
check pass; user unknown: 139 Time(s)
So it looks pretty obvious that someone (using root and an assortment of
other login names) is trying to access my dovecot server.
My first "issue" is I can't find a log file anywhere that tells me the IP
address of the attacker. I see a series of "authentication failure"
messages in my /log/messages file:
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user
unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user
unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost
But I don't find anything in any other log files to indicate where this is
coming from.
Secondly, I'm wondering if I have anything to be concerned about.
Thanks in advance for your help!
Jon
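
A tally of the pam_unix records quoted above, grouped the way the Logwatch summary groups them, as an added example that is not part of the original message. The sample lines are constructed from the post's excerpt (unwrapped to one record per line); `summarize` and its result keys are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample, modelled on the pam_unix lines quoted in the post.
SAMPLE = """\
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user unknown
May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user unknown
May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
""".splitlines()

# Syslog record emitted by pam_unix on behalf of a service: "svc(pam_unix)[pid]: msg"
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>[\w-]+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # the value may be empty, e.g. "rhost="


def summarize(lines, service="dovecot"):
    """Count pam_unix failures per user, per rhost and per minute."""
    by_user, by_rhost, by_minute = Counter(), Counter(), Counter()
    unknown_user = 0
    for line in lines:
        m = RECORD.match(line)
        if not m or m["svc"] != service:
            continue
        msg = m["msg"]
        if msg.startswith("check pass; user unknown"):
            unknown_user += 1
        elif msg.startswith("authentication failure;"):
            fields = dict(FIELD.findall(msg))
            # pam_unix omits user= when the account does not exist
            by_user[fields.get("user") or "(unknown user)"] += 1
            # an empty rhost= means this record carries no source address
            by_rhost[fields.get("rhost") or "(empty)"] += 1
            by_minute[m["ts"][:-3]] += 1  # drop seconds to bucket by minute
    return {
        "failures_by_user": dict(by_user),
        "failures_by_rhost": dict(by_rhost),
        "failures_per_minute": dict(by_minute),
        "unknown_user_checks": unknown_user,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A `failures_by_rhost` result containing only `(empty)` reproduces the `rhost= :` line in the Logwatch report: the source address has to come from some other log, because these records do not contain it.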