Hi,

I sometimes find strange logs in the logwatch mail, especially under the pam field:

 --------------------- pam_unix Begin ------------------------

 dovecot:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 17784 Time(s)
       check pass; user unknown: 17784 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail: 320 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mysql: 304 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=postgres: 280 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=apache: 264 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root: 264 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ftp: 248 Time(s)
       bad username []: 32 Time(s)

/var/log/messages

Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: check pass; user unknown
Dec 6 08:53:10 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost

I could see that it's some kind of brute force attack. The question is why don't I see the remote host IP address here? All other services show the remote host IP except dovecot. The remote host IP is not present even in the /var/log/messages file.

Am I missing some option which would show me the remote host IP? Or does dovecot in general not log the remote host IP, or is it some specially crafted packet like the stealth scanning in nmap?

Any help on this issue would be much appreciated.

--
Regards,
Mohan.
On Mon, Dec 08, 2008, Mohan wrote:
> Hi,
>
> I find some times strange logs in logwatch mail especially under the pam
> field

Perhaps somebody is trying a dictionary attack against the IMAP or POP server. Everybody knows to look for probes against sshd, but may forget that the crackers can also try to find working user accounts and passwords by probing the mail servers.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

The children who know how to think for themselves spoil the harmony of the collective society that is coming, where everyone would be interdependent.
    1899 John Dewey, educational philosopher, proponent of modern public schools.
Mohan wrote on Mon, 08 Dec 2008 15:52:47 +0000:

> The remote host ip is not
> present even in the /var/log/messages file

what about /var/log/secure?

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Hi,

dovecot doesn't log anything to /var/log/secure. It's a default CentOS 4.4 installation. All dovecot messages are logged to /var/log/messages.

I tried connecting to port 110 via telnet directly and typed "user <random name>" and "pass <random pass>". If the username exists it shows authentication failure in the log and reports user=root, e.g. if I try as root. But if I try some username like idontexist, in the logs user= shows blank. In both cases it didn't log the remote host IP address; the rhost= remains blank.

How do I make dovecot log the remote host IP address of all connection attempts?

Regards,
Mohan.

Kai Schaetzl wrote:
> Mohan wrote on Mon, 08 Dec 2008 15:52:47 +0000:
>
>> The remote host ip is not
>> present even in the /var/log/messages file
>
> what about /var/log/secure?
>
> Kai
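As an added example (not part of this thread or of dovecot/logwatch), a small Python parser for the dovecot(pam_unix) syslog format quoted above: it produces the per-user "Time(s)" tally logwatch shows and additionally counts how many failures arrive with rhost= blank, which is the gap Mohan is asking about. The lines in SAMPLE are constructed for the demo, including the one with rhost filled in and the sshd line that should be ignored.

```python
import re
from collections import Counter

# pam_unix line as quoted in the thread; the (?P<msg>) tail is "event; key=value ..."
PAM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w-]+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # "rhost= user=root" -> rhost:"", user:"root"

def parse_pam_line(line):
    """Return a dict for one pam_unix syslog line, or None if the line is something else."""
    m = PAM_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    event, _, rest = rec["msg"].partition(";")
    rec["event"] = event.strip()
    rec["fields"] = dict(KV_RE.findall(rest))  # blank field -> empty string
    return rec

def summarize(lines, service="dovecot"):
    """Per-user failure tally (as logwatch reports) plus how many failures lack rhost."""
    by_user, stats = Counter(), Counter()
    for line in lines:
        rec = parse_pam_line(line)
        if rec is None or rec["service"] != service:
            continue  # other services (sshd etc.) are reported elsewhere
        if rec["event"] == "authentication failure":
            stats["failures"] += 1
            by_user[rec["fields"].get("user") or "<blank>"] += 1
            if not rec["fields"].get("rhost"):
                stats["no_rhost"] += 1  # the gap the thread is about
        elif "user unknown" in rec["msg"]:
            stats["user_unknown"] += 1
    return by_user, stats

# Constructed sample, not a real log: the thread's format plus one line with rhost filled in
SAMPLE = """\
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: check pass; user unknown
Dec  6 08:53:10 SYSTEM100 dovecot(pam_unix)[2727]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=
Dec  6 08:53:11 SYSTEM100 dovecot(pam_unix)[2728]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Dec  6 08:53:12 SYSTEM100 dovecot(pam_unix)[2729]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Dec  6 08:53:13 SYSTEM100 dovecot(pam_unix)[2730]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=mail
Dec  6 08:53:14 SYSTEM100 sshd(pam_unix)[2800]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
""".splitlines()

if __name__ == "__main__":
    users, stats = summarize(SAMPLE)
    print(users.most_common(), dict(stats))
```

Run against a real /var/log/messages, a high no_rhost count tells you the PAM lines alone cannot identify the source, so the dovecot login-process log lines have to be used for that instead.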