I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.

When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.

Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?

Clearly these two failures indicate a different error in the system. One that someone forgot their password, the other indicates a dictionary attack.

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.

On 10/29/2008, Albert E. Whale (aewhale at ABS-CompTech.com) wrote:
> When a user fails authentication, or a user does not exist, it appears
> that the same message is used for these events.

When asking for help, it is always a good idea to provide some basic info... in this case, sample log entries from failed events, and output of dovecot -n?

--
Best regards,
Charles

On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
> I have been using UW's IMAP server and I am converting to Dovecot for
> Maildir support.
>
> When a user fails authentication, or a user does not exist, it appears
> that the same message is used for these events.
>
> Is there a way to indicate that the user does not exist (Invalid user),
> and authentication Failure (Failed Password)?

To user: no. In logs: yes, with auth_verbose=yes.

Timo Sirainen wrote:
> On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
>
>> I have been using UW's IMAP server and I am converting to Dovecot for
>> Maildir support.
>>
>> When a user fails authentication, or a user does not exist, it appears
>> that the same message is used for these events.
>>
>> Is there a way to indicate that the user does not exist (Invalid user),
>> and authentication Failure (Failed Password)?
>>
>
> To user: no. In logs: yes, with auth_verbose=yes.
>

Timo,

Thank you. I already have auth_verbose=yes. Here is what I am seeing:

Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234

These attempts to authenticate Darrin will not complete, as this is not a valid user. The IP Address 217.168.145.51 was cycling through 1364 attempts. I would like to identify this type of activity sooner, as this is not a valid user.

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
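
Added example, not part of any message in this thread: because the PAM lines above read "Authentication failure" for both cases, one way to separate them is to compare the user= field of the login-process lines against a list of real accounts and count failures per remote IP. The account list, the threshold of 3, the verdict labels and the names classify, VALID_USERS and SAMPLE are assumptions made for this sketch; the last sample line is constructed.

```python
import re
from collections import defaultdict

# Login-process failure line in the format quoted in the thread.
LOGIN_FAIL = re.compile(
    r"dovecot: \w+-login: Aborted login \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def classify(lines, valid_users, threshold=3):
    """Per remote IP: (verdict, failures on unknown accounts, failures on known accounts)."""
    counts = defaultdict(lambda: [0, 0])  # rip -> [unknown, known]
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m is None:
            continue  # auth-worker/pam lines read the same in both cases
        known = m["user"].lower() in valid_users
        counts[m["rip"]][1 if known else 0] += int(m["n"])
    report = {}
    for rip, (unknown, known) in counts.items():
        if unknown >= threshold:
            verdict = "probable-guessing"  # repeated tries at names that do not exist
        elif unknown:
            verdict = "unknown-user"
        else:
            verdict = "failed-password"    # real account, wrong password
        report[rip] = (verdict, unknown, known)
    return report

# Assumption: the operator supplies the account list (e.g. from the passwd database).
VALID_USERS = {"alice", "bob"}  # constructed

SAMPLE = [
    # First five lines are the ones quoted in the thread.
    "Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234",
    "Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure",
    "Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234",
    "Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure",
    "Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234",
    # Constructed line: a real account with a wrong password.
    "Oct 29 09:44:02 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=66.207.133.234",
]

if __name__ == "__main__":
    for rip, result in classify(SAMPLE, VALID_USERS).items():
        print(rip, result)
```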