Rick Baartman
2011-Sep-19 17:05 UTC
[Dovecot] 64.31.19.48 attempt to break into my computer
From my secure log:

Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby

etc. Literally, 30,000 user names attempted.

-- 
rick baartman

TRIUMF
4004 Wesbrook Mall
Vancouver, BC
V6T2A3
Charles Marcus
2011-Sep-22 14:08 UTC
[Dovecot] 64.31.19.48 attempt to break into my computer
On 2011-09-19 1:05 PM, Rick Baartman <baartman at lin12.triumf.ca> wrote:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.

Dictionary attacks are quite common, nothing new here... fail2ban is what I use, would have killed this one (since it's from the same IP) almost immediately...

It doesn't work so well with sophisticated bots that can change IPs at will, but the secondary method of locking out an account after X number of failed auth attempts will eliminate the risk of a focused attack on a single account, so as long as you are using strong passwords, your system is secure (from these kinds of attacks, at least).

The only attack I haven't figured out how to eliminate is the social/phishing attack, where $DumbUser gives out their username and password voluntarily... although I have been considering faking a phishing attack on my own users, and flagging the ones who fall for it for training.

-- 
Best regards,

Charles
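The same-IP threshold Charles describes is the logic fail2ban applies to this log: count PAM "authentication failure" lines per client address inside a sliding time window and ban the address the moment the count reaches maxretry. The script below is an added example, not code from this thread or from fail2ban itself; it reimplements that logic in Python over a constructed log sample modelled on Rick's lines, plus a second constructed address (192.0.2.10, from the documentation range) whose failures are spread out enough to fall outside the default window. The year, maxretry and findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines Rick posted. 192.0.2.10 is a
# documentation address added to show a host whose failures straddle the window.
SAMPLE_LOG = [
    "Sep 19 00:50:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10",
    "Sep 19 00:50:01 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10",
    "Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
    "Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48",
    "Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron",
    "Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
    "Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48",
    "Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby",
    "Sep 19 01:16:46 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48",
    "Sep 19 01:20:00 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10",
]

# Match only the pam_unix "authentication failure" line: the "check pass" and
# pam_succeed_if lines belong to the same attempt and would triple the tally.
# PAM logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); the optional
# group strips that prefix so the address matches what a firewall rule expects.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure; .*"
    r"rhost=(?:::ffff:)?(?P<host>\S+)$"
)


def parse_failure(line, year=2011):
    """Return (timestamp, host) for a failure line, or None for any other line."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2011 here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def count_failures(lines, year=2011):
    """Total failures per client address, ignoring time (a quick triage view)."""
    totals = defaultdict(int)
    for line in lines:
        hit = parse_failure(line, year)
        if hit:
            totals[hit[1]] += 1
    return dict(totals)


def scan(lines, maxretry=3, findtime=600, year=2011):
    """fail2ban-style sliding window over chronologically ordered lines.

    A host is banned at the timestamp of its maxretry-th failure that lies
    within findtime seconds of the earliest failure still in the window.
    Returns {host: ban_time}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        hit = parse_failure(line, year)
        if not hit:
            continue
        ts, host = hit
        if host in bans:
            continue  # decision already taken for this host
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    for host, when in scan(SAMPLE_LOG).items():
        print(f"ban {host} (threshold reached at {when:%H:%M:%S})")
```

With the defaults, 64.31.19.48 is banned on its third failure at 01:16:46 while 192.0.2.10 never is, because its third failure lands 30 minutes after the first two; widening findtime to 3600 bans it too. Two details carry over to a real fail2ban filter: match only the pam_unix failure line, and allow for the `::ffff:` prefix, otherwise the address passed to the ban action does not match the one in the log.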
Ralf Hildebrandt
2011-Sep-22 14:12 UTC
[Dovecot] 64.31.19.48 attempt to break into my computer
* Rick Baartman <baartman at lin12.triumf.ca>:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.

And? Any success?

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
John Alexander
2011-Sep-22 14:13 UTC
[Dovecot] 64.31.19.48 attempt to break into my computer
Fail2Ban is an excellent tool to deal with this sort of thing.

On Mon, 19 Sep 2011 10:05:47 -0700, Rick Baartman wrote:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.
> -- 
> rick baartman
>
> TRIUMF
> 4004 Wesbrook Mall
> Vancouver, BC
> V6T2A3

------------------------------------
I've stopped trying to catch up, I'm just trying to limit the rate at which I'm falling behind

John Alexander
On 19.09.2011 19:05, Rick Baartman wrote:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:45 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:45 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user abby
>
> etc. Literally, 30,000 user names attempted.

I can advise you to use Fail2Ban. This will block that IP address after a customizable number of failed logins. In addition you can `whois` this IP address and send an email to abuse at provider.
It is a great tool. Unfortunately dovecot allows infinite incorrect logins during a single session. When fail2ban has firewalled the IP it's pointless as the rule only affects new sessions, not established ones. I am disappointed that the author of dovecot has no interest in adding a feature that closes the session after x auth failures. It would certainly make tools like fail2ban more effective.

----- Reply message -----
From: "John Alexander" <john.alexander at preachain.org>
Date: Fri, Sep 23, 2011 00:13
Subject: [Dovecot] 64.31.19.48 attempt to break into my computer
To: <dovecot at dovecot.org>

Fail2Ban is an excellent tool to deal with this sort of thing.

On Mon, 19 Sep 2011 10:05:47 -0700, Rick Baartman wrote:
> From my secure log:
>
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Sep 19 01:16:44 lin12 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:64.31.19.48
> Sep 19 01:16:44 lin12 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user aaron
Quoting Alex <other at ahhyes.net>:
> It [fail2ban] is a great tool. Unfortunately dovecot allows infinite
> incorrect logins during a single session. When fail2ban has
> firewalled the ip its pointless as the rule only affects new
> sessions, not established ones. I am disappointed that the author of
> dovecot has no interest in adding a feature that closes the session
> after x auth failures. It would certainly make tools like fail2ban
> more effective.

If that is a big issue for you, you could always have fail2ban add a dummy route. For example:

    route add $IP gw 127.0.0.1

Rick