dovecot - Oct 2012 - Logging IP address for failed login

Hi,

I am trying to use the logs to show the IP that brute force activity comes from,
but Im not succeeding. I have read the archives and seen the advice others have
had. I can see logs for repeated bad logins, but I need the IP address from the
attempts.

dovecot 2.0.12 / CentOS 5.4 / imaps only (993)

I have tried a bunch of different combinations of 10-logging.conf settings. This
is what I have currently (that does not work the way I want):

auth_verbose = yes
#auth_verbose_passwords = no
#auth_debug = yes
#auth_debug_passwords = no
#mail_debug = no

I *dont* want to see the passwords, either failed or successful. I just want to
see failed logins for whatever reason and the IP they came from.

In /var/log/maillog I get lines like this:
Oct  1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct  1 04:19:17 olive dovecot: auth: pam(marketing): unknown user

When i had debugging turned on, I would get lines like this:

Sep  9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,62.128.300.94): lookup

but only for successful logins. The brute force attempts dont log like that:

Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1
msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1
msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1
msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user

No IP anywhere in that.

fail2ban seems to rely on the pop-login or imap-login lines to pull the IP from.
I get an imap-login for my real logins:

Oct  1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>,
method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS

but no similar line for the failed logins.

So is this a dovecot logging configuration combination I need to find? Is it
getting lost in pam? Is it specific to CentOS?

Any help appreciated - happy to read up on it myself, but would need a pointer,
since the docs so far either assume I get an imap-login line for failed logins
which I dont, or they assume I just want to see the repeated attempts/passwords.


Scott.

On 10/1/2012 3:36 PM, Scott Neville wrote:
>
> In /var/log/maillog I get lines like this:
> Oct  1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
> Oct  1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
>
I'm guessing you are using a centos package. This may be package version 
specific.

Here is RHEL6's dovecot 2.0.9 default except for setting auth_verbose = yes.

Sep 28 21:12:10 compiler dovecot: auth: pam(test,::1): unknown user
Sep 28 21:12:24 compiler dovecot: auth: pam(validuser,::1): 
pam_authenticate() failed: Authentication failure (password mismatch?)

2.1.9/2.1.10 which I packaged shows similar.

Since I connected localhost, the IP is IPv6, of course.

Jack

Scott Neville <dovecot-in at keystealth.org> writes:
> I am trying to use the logs to show the IP that brute force activity
> comes from, but Im not succeeding.  I have read the archives and seen
> the advice others have had.  I can see logs for repeated bad logins,
> but I need the IP address from the attempts.
>
> ...
> but only for successful logins. The brute force attempts dont log like
that:
>
> Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
This was similar to another complaint several months ago.  I conjectured
that these attempts are SMTP AUTH, not IMAP, brute forcing.  Are you
using the dovecot's SASL feature to authenticate outgoing Email (i.e. via
Postfix?).  Maybe you verify this hypothesis by checking the Postfix logs.

Joseph Tam <jtam.home at gmail.com>