Hi,
I am trying to use the logs to show the IP that brute force activity comes from,
but I'm not succeeding. I have read the archives and seen the advice others have
had. I can see logs for repeated bad logins, but I need the IP address from the
attempts.
dovecot 2.0.12 / CentOS 5.4 / imaps only (993)
I have tried a bunch of different combinations of 10-logging.conf settings. This
is what I have currently (that does not work the way I want):
auth_verbose = yes
#auth_verbose_passwords = no
#auth_debug = yes
#auth_debug_passwords = no
#mail_debug = no
I *don't* want to see the passwords, either failed or successful. I just want to
see failed logins for whatever reason and the IP they came from.
In /var/log/maillog I get lines like this:
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
When I had debugging turned on, I would get lines like this:
Sep 9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,62.128.300.94): lookup
but only for successful logins. The brute force attempts don't log like that:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
No IP anywhere in that.
fail2ban seems to rely on the pop-login or imap-login lines to pull the IP from.
I get an imap-login for my real logins:
Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS
but no similar line for the failed logins.
So is this a dovecot logging configuration combination I need to find? Is it
getting lost in pam? Is it specific to CentOS?
Any help appreciated - happy to read up on it myself, but would need a pointer,
since the docs so far either assume I get an imap-login line for failed logins
which I don't, or they assume I just want to see the repeated attempts/passwords.
Scott.
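As an added example (not part of Scott's post, and not code from the Dovecot or fail2ban projects), the script below runs over constructed maillog lines and shows the distinction the post is about: the auth-process lines (pam(...): unknown user, the Debug: lines) carry no client address and cannot drive IP-based blocking, while the imap-login lines carry it in the rip= field and can be aggregated per IP. The lines with "Disconnected (auth failed, N attempts)" are my assumption of how Dovecot's imap-login reports a failed login once it logs one; the sample IPs, the function names classify/summarize/offenders and the maxretry threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (not the original server's log).
# The first two lines are the auth-process shape from the post: no IP at all.
# The imap-login lines carry the client address in rip=; the "auth failed"
# line shape is an assumption about Dovecot's imap-login failure log line.
SAMPLE_MAILLOG = """\
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS
Oct 1 12:40:01 olive dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<backup>, method=PLAIN, rip=198.51.100.23, lip=204.152.189.165, TLS
Oct 1 12:40:09 olive dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<marketing>, method=PLAIN, rip=198.51.100.23, lip=204.152.189.165, TLS
Oct 1 12:41:30 olive dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=204.152.189.165, TLS
"""

RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")          # remote (client) IP field
USER_RE = re.compile(r"user=<([^>]*)>")
LOGIN_OK_RE = re.compile(r"imap-login: Login: user=<")
AUTH_FAILED_RE = re.compile(r"imap-login: Disconnected \(auth failed, (\d+) attempts?")
AUTH_PROCESS_RE = re.compile(r"dovecot: auth: ")        # pam()/passwd() auth-process lines


def classify(line):
    """Classify one maillog line as (kind, user, ip, attempts).

    kind is 'ok' (successful login with IP), 'failed' (auth failure with IP),
    'no_ip' (auth-process line naming a user but no client address) or 'other'.
    """
    ip_match = RIP_RE.search(line)
    ip = ip_match.group(1) if ip_match else None
    user_match = USER_RE.search(line)
    user = user_match.group(1) if user_match else ""
    if LOGIN_OK_RE.search(line) and ip:
        return ("ok", user, ip, 0)
    failed = AUTH_FAILED_RE.search(line)
    if failed and ip:
        return ("failed", user, ip, int(failed.group(1)))
    if AUTH_PROCESS_RE.search(line) and ip is None:
        return ("no_ip", None, None, 0)
    return ("other", None, None, 0)


def summarize(maillog_text):
    """Aggregate a maillog: failures per IP, lines unusable for IP blocking, successes."""
    summary = {
        "failed_lines_by_ip": Counter(),   # one count per failure line, as fail2ban would see it
        "attempts_by_ip": Counter(),       # sum of the "N attempts" values reported
        "no_ip_lines": 0,                  # auth-process lines with no address to act on
        "logins": [],                      # (user, ip) for successful logins
    }
    for line in maillog_text.splitlines():
        kind, user, ip, attempts = classify(line)
        if kind == "ok":
            summary["logins"].append((user, ip))
        elif kind == "failed":
            summary["failed_lines_by_ip"][ip] += 1
            summary["attempts_by_ip"][ip] += attempts
        elif kind == "no_ip":
            summary["no_ip_lines"] += 1
    return summary


def offenders(attempts_by_ip, maxretry):
    """IPs whose failed attempts reach maxretry (a fail2ban-style threshold), worst first."""
    hits = [(ip, n) for ip, n in attempts_by_ip.items() if n >= maxretry]
    return [ip for ip, _ in sorted(hits, key=lambda item: (-item[1], item[0]))]


if __name__ == "__main__":
    s = summarize(SAMPLE_MAILLOG)
    print("successful logins:", s["logins"])
    print("failed attempts per IP:", dict(s["attempts_by_ip"]))
    print("auth lines with no IP (unusable for blocking):", s["no_ip_lines"])
    print("IPs at/over maxretry=3:", offenders(s["attempts_by_ip"], 3))
```

Running it prints one address for the maxretry=3 threshold and reports the two pam(marketing) lines as having no IP, which is exactly why a filter keyed on auth-process output cannot block anything: the address only ever appears on the imap-login side.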