Jesús Ángel del Pozo
2021-Oct-11 11:35 UTC
Howto show user id for failed authentications attempts
Hello,

I am using dovecot_authenticator for Exim and I get a lot of authentication failure log entries, most of them due to brute force attacks. The log entries are like this:

2021-10-11 13:30:21 dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data

I wonder whether it would be possible to show the user ID the attacker used to authenticate himself.

Here is the SMTP data for one of these SMTP sessions:

SMTP>> 250-disguised.domain.com Hello [5.188.206.194] [5.188.206.194]
SMTP<< AUTH LOGIN
SMTP>> 334 VXNlcm5hbWU6
received: CONT 1 UGFzc3dvcmQ6
SMTP>> 334 UGFzc3dvcmQ6
received: FAIL 1 user=webmaster at somedomain.net
SMTP>> 535 Incorrect authentication data
LOG: MAIN REJECT
dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data
SMTP>> 421 disguised.domain.com lost input connection

Warm regards,

Jesús Ángel.
Jesús Ángel del Pozo
2021-Oct-13 10:05 UTC
Howto show user id for failed authentications attempts
Hello,

The problem was I forgot to add the server_set_id = $auth1 line to the dovecot_login authenticator.

Regards,

Jesús Ángel.

On 11/10/2021 13:35, Jesús Ángel del Pozo wrote:
>
> Hello,
>
> I am using dovecot_authenticator for Exim and I get a lot of
> authentication failure log entries, most of them due to brute force
> attacks. The log entries are like this:
>
> 2021-10-11 13:30:21 dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data
>
> I wonder whether it would be possible to show the user ID the attacker
> used to authenticate himself.
>
> Here is the SMTP data for one of these SMTP sessions:
>
> SMTP>> 250-disguised.domain.com Hello [5.188.206.194] [5.188.206.194]
> SMTP<< AUTH LOGIN
> SMTP>> 334 VXNlcm5hbWU6
> received: CONT 1 UGFzc3dvcmQ6
> SMTP>> 334 UGFzc3dvcmQ6
> received: FAIL 1 user=webmaster at somedomain.net
> SMTP>> 535 Incorrect authentication data
> LOG: MAIN REJECT
> dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data
> SMTP>> 421 disguised.domain.com lost input connection
>
> Warm regards,
>
> Jesús Ángel.
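
Added example, not part of the original posts: with server_set_id = $auth1 set on the authenticator, Exim appends "(set_id=...)" to the failure line, so the attempted user IDs can be tallied per source address. The log lines, addresses, function names and the min_users threshold below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim mainlog format. The "(set_id=...)" suffix
# is present only when server_set_id is configured on the authenticator.
SAMPLE_LOG = """\
2021-10-11 13:30:21 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=webmaster@example.net)
2021-10-11 13:30:25 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin@example.net)
2021-10-11 13:30:29 dovecot_login authenticator failed for ([192.0.2.10]) [192.0.2.10]: 535 Incorrect authentication data (set_id=info@example.net)
2021-10-11 13:31:02 dovecot_login authenticator failed for (mail.example.org) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@example.net)
2021-10-11 13:31:40 dovecot_login authenticator failed for ([203.0.113.5]) [203.0.113.5]: 535 Incorrect authentication data
"""

FAIL_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"\S+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>.*)\))?\s*$"
)

def parse_failures(text):
    """Yield (ip, user) per failed-auth line; user is None without set_id."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user is not None:
            # set_id is client-supplied: keep printable characters, cap length.
            user = "".join(c for c in user if c.isprintable())[:128]
        yield m.group("ip"), user

def summarize(text, min_users=3):
    """Return per-IP stats and the IPs that tried >= min_users distinct IDs."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for ip, user in parse_failures(text):
        stats[ip]["failures"] += 1
        if user:
            stats[ip]["users"].add(user)
    many_ids = sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)
    return dict(stats), many_ids

if __name__ == "__main__":
    stats, many_ids = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s["failures"], sorted(s["users"]))
    print("addresses trying many distinct IDs:", many_ids)
```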