On 1/7/22 11:24 PM, Ken Wright wrote:
> My Dovecot issues continue. Right now I see at least two issues:
> first, my logs consistently show non-users trying (and failing) to log
> in, and I'm still unable to log in from my email client (Evolution or
> Roundcube, either one).
>
> I'll post about the second issue later; right now I wonder why I'm
> getting so many non-users trying to log in. Am I the subject of
> concerted hacking attacks, or is there something else going on? Some
> of the attempted logins are more-or-less random names claiming to be
> @mydomain, but at least one is a username that's really on my server,
> to wit:
>
> Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server: conn
> unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com: Failed to
> lookup user www-data at mydomain.com: Internal error occurred. Refer to
> server log for more information.
>
> (Another quick question: which server log should I check?)
>
> So, if anyone can tell me what's going on with all these logins, I'd be
> much obliged!

I see them all the time on the mail servers I run. Typical kids trying
to mess with other peoples' stuff. I run fail2ban to catch those log
entries and block the source IP address for a month on the first failed
login. At any one time I have between 12,000 and 15,000 addresses in my
blocked list for IMAP.

-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA
On Fri, 2022-01-07 at 23:27 -0500, Dave McGuire wrote:
> On 1/7/22 11:24 PM, Ken Wright wrote:
> > My Dovecot issues continue. Right now I see at least two issues:
> > first, my logs consistently show non-users trying (and failing) to
> > log in, and I'm still unable to log in from my email client
> > (Evolution or Roundcube, either one).
> >
> > I'll post about the second issue later; right now I wonder why I'm
> > getting so many non-users trying to log in. Am I the subject of
> > concerted hacking attacks, or is there something else going on?
> > Some of the attempted logins are more-or-less random names claiming
> > to be @mydomain, but at least one is a username that's really on my
> > server, to wit:
> >
> > Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server:
> > conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com:
> > Failed to lookup user www-data at mydomain.com: Internal error
> > occurred. Refer to server log for more information.
> >
> > (Another quick question: which server log should I check?)
> >
> > So, if anyone can tell me what's going on with all these logins,
> > I'd be much obliged!
>
> I see them all the time on the mail servers I run. Typical kids
> trying to mess with other peoples' stuff. I run fail2ban to catch
> those log entries and block the source IP address for a month on the
> first failed login. At any one time I have between 12,000 and 15,000
> addresses in my blocked list for IMAP.

Dave, that's exactly the kind of answer I was looking for. Fail2ban,
huh? I'll have to check that out. Thanks again!

Ken
On 08.01.22 at 05:27, Dave McGuire wrote:
> trying to mess with other peoples' stuff. I run fail2ban to catch those
> log entries and block the source IP address for a month on the first
> failed login. At any one time I have between 12,000 and 15,000

Well, I don't know how _your_ users are connected to the internet, but
in Germany most people have at least daily-changing IPs out of larger
pools (when connected via xDSL) or even sometimes share IP addresses
with others (when connected via TV cable or mobile, having a private
network address which is NATed), so it's possible to get/use an IP
which was used before by some script kiddies...

So everyone who's blocking such requests for more than some
minutes/hours should be aware of maybe blocking legitimate user logins...

btw.: setting up a new mail client and making any mistake by reading it
from the old install or writing it into the new install also leads to a
month's blocking with the above restrictive handling... (and may drive
this user mad)

So anyone who has no experience with blocking should be really careful
with it.

d.
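To put numbers behind Dave's ban policy and d.'s dynamic-IP caveat, here is an added Python dry-run (example code, not from the thread and not fail2ban's own code) that replays Dovecot login-failure lines under fail2ban-style maxretry/findtime/bantime/ignoreip settings and reports which addresses each policy would have banned. The log lines, hostnames and addresses are constructed; the line format follows Dovecot's imap-login "auth failed" message and is keyed on its rip= (remote IP) field.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Dovecot login-failure line; the remote client address is the rip= field.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected:.*\(auth failed.*rip=(?P<ip>[0-9a-f.:]+)")

# Constructed sample: a scanner guessing names, one real user who mistyped a
# password once, and one failure from a LAN host (documentation/private ranges).
SAMPLE_LOG = """\
Jan  8 03:12:01 grace dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Jan  8 03:12:03 grace dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Jan  8 03:12:04 grace dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 1 secs): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Jan  8 03:15:40 grace dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 5 secs): user=<ken>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Jan  8 03:16:02 grace dovecot: imap-login: Login: user=<ken>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Jan  8 03:40:00 grace dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 3 secs): user=<ken>, method=PLAIN, rip=192.168.1.20, lip=192.0.2.1, TLS
"""

def parse_failures(text, year=2022):
    """Yield (timestamp, remote_ip) per failed-login line (syslog omits the year)."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def simulate_jail(text, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
    """Replay the log under fail2ban-style settings and return {ip: ban expiry}:
    maxretry failures within findtime seconds ban for bantime seconds; CIDRs in
    ignoreip are never banned (hypothetical re-implementation, not fail2ban)."""
    ignored = [ip_network(n) for n in ignoreip]
    recent, bans = {}, {}
    for ts, ip in parse_failures(text):
        if ip in bans or any(ip_address(ip) in net for net in ignored):
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans

if __name__ == "__main__":
    # Ban on the first failure for a month (the thread's setting) vs. a tolerant jail.
    print("ban on first failure:", sorted(simulate_jail(SAMPLE_LOG, maxretry=1, bantime=30 * 86400)))
    print("3 in 10 min, 1 h ban:", sorted(simulate_jail(
        SAMPLE_LOG, maxretry=3, findtime=600, bantime=3600, ignoreip=("192.168.1.0/24",))))
```

Run it against a copy of your own mail log before enabling a jail: the first policy bans Ken's single typo and the LAN host alongside the scanner, the second bans only the scanner.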