Displaying 20 results from an estimated 20000 matches similar to: "Logging authentication failures?"
2009 Mar 27
1
Six steps to better SIP security with Asterisk
In case any of you were wondering why there has been a fairly notable
upswing in the attacks happening on SIP endpoints, the answer is
"script kiddies." In the last few months, a number of new tools have
made it easy for knuckle-draggers to attack and defraud SIP endpoints,
Asterisk-based systems included. There are easily-available tools
that scan networks looking for SIP
2012 Oct 01
2
Logging IP address for failed login
Hi,
I am trying to use the logs to show the IP that brute force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts.
dovecot 2.0.12 / CentOS 5.4 / imaps only (993)
I have tried a bunch of different combinations of 10-logging.conf settings. This is what I have
2013 Aug 22
3
Logging passwords on auth failure/dealing with botnets
Hi,
Since upgrading our mail servers to Postfix/Dovecot, we've seen a rather large increase in botnet brute force password attacks. I guess our old servers were too slow to suit their needs.
Now, when they hit upon a valid user, it's easy to see what passwords they are trying (we've enabled auth_debug_passwords and set auth_verbose_passwords = plain). We can easily have log
2011 Mar 31
0
asterisk-users Digest, Vol 80, Issue 73
>> Back to the original question, for those of you using Fail2Ban,
>> Does it take an unusually high amount of break-in attempts before
> attackers are banned?
>> I have it set to 5 attempts in fail2ban but usually, the attacker is able
> to make over 100 attempts before fail2ban bans them.
>> I've tried this using asterisk's /var/log/asterisk/messages and
2009 Jun 04
3
Dovecot under brute force attack - nice attacker
Hi List,
optimizing the configuration on one of our servers (which was
hit by a brute force attack on dovecot) showed an odd behavior.
Dovecot Version 1.0.7 (CentOS 5.2)
The short story:
On one of our servers an attacker did a brute force
attack on dovecot (pop3).
Since the attacker closed and reopened the connection
after every user/password combination the logs showed
many lines like
2014 Feb 28
1
Logging authentication failures when Dovecot's auth service used to authenticate postfix smtpd
Hello,
tl;dr: Is there a way to get dovecot's auth to log failed smtp
authentications without having to switch on "auth_verbose"?
postfix version 2.11.0 and dovecot version 2.2.12
I'm currently migrating my postfix+courier to postfix+dovecot and so
far it's working as expected. Except for logging smtp login failures.
Despite Postfix logging successful authentications (see
2008 Dec 06
1
catching authentication failures with LDAP backend
Hi,
we have recently been hit by a couple of brute force password attacks
against dovecot. So what I want to do now is to add dovecot to fail2ban
in order to block further attacks.
However, I don't seem to be able to find out password verification
failures for our LDAP based user data.
The only thing I see are loads of lines like these in the logfiles:
-------CUT-------
dovecot: Nov
2008 Jan 30
5
One approach to dealing with SSH brute force attacks.
Message-ID: <479F2A63.2070408 at centos.org>
On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org>
Subject Was: [CentOS] Unknown rootkit causes compromised servers
>
> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see
> 4% of the brute force attempts to login on ports other than 22.
>
> I would say that dropping brute force
2015 Jul 29
1
Fedora change that will probably affect RHEL
On Tue, Jul 28, 2015 at 5:29 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 28, 2015, at 2:27 PM, Chris Murphy <lists at colorremedies.com> wrote:
>>
>> On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote:
>>
>>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to
2007 Apr 30
0
Remodified Asterisk brute force blockers..
Top of the morning all... So I reworked the pseudo IDS/Brute Force
Asterisk script for those who want to either use it, or use it as a
baseline to build a better one...
The script now does a few things... It logs those with password issues,
and blocks them as well. This was done to ensure that a remote user who
was blocked can be found in the log. E.g., Sally the homemaker keeps
fiddling
2012 Jun 15
1
Update on spam, postfix, fail2ban, centos 6
I have been using centos 6 in a virtualized system for a few months now.
Took a while to batten down the hatches with postfix, rbls, and to use
fail2ban correctly.
The mailserver for my website(s) are located on the http server as
well..an 'all in one' server.
DNS servers are separated.
My two sites, and their emails addresses (1 for each) have been around
for 10 and 15 years
2005 Jun 23
1
Rate Limit Unauthenticated connections ?
I am seeing a recent increase in SSH harvesting attempts and brute
forcing in the log of my system.
I'm interested in opening up some discussion around what OpenSSH can do
itself to counter measure against:
* DoS attack where too many unauthenticated connections are open. I'm
not interested in stopping the professional saboteur but the casual
script kiddie (to use IRC terms) from
2006 Oct 17
4
Problem with rc10
I just upgraded our test server from rc6 to rc10...
ISSUE #1
I noticed that we no longer are getting two "From_" lines. However, the
one that was good (had the original sender e-mail address) is now gone.
The one with "dovecot.deliver" remains.
I attempted to add "-d test" to the mailbox_command line in main.cf as follows:
mailbox_command =
2015 Jul 28
0
Fedora change that will probably affect RHEL
On Jul 28, 2015, at 2:27 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
> On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote:
>
>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> Your freedom to have sshd enabled by default stops at the point
2015 Sep 23
1
OT: closing a port on home router
On Wed, September 23, 2015 00:11, Always Learning wrote:
>
>
> That is great. When I started on Linux that was one of the very
> first things I did. Every machine, including servers, has port 22
> replaced by a unique alternative port. Port 22 is also blocked in
> IPtables.
>
> There is an army of dangerous nutters attempting to break-in to
> everything. They often mask
2012 Mar 30
1
Proxying Authentication on both sides
I've recently set up a director proxy environment on my test servers, with
the intention of deploying on our cluster soon.
One thing I found confusing in the proxying documentation [1] was the
first bit about there being two ways to do the authentication...either you
have the proxy forward the auth to the real server for authentication, or
you have the proxy authenticate it and then login
2013 May 09
1
dovecot not logging after upgrade to 2.1.7 on debian
After upgrading my IMAP server to the new debian stable, and upgrading
dovecot from 1.x to 2.1.7 in the process, dovecot no longer logs
anything to /var/log/mail.*. The last entries there are from before the
upgrade, and no starts or error messages or failed login attempts, since
then, have been logged.
Does anyone know what might cause this?
"doveconf -n" doesn't mention any of
2006 Oct 19
2
performance problems with rc10 and solaris 10
Hi,
I have 2 dovecot imap servers running on solaris 10
The primary server with dovecot 1.0.alpha4 is running with best
performance on Sun Sparc E4k5 with 8x 450MHz
The secondary with rc10 has ugly performance problems on Sun E450 with 4x
450MHz. Every new imap process takes permanent 25% cpu usage
List the folder and fetch message are both slow!
Both servers are configured with ldap backend
2008 Jun 13
5
v1.1.rc10 released
http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc10.tar.gz
http://dovecot.org/releases/1.1/rc/dovecot-1.1.rc10.tar.gz.sig
v1.1.0 will be released on next Friday if nothing horrible happens.
* LIST X-STATUS renamed to LIST STATUS and fixed its behavior with
LIST-EXTENDED options. It's now compatible with STATUS-IN-LIST
draft 00.
- Message parsing could have sometimes produced