Dovecot Auth. Failure spams Message log


d3m0nic
22nd August 2006, 17:13
Hello,

[CentOS 4.3 - LAMP - ISPc - Dovecot]

My message log is spammed by Dovecot. The same line keeps repeating on and on!

Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

Any idea what this is and how I can resolve this... or is this normal?

TIA,

pablito
22nd August 2006, 18:50
Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

You might also do a cold restart of dovecot to make sure it isn't a hung session.

d3m0nic
23rd August 2006, 02:31
I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
...so, then I took a look at my maillog.
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]

Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator? :mad:

Any advice on how to go about this... emailing this clown or iptables rule?

Thanks,
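
An added example (not part of the thread, not Dovecot's code) that automates what pablito suggested and d3m0nic then did by hand: the PAM lines carry an empty rhost=, so the remote address has to come from the pop3/imap-login disconnect that the maillog records a few seconds later. The script pairs the two by timestamp, tallies failures per remote IP and reports whether the failures arrive on a fixed timer. The sample lines are constructed in the format of the ones posted above; the sshd and imap-login "Login:" lines are constructed noise to show they are ignored.

```python
"""Correlate Dovecot PAM failures (/var/log/messages) with pop3/imap-login
disconnects (/var/log/maillog) to recover the remote IP that rhost= lacks.
Added example; all sample log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample data in the same format as the thread's logs.
MESSAGES = """\
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:13:10 host1 sshd[1100]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""
MAILLOG = """\
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:13:30 host1 imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.9
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
PAM_FAIL_RE = re.compile(
    r"dovecot\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S*)")
# Dovecot logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
DISC_RE = re.compile(
    r"(?:pop3|imap)-login: Disconnected \[(?:::ffff:)?([0-9A-Fa-f.:]+)\]")


def parse_ts(line):
    """Syslog timestamp -> datetime (no year in syslog, so 1900; fine for ordering)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S")


def pam_failures(messages):
    """(timestamp, rhost) for every Dovecot PAM auth failure; rhost is '' when PAM had none."""
    out = []
    for line in messages.splitlines():
        m, ts = PAM_FAIL_RE.search(line), parse_ts(line)
        if m and ts:
            out.append((ts, m.group(1)))
    return out


def login_disconnects(maillog):
    """(timestamp, remote_ip) for every pop3/imap-login disconnect."""
    out = []
    for line in maillog.splitlines():
        m, ts = DISC_RE.search(line), parse_ts(line)
        if m and ts:
            out.append((ts, m.group(1)))
    return out


def attribute_failures(messages, maillog, window=5):
    """Count PAM failures per remote IP.

    A failure with an empty rhost is attributed to the first login disconnect
    that follows it within `window` seconds (the login process closes the
    connection right after PAM rejects it).  Returns (Counter, unmatched)."""
    disc = login_disconnects(maillog)
    hits, unmatched = Counter(), 0
    for ts, rhost in pam_failures(messages):
        if rhost:
            hits[rhost] += 1
            continue
        cands = [ip for dts, ip in disc if 0 <= (dts - ts).total_seconds() <= window]
        if cands:
            hits[cands[0]] += 1
        else:
            unmatched += 1
    return hits, unmatched


def polling_interval(times):
    """Constant gap in seconds between consecutive events, or None if the gaps vary.
    A steady gap (here 180 s) fits a mail client on a poll timer; it is worth
    distinguishing from a bursty guessing tool before deciding how to respond."""
    gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
    return gaps.pop() if len(gaps) == 1 else None


if __name__ == "__main__":
    hits, unmatched = attribute_failures(MESSAGES, MAILLOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} failed logins")
    print("unmatched:", unmatched)
    print("interval:", polling_interval([t for t, _ in pam_failures(MESSAGES)]), "s")
```

The window of a few seconds is deliberate: on the posted logs the disconnect trails the PAM failure by three seconds. Run it against real files, not the embedded strings, with `attribute_failures(open("/var/log/messages").read(), open("/var/log/maillog").read())`.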

falko
23rd August 2006, 16:52
Any advice on how to go about this... emailing this clown or iptables rule?

Thanks,
You can block that IP address like this:

route add -host 62.58.60.226 reject

jeeva
20th October 2009, 19:47
How do I ban complete ranges?
66.249.71.0/8 etc
66.249.71.1 -> 66.249.71.255
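
An added example (not from the thread) covering both falko's reject-route one-liner and jeeva's question about ranges: it turns a first/last address pair into the minimal set of CIDR blocks, shows what a given prefix actually covers once the host bits are masked off, and emits either iptables rules or the equivalent reject routes. The addresses used are the ones from the thread; the rule formats are standard iptables and net-tools `route` syntax.

```python
"""IP range -> minimal CIDR blocks -> block rules.  Added example, not from
the thread.  Uses only the standard library."""
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def normalize_cidr(cidr):
    """Canonical network for a prefix written on a host address.

    strict=False masks off the host bits, so the network a /8 on
    66.249.71.0 really denotes is returned, which is useful for checking a
    rule before it goes live."""
    return str(ipaddress.ip_network(cidr, strict=False))


def block_rules(cidrs, tool="iptables"):
    """Commands blocking each network.

    'iptables' inserts a DROP at the top of INPUT.  'route' is the reject-route
    approach from the earlier reply; a single host takes -host, anything wider
    needs -net with its netmask."""
    rules = []
    for c in cidrs:
        net = ipaddress.ip_network(c)
        if tool == "iptables":
            rules.append(f"iptables -I INPUT -s {net} -j DROP")
        elif tool == "route":
            if net.prefixlen == net.max_prefixlen:
                rules.append(f"route add -host {net.network_address} reject")
            else:
                rules.append(
                    f"route add -net {net.network_address} netmask {net.netmask} reject")
        else:
            raise ValueError(f"unknown tool: {tool}")
    return rules


if __name__ == "__main__":
    for first, last in (("66.249.71.0", "66.249.71.255"),
                        ("66.249.71.1", "66.249.71.255")):
        print(first, "->", last, "=", range_to_cidrs(first, last))
    print("66.249.71.0/8 is really", normalize_cidr("66.249.71.0/8"))
    for r in block_rules(range_to_cidrs("66.249.71.0", "66.249.71.255")):
        print(r)
    for r in block_rules(["62.58.60.226/32"], tool="route"):
        print(r)
```

Two practical points the output makes visible: a range that starts at .1 instead of .0 does not collapse to a /24 and needs eight blocks, so start the range on the network boundary if the whole /24 is meant; and a reject route works by refusing to send anything to the destination, so it also cuts your own outbound traffic to that network, whereas the iptables INPUT rule only drops what arrives from it. Neither survives a reboot on its own; iptables rules need saving with the distribution's mechanism (on CentOS, `service iptables save`).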