HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


stealthy 23rd January 2013 02:54

Postfix/Courier failed logins log location?
 
Many thanks to Falko for the awesome tut http://www.howtoforge.com/virtual-us...l-ubuntu-12.10 .

One thing, however, is lacking, which involves security and protection against brute force attacks. In my humble opinion, security should be part of every tutorial.

I am using Ubuntu 12.10 and can't figure out the location of the logs that would record the failed SMTP, POP3, IMAP logins.

Would Falko or anyone tell us in which log these records might be and how to enable the logging? And what the failed authentication attempts look like, so we might set up a fail2ban filter to block brute force attacks?

Many thanks!

stealthy 23rd January 2013 03:03

Looking at the tut, the auth mechanism is PAM, so the log should be /var/log/auth.log

I can see this in auth.log. Is this the authentication attempt?
Code:

Jan 23 08:16:45 romeo postfix/smtps/smtpd[24047]: sql auxprop plugin using mysql engine
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: begin transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin create statement from userPassword name domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin doing query select password from users where email = 'name@domain.com';
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: commit transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'

Where's the POP3 login record?

And what does a failed authentication attempt look like?

falko 23rd January 2013 17:28

Check out /var/log/mail.log.

stealthy 23rd January 2013 22:35

Quote:

Originally Posted by falko (Post 291109)
Check out /var/log/mail.log.

That log has nothing of value with regard to the information that I am after.

Having done some of my research, the POP3 authentication is defined in Courier, namely /etc/courier/authdaemonrc and /etc/courier/po3d-ssl. See this URL for more information:

http://www.courier-mta.org/authlib/R...authdebug.html

After changing the setting DEBUG_LOGIN=1 and enabling the debug info to be in the log (must issue "authdaemond stop" and "authdaemond start" commands), I finally got some half-useful information about the POP3 user getting logged.

However, I am not done in my quest of finding out which ciphers are being negotiated and chosen when making the POP3 handshake. The file /etc/courier/po3d-ssl lets you define some cipher options, but I need to know the actual log of the event.
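
An added example, not part of the thread: a small Python check of the kind a fail2ban filter performs, matching failed SMTP, POP3 and IMAP logins and reporting source IPs that reach a threshold inside a time window. The two line formats are assumptions (the usual Postfix SASL warning and Courier "LOGIN FAILED" messages, which the thread never shows), the sample lines are constructed, and the year is assumed because syslog timestamps omit it; maxretry and findtime are named after the fail2ban settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed formats (not shown in the thread): the usual Postfix SASL warning
# and Courier "LOGIN FAILED" lines as written to /var/log/mail.log.
PATTERNS = [
    re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
               r"SASL \S+ authentication failed"),
    re.compile(r"LOGIN FAILED, .*ip=\[(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)\]"),
]

# Constructed sample lines; the IPs come from the documentation ranges.
SAMPLE = [
    "Jan 23 08:16:47 romeo postfix/smtps/smtpd[24047]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jan 23 08:17:02 romeo pop3d: LOGIN FAILED, user=name@domain.com, ip=[::ffff:203.0.113.7]",
    "Jan 23 08:17:30 romeo imapd-ssl: LOGIN FAILED, user=name@domain.com, ip=[::ffff:203.0.113.7]",
    "Jan 23 08:18:00 romeo pop3d: LOGIN, user=name@domain.com, ip=[::ffff:198.51.100.20], port=[51234]",
    "Jan 23 08:19:00 romeo pop3d: LOGIN FAILED, user=name@domain.com, ip=[::ffff:198.51.100.20]",
    "Jan 23 09:40:00 romeo postfix/smtpd[24100]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed: authentication failure",
]

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), year=2013):
    """Return {ip: count} for IPs with >= maxretry failures inside findtime."""
    seen = defaultdict(list)
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                # syslog timestamps carry no year, so one is supplied
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                seen[m.group("ip")].append(ts)
                break
    result = {}
    for ip, stamps in seen.items():
        stamps.sort()
        # largest number of failures that fall inside any single window
        best = max(sum(1 for t in stamps[i:] if t - s <= findtime)
                   for i, s in enumerate(stamps))
        if best >= maxretry:
            result[ip] = best
    return result

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE).items():
        print(f"{ip}: {n} failed logins within findtime")
```
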


All times are GMT +2.