HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=4)
-   -   Dovecot Auth. Failure spams Message log (http://www.howtoforge.com/forums/showthread.php?t=6363)

d3m0nic 22nd August 2006 17:13

Dovecot Auth. Failure spams Message log
 
Hello,

[CentOS 4.3 - LAMP - ISPc - Dovecot]

My message log is spammed by Dovecot. The same line keeps repeating on and on!
Code:

Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

Any idea what this is and how I can resolve this... or is this normal?

TIA,

pablito 22nd August 2006 18:50

Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

You might also do a cold restart of dovecot to make sure it isn't a hung session.

d3m0nic 23rd August 2006 02:31

I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

Code:

Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

...so, then I took a look at my maillog.
Code:

Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]

Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator? :mad:

Any advice on how to go about this... emailing this clown or iptables rule?

Thanks,
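
The correlation d3m0nic did by hand above (an empty rhost= in the PAM line, a pop3-login disconnect three seconds later in maillog, the same three-minute cadence every time) can be scripted. This is an added example, not code from the thread; the log lines inside it are constructed to mirror the ones posted, the 10-second matching window and the function names are assumptions, and the "periodic" test is a heuristic for a mail client on a poll timer rather than proof of anything.

```python
"""Attribute Dovecot PAM authentication failures to a client IP.

Old pam_unix messages from Dovecot carry an empty rhost= field, so the
source is recovered by pairing each failure with the nearest
pop3-login/imap-login disconnect in maillog that follows it.
Added example for the thread; the sample log lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample data in the layout of the original post.
MESSAGES = """\
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

MAILLOG = """\
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:10:30 host1 pop3-login: Disconnected [::ffff:10.0.0.5]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
"""

# Classic syslog timestamp: month, space-padded day, time, no year.
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
PAM_FAIL = re.compile(
    SYSLOG_TS + r" \S+ dovecot\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure;.*rhost=(?P<rhost>\S*)$")
LOGIN_DISC = re.compile(
    SYSLOG_TS + r" \S+ (?P<proto>pop3|imap)-login: Disconnected "
    r"\[(?:::ffff:)?(?P<ip>[^\]]+)\]")


def parse_ts(text):
    # No year in syslog timestamps; 1900 is fine for intra-day deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def pam_failures(messages):
    """(timestamp, pid, rhost) for every pam_unix authentication failure."""
    out = []
    for line in messages.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            out.append((parse_ts(m["ts"]), int(m["pid"]), m["rhost"]))
    return out


def login_disconnects(maillog):
    """(timestamp, protocol, ip) for every *-login Disconnected line."""
    out = []
    for line in maillog.splitlines():
        m = LOGIN_DISC.search(line)
        if m:
            out.append((parse_ts(m["ts"]), m["proto"], m["ip"]))
    return out


def correlate(messages, maillog, window=10):
    """Attribute each PAM failure to the nearest disconnect that follows
    within `window` seconds (assumed window). Returns a Counter of IPs
    and the list of (timestamp, pid) failures that found no match."""
    discs = login_disconnects(maillog)
    attributed, unattributed = Counter(), []
    for ts, pid, rhost in pam_failures(messages):
        if rhost:  # newer PAM setups fill rhost; trust it when present
            attributed[rhost] += 1
            continue
        cands = [d for d in discs if 0 <= (d[0] - ts).total_seconds() <= window]
        if cands:
            attributed[min(cands, key=lambda d: d[0] - ts)[2]] += 1
        else:
            unattributed.append((ts, pid))
    return attributed, unattributed


def is_periodic(messages, tolerance=2):
    """(True, period_seconds) when failures arrive at a fixed interval,
    the signature of a polling client with a bad password rather than a
    guessing loop, which tends to hammer as fast as it can."""
    times = [f[0] for f in pam_failures(messages)]
    if len(times) < 3:
        return False, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = sum(gaps) / len(gaps)
    return all(abs(g - period) <= tolerance for g in gaps), period


if __name__ == "__main__":
    by_ip, missed = correlate(MESSAGES, MAILLOG)
    print("attributed:", dict(by_ip), "unattributed:", missed)
    print("periodic:", is_periodic(MESSAGES))
```

On the sample data every failure lands on 62.58.60.226 and the cadence is exactly 180 s, which is what makes "misconfigured client" more likely than "crack attempt". A real run would read /var/log/messages and /var/log/maillog instead of the embedded strings; the "check pass; user unknown" line means the login name does not exist in the PAM user database at all, so the client is not even sending a valid username.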

falko 23rd August 2006 16:52

Quote:

Originally Posted by d3m0nic
Any advise on how to go about this... emailing this clown or iptables rule?

Thanks,

You can block that IP address like this:

Code:

route add -host 62.58.60.226 reject

jeeva 20th October 2009 19:47

How do I ban complete ranges?
66.249.71.0/8 etc
66.249.71.1 -> 66.249.71.255
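
Falko's `route add -host ... reject` answer and jeeva's question about whole ranges can be handled by one small planner that turns a host, a CIDR or a first-last range into firewall rules. This is an added example, not code from the thread: it only builds the command strings (apply them with iptables or route yourself), the 65536-address safety limit and the function names are assumptions, and it deliberately shows what "66.249.71.0/8" really spans, since that prefix is far wider than 66.249.71.0-255.

```python
"""Plan host/range blocks for a mail server. Added example for the thread.

Only command strings are produced; nothing here touches the kernel.
"""
import ipaddress

MAX_ADDRESSES = 65536  # assumed guard: refuse anything wider than a /16


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def normalise_cidr(text):
    """Canonical network for a user-supplied prefix and its true size.
    strict=False masks host bits, so '66.249.71.0/8' becomes 66.0.0.0/8."""
    net = ipaddress.ip_network(text, strict=False)
    return str(net), net.num_addresses


def parse_target(spec):
    """Accept 'host', 'net/prefix', 'first-last' or 'first -> last'."""
    spec = spec.replace("->", "-").strip()
    if "-" in spec:
        first, last = (s.strip() for s in spec.split("-", 1))
        return range_to_cidrs(first, last)
    return [normalise_cidr(spec)[0]]


def iptables_rules(targets, chain="INPUT", action="DROP"):
    """Insert at the top of the chain so the rule fires before any
    ACCEPT for pop3/imap ports."""
    return [f"iptables -I {chain} -s {t} -j {action}" for t in targets]


def route_rule(host):
    # The thread's approach. A reject route discards our *replies* to the
    # host, so its TCP handshake never completes; the SYNs still reach
    # the listener, which is why an INPUT DROP is the tighter choice.
    return f"route add -host {host} reject"


def plan_block(spec, allow_wide=False):
    """Rules for `spec`, refusing oversized blocks unless allow_wide."""
    cidrs = parse_target(spec)
    total = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
    if total > MAX_ADDRESSES and not allow_wide:
        raise ValueError(f"{spec} covers {total} addresses ({cidrs}); "
                         "pass allow_wide=True if that is really intended")
    return iptables_rules(cidrs)


if __name__ == "__main__":
    print(route_rule("62.58.60.226"))
    for spec in ("62.58.60.226", "66.249.71.0/24", "66.249.71.1 -> 66.249.71.255"):
        print(spec, "->", plan_block(spec))
    print("66.249.71.0/8 really is", normalise_cidr("66.249.71.0/8"))
```

Note what the range form produces: 66.249.71.0 to .255 collapses to the single 66.249.71.0/24, but .1 to .255 needs eight blocks because the /24 would also cover .0; if the intent is "the whole subnet", write the /24. Rules added with iptables -I are lost at reboot unless saved (service iptables save on CentOS 4), and DROP versus REJECT is a choice, not a correctness issue.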

