  #1  
Old 22nd August 2006, 16:13
d3m0nic d3m0nic is offline
Member
 
Join Date: Feb 2006
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Dovecot Auth. Failure spams Message log

Hello,

[CentOS 4.3 - LAMP - ISPc - Dovecot]

My message log is spammed by Dovecot. The same line keeps repeating on and on!
Code:
Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Any idea what this is and how I can resolve this... or is this normal?

TIA,
Reply With Quote
  #2  
Old 22nd August 2006, 17:50
pablito pablito is offline
Junior Member
 
Join Date: Jan 2006
Location: Great White North, eh
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts

Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

You might also do a cold restart of dovecot to make sure it isn't a hung session.
Reply With Quote
  #3  
Old 23rd August 2006, 01:31
d3m0nic d3m0nic is offline
Member
 
Join Date: Feb 2006
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts

I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

Code:
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
...so, then I took a look at my maillog.
Code:
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator?

Any advice on how to go about this... emailing this clown or iptables rule?

Thanks,
Reply With Quote
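The correlation done by hand in the post above (the pam_unix lines carry an empty rhost=, so the client address has to come from the maillog), as an added example that is not part of the original thread. The sample lines are constructed with documentation-range addresses, and the function names, the 5-second window and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the two logs quoted in the thread;
# the addresses are documentation-range placeholders.
MESSAGES = """\
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""
MAILLOG = """\
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:192.0.2.10]
Aug 23 01:08:30 host1 pop3-login: Disconnected [::ffff:198.51.100.7]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:192.0.2.10]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:192.0.2.10]
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ dovecot\(pam_unix\)\[\d+\]: authentication failure;")
DISC_RE = re.compile(TS + r" \S+ (?:pop3|imap)-login: Disconnected \[(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)\]")

def _when(ts, year):
    # Syslog omits the year, so the caller supplies it (assumption: 2006).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(messages, maillog, window=5, year=2006):
    """Map each client IP to the PAM failure times it disconnected right after."""
    fails = [_when(m["ts"], year) for m in FAIL_RE.finditer(messages)]
    hits = defaultdict(list)
    for m in DISC_RE.finditer(maillog):
        t = _when(m["ts"], year)
        for f in fails:
            # A disconnect within `window` seconds after a failure is attributed to it.
            if timedelta(0) <= t - f <= timedelta(seconds=window):
                hits[m["ip"]].append(f)
    return dict(hits)

def retry_interval(times):
    """Return the gap in seconds if all failures are evenly spaced, else None."""
    gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
    return gaps.pop() if len(gaps) == 1 else None

if __name__ == "__main__":
    for ip, times in correlate(MESSAGES, MAILLOG).items():
        print(ip, len(times), "failures, interval:", retry_interval(times))
```

A fixed interval with a single source, as here, points to an automated client polling with stale credentials rather than a person guessing passwords.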
  #4  
Old 23rd August 2006, 15:52
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,727 Times in 2,565 Posts

Quote:
Originally Posted by d3m0nic
Any advice on how to go about this... emailing this clown or iptables rule?

Thanks,
You can block that IP address like this:

Code:
route add -host 62.58.60.226 reject
__________________
Falko
Reply With Quote
  #5  
Old 20th October 2009, 18:47
jeeva jeeva is offline
Junior Member
 
Join Date: Sep 2009
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts

How do I ban complete ranges?
66.249.71.0/8 etc
66.249.71.1 -> 66.249.71.255
Reply With Quote