Navigation

d3m0nic · #1 22nd August 2006, 16:13

Hello,

[CentOS 4.3 - LAMP - ISPc - Dovecot]

My message log is spammed by Dovecot. The same line keeps repeating on and on!

Code:

Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

Any idea what this is and how i can resolve this... or is this normal?

TIA,

pablito · #2 22nd August 2006, 17:50

Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

You might also do a cold restart of dovecot to make it isn't a hung session.

d3m0nic · #3 23rd August 2006, 01:31

I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

Code:

Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

...so, then i took a look at my maillog.

Code:

Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]

Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator?

Any advise on how to go about this... emailing this clown or iptables rule?

Thanks,