#1
23rd January 2013, 02:54
stealthy (Junior Member)
Postfix/Courier failed logins log location?

Many thanks to Falko for the awesome tut http://www.howtoforge.com/virtual-us...l-ubuntu-12.10 .

One thing, however, is lacking, which involves security and protection against brute force attacks. In my humble opinion, security should be part of every tutorial.

I am using Ubuntu 12.10 and can't figure out the location of the logs that would record the failed SMTP, POP3, IMAP logins.

Would Falko or anyone tell us in which log these records might be, and how to enable the logging? And how the failed authentication attempts look, so we might set up a fail2ban filter to block brute force attacks.

Many thanks!

Last edited by stealthy; 23rd January 2013 at 03:40. Reason: clarity
#2
23rd January 2013, 03:03
stealthy (Junior Member)

Looking at the tut, the auth mechanism is PAM, so the log should be /var/log/auth.log

I can see this in auth.log. Is this the authentication attempt?
Code:
Jan 23 08:16:45 romeo postfix/smtps/smtpd[24047]: sql auxprop plugin using mysql engine
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: begin transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin create statement from userPassword name domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin doing query select password from users where email = 'name@domain.com';
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: commit transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'

Where's the POP3 login record?

And what does a failed authentication attempt look like?

Last edited by stealthy; 23rd January 2013 at 03:37.
#3
23rd January 2013, 17:28
falko (Super Moderator)

Check out /var/log/mail.log.
#4
23rd January 2013, 22:35
stealthy (Junior Member)

Quote:
Originally Posted by falko
Check out /var/log/mail.log.

That log has nothing of value with regard to the information that I am after.

Having done some of my research, the pop3 authentication is defined in Courier, namely /etc/courier/authdaemonrc and /etc/courier/pop3d-ssl. See this URL for more information:

http://www.courier-mta.org/authlib/R...authdebug.html

After changing the setting DEBUG_LOGIN=1 and enabling the debug info to be in the log (must issue "authdaemond stop" and "authdaemond start" commands), I finally got some half-useful information about the POP3 user getting logged.

However, I am not done in my quest of finding out which ciphers are being negotiated and chosen when making the POP3 handshake. The file /etc/courier/pop3d-ssl lets you define some cipher options, but I need to know the actual log of the event.
Reply With Quote
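Added example, not part of the original thread: a sketch of the detection logic a fail2ban filter for this setup would need, run over constructed log lines. It assumes the usual Postfix `SASL ... authentication failed` warning and Courier `LOGIN FAILED` line shapes; the sample lines, IP addresses and function names are made up for illustration, so check the patterns against your own logs.

```python
import re
from collections import Counter

# Assumed line shapes (confirm against your own logs before writing a filter):
#   Postfix smtpd: warning: host[ip]: SASL <mech> authentication failed: <reason>
#   Courier login: LOGIN FAILED, user=<name>, ip=[<ip>]
POSTFIX_FAIL = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>[A-Z0-9-]+) authentication failed"
)
COURIER_FAIL = re.compile(
    r"(?P<svc>pop3d|imapd)(?:-ssl)?: LOGIN FAILED, .*ip=\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def normalize(ip):
    # Courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def failed_login(line):
    """Return (service, ip) for a failed-login line, or None for anything else."""
    m = POSTFIX_FAIL.search(line)
    if m:
        return "smtp", normalize(m.group("ip"))
    m = COURIER_FAIL.search(line)
    if m:
        return m.group("svc"), normalize(m.group("ip"))
    return None

def offenders(lines, max_retry=3):
    """IPs with at least max_retry failures across SMTP, POP3 and IMAP."""
    counts = Counter()
    for line in lines:
        hit = failed_login(line)
        if hit:
            counts[hit[1]] += 1
    return sorted(ip for ip, n in counts.items() if n >= max_retry)

# Constructed sample lines (documentation IP ranges), including one successful
# login and one SASL debug line that must not be counted as failures.
SAMPLE = [
    "Jan 23 08:20:01 romeo postfix/smtps/smtpd[24047]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Jan 23 08:20:03 romeo postfix/smtpd[24050]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Jan 23 08:20:05 romeo pop3d: LOGIN FAILED, user=name@domain.com, ip=[::ffff:192.0.2.10]",
    "Jan 23 08:20:09 romeo imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:198.51.100.7]",
    "Jan 23 08:20:11 romeo pop3d: LOGIN, user=name@domain.com, ip=[::ffff:198.51.100.7], port=[51234]",
    "Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

To reuse a pattern as a fail2ban `failregex`, replace the `(?P<ip>...)` group with fail2ban's `<HOST>` tag.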