Dovecot Auth. Failure spams Message log

Discussion in 'Installation/Configuration' started by d3m0nic, Aug 22, 2006.

  1. d3m0nic

    d3m0nic New Member

    Hello,

    [CentOS 4.3 - LAMP - ISPc - Dovecot]

    My message log is spammed by Dovecot. The same line keeps repeating on and on!
    Code:
    Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Any idea what this is and how I can resolve this... or is this normal?

    TIA,
     
  2. pablito

    pablito New Member

    Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

    I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

    You might also do a cold restart of dovecot to make sure it isn't a hung session.
     
  3. d3m0nic

    d3m0nic New Member

    I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

    Code:
    Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
    Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
    Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
    Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
    Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    ...so, then I took a look at my maillog.
    Code:
    Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    
    Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator? :mad:

    Any advice on how to go about this... emailing this clown or iptables rule?

    Thanks,
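    The correlation d3m0nic did by eye (a pam_unix failure in the messages log every 180 seconds, followed three seconds later by a pop3-login disconnect in the maillog) can be automated. The script below is an added example, not code from the thread or from Dovecot; it parses constructed syslog lines modelled on the two logs above (the year is assumed, since syslog omits it, and the 192.0.2.7 disconnect is a constructed unrelated entry), matches each disconnect to a PAM failure within a short window, and reports the remote IPs responsible together with the gap between failures, which exposes a scheduled client rather than a person typing passwords.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input modelled on the thread's /var/log/messages excerpt.
MESSAGES_LOG = """\
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

# Constructed sample input modelled on the maillog excerpt; the last line is an
# unrelated disconnect (documentation address) that must not be attributed.
MAIL_LOG = """\
Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:40:12 host1 pop3-login: Disconnected [::ffff:192.0.2.7]
"""

# "Mon DD HH:MM:SS host rest-of-message" as written by classic syslog.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
# The IPv4-mapped IPv6 prefix Dovecot logs on dual-stack sockets is optional.
DISCONNECT_RE = re.compile(r"pop3-login: Disconnected \[(?:::ffff:)?(?P<ip>[\d.]+)\]")


def parse_ts(ts, year=2006):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def auth_failures(messages_log, year=2006):
    """Timestamps of pam_unix 'authentication failure' lines emitted by dovecot."""
    out = []
    for line in messages_log.splitlines():
        m = SYSLOG_RE.match(line)
        if m and "dovecot(pam_unix)" in m["msg"] and "authentication failure" in m["msg"]:
            out.append(parse_ts(m["ts"], year))
    return out


def login_disconnects(mail_log, year=2006):
    """(timestamp, remote IP) for every pop3-login disconnect in the maillog."""
    out = []
    for line in mail_log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        d = DISCONNECT_RE.search(m["msg"])
        if d:
            out.append((parse_ts(m["ts"], year), d["ip"]))
    return out


def correlate(messages_log, mail_log, window_seconds=10, year=2006):
    """Per remote IP, count disconnects that follow a PAM failure within the window."""
    failures = auth_failures(messages_log, year)
    hits = Counter()
    for when, ip in login_disconnects(mail_log, year):
        if any(0 <= (when - f).total_seconds() <= window_seconds for f in failures):
            hits[ip] += 1
    return hits


def failure_intervals(messages_log, year=2006):
    """Seconds between successive failures; a constant gap means a scheduled client."""
    fails = auth_failures(messages_log, year)
    return [int((b - a).total_seconds()) for a, b in zip(fails, fails[1:])]


if __name__ == "__main__":
    for ip, n in correlate(MESSAGES_LOG, MAIL_LOG).most_common():
        print(f"{ip}: {n} failed POP3 logins matched to PAM failures")
    print("intervals between failures (s):", failure_intervals(MESSAGES_LOG))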
     
  4. falko

    falko Super Moderator

    You can block that IP address like this:

    Code:
    route add -host 62.58.60.226 reject
     
  5. jeeva

    jeeva New Member

    how do I ban complete ranges?
    66.249.71.0/8 etc
    66.249.71.1 -> 66.249.71.255
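    The two range notations in the question do not describe the same thing, and that matters before a block rule goes in: a /8 keeps only the first octet, so "66.249.71.0/8" is the whole of 66.0.0.0/8 (over sixteen million addresses), while 66.249.71.1 through 66.249.71.255 is not a single prefix at all. The script below is an added example, not code from the thread; it uses Python's standard ipaddress module to normalize a prefix, count how many addresses it really covers, turn an inclusive range into the minimal set of CIDR blocks, unmap the "::ffff:" form seen in the maillog, and render the blocks as iptables DROP rules (the chain name is an assumption).

```python
import ipaddress


def normalize(cidr):
    """Canonical network for a prefix, e.g. '66.249.71.0/8' -> '66.0.0.0/8'."""
    return str(ipaddress.ip_network(cidr, strict=False))


def covered_addresses(cidr):
    """How many addresses a prefix actually spans; catches an overly broad mask."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering the inclusive range first..last."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def as_ipv4(ip):
    """Unmap the '::ffff:a.b.c.d' form Dovecot logs on dual-stack sockets."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(ip, cidrs):
    """True if the (possibly IPv4-mapped) address falls inside any block."""
    addr = as_ipv4(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def drop_rules(cidrs, chain="INPUT"):
    """iptables rules for a list of blocks; chain name is an assumption."""
    return [f"iptables -A {chain} -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    # Constructed inputs taken from the question's two notations.
    print(normalize("66.249.71.0/8"), covered_addresses("66.249.71.0/8"))
    blocks = range_to_cidrs("66.249.71.1", "66.249.71.255")
    print(blocks)
    print("\n".join(drop_rules(blocks)))
    print(is_blocked("::ffff:66.249.71.200", blocks))
```

Blocking the full 66.249.71.0/24 is one rule; the 1..255 range needs eight prefixes, which is why checking the block count before applying it is worthwhile.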
     
