Dovecot Auth. Failure spams Message log

Discussion in 'Installation/Configuration' started by d3m0nic, Aug 22, 2006.

  1. d3m0nic

    d3m0nic New Member

    Hello,

    [CentOS 4.3 - LAMP - ISPc - Dovecot]

    My message log is spammed by Dovecot. The same line keeps repeating on and on!
    Code:
    Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Any idea what this is and how i can resolve this... or is this normal?

    TIA,
     
  2. pablito

    pablito New Member

    Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

    I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

    You might also do a cold restart of dovecot to make it isn't a hung session.
     
  3. d3m0nic

    d3m0nic New Member

    I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

    Code:
    Aug 23 01:[B]06[/B]:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
    Aug 23 01:[B]06[/B]:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:[B]09[/B]:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
    Aug 23 01:[B]09[/B]:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:[B]12[/B]:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
    Aug 23 01:[B]12[/B]:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:[B]15[/B]:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
    Aug 23 01:[B]15[/B]:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    ...so, then i took a look at my maillog.
    Code:
    Aug 23 01:[B]06[/B]:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:[B]09[/B]:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:[B]12[/B]:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:[B]15[/B]:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    
    Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator? :mad:

    Any advise on how to go about this... emailing this clown or iptables rule?

    Thanks,
     
  4. falko

    falko Super Moderator ISPConfig Developer

    You can block that IP address like this:

    Code:
    route add -host 62.58.60.226 reject
     
    QuetzalFirst likes this.
  5. jeeva

    jeeva New Member

    how do I ban complete ranges?
    66.249.71.0/8 etc
    66.249.71.1 -> 66.249.71.255
     
  6. QuetzalFirst

    QuetzalFirst Member HowtoForge Supporter

    Where i can set this directly in ISPConfig3 ? I run the code directly in shell !! Save my day ! Thank you!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The network routing is not configured trough ispconfig. If you want to run that command at bot time, then add it in the /etc/rc.local file.
     

Share This Page