Cracking attempt
dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=
3 Replies
Research on Dovecot mailing list & documentation was no help. Research via the Dovecot IRC channel was also not any help.
After I saw another wave of crack attempts with ZERO iptables log entries, it occurred to me what was going on – these weren't POP/IMAP crack attempts, the cracker was coming in via SMTP-Auth attempts! Postfix + Dovecot + SASLauthd w/ TLS encryption, Postfix relying upon Dovecot/SASLauthd for the passthrough authentication.
Some quick research revealed that some of Dovecot's very poorly named variables were causing the SMTP-Auth attempts to not get logged AT ALL.
Enable these two "debugging" variables, and you should see the auth attempts with the missing source IPs logged properly. Depending on your environment, you will see it logged with your Postfix logs, your sasl/authentication logs, or your Dovecot logs. That all depends on how you have syslog configured.
auth_verbose = yes
verbose_ssl = yes
The one I was missing was 'verbose_ssl'. Once I enabled this and restarted Dovecot, SMTP authentications -- successes and failures, WITH source IP -- were now being logged properly.
Depending on the version of Dovecot & setup, you may have to correlate logs from more than one location to determine the source IP & attempted username.
Hope this helps!
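To go with the correlation step above (checking Postfix, PAM and Dovecot logs against each other to recover the source IP and username), here is an added example, not code from the original post: a small Python script that parses the three kinds of log line the thread mentions, counts failures per client IP, flags PAM lines that carry an empty rhost= (the symptom in the original question), and lists IPs that cross a failure threshold. The sample log lines are constructed for the example; the line shapes follow common Dovecot auth_verbose, pam_unix and Postfix smtpd output, but check them against your own syslog before relying on the regexes.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). Three shapes of record:
#  - the pam_unix failure line with an empty rhost= (no source IP at all)
#  - Dovecot's own auth_verbose failure line, which carries user and remote IP
#  - Postfix smtpd's SASL failure warning, which carries the client IP only
SAMPLE_LOG = """\
Mar  3 10:12:01 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=
Mar  3 10:12:01 mx dovecot: auth: pam(abc123,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Mar  3 10:12:01 mx postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:12:09 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
Mar  3 10:12:09 mx dovecot: auth: pam(admin,192.0.2.10): pam_authenticate() failed: Authentication failure (password mismatch?)
Mar  3 10:14:30 mx dovecot: auth: pam(bob,198.51.100.7): pam_authenticate() failed: Authentication failure (password mismatch?)
Mar  3 10:14:30 mx postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

PAM_RE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*ruser=(?P<user>\S*) rhost=(?P<rhost>\S*)"
)
DOVECOT_RE = re.compile(
    r"dovecot: auth: pam\((?P<user>[^,]*),(?P<rip>[^)]*)\): pam_authenticate\(\) failed"
)
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<rip>[^\]]+)\]: SASL \w+ authentication failed"
)


def parse_line(line):
    """Classify one syslog line; return None for lines that are not auth failures."""
    m = PAM_RE.search(line)
    if m:
        # An empty rhost= is exactly the blind spot from the thread.
        return {"source": "pam", "user": m.group("user"), "ip": m.group("rhost") or None}
    m = DOVECOT_RE.search(line)
    if m:
        return {"source": "dovecot", "user": m.group("user"), "ip": m.group("rip")}
    m = POSTFIX_RE.search(line)
    if m:
        return {"source": "postfix", "user": None, "ip": m.group("rip")}
    return None


def summarize(log_text):
    """Correlate failures per client IP across the three log sources.

    Returns (per_ip, unattributed). per_ip maps an IP to per-source failure
    counts plus the set of usernames tried from it; unattributed counts PAM
    failure lines that carry no rhost and so cannot be tied to any client.
    """
    per_ip = defaultdict(lambda: {"pam": 0, "dovecot": 0, "postfix": 0, "users": set()})
    unattributed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] is None:
            unattributed += 1
            continue
        entry = per_ip[rec["ip"]]
        entry[rec["source"]] += 1
        if rec["user"]:
            entry["users"].add(rec["user"])
    return dict(per_ip), unattributed


def offenders(per_ip, threshold=3):
    """IPs whose failed attempts reach the threshold, most failures first.

    Dovecot's auth lines are the primary count (one per attempt, with username);
    Postfix SASL warnings are used only where Dovecot logged nothing for the IP,
    so a single attempt seen by both daemons is not counted twice.
    """
    scored = {}
    for ip, entry in per_ip.items():
        count = entry["dovecot"] or entry["postfix"]
        if count >= threshold:
            scored[ip] = count
    return sorted(scored, key=lambda ip: (-scored[ip], ip))


if __name__ == "__main__":
    per_ip, blind = summarize(SAMPLE_LOG)
    print(f"{blind} PAM failure line(s) with no rhost (source IP missing)")
    for ip, entry in per_ip.items():
        print(ip, entry["dovecot"], "dovecot /", entry["postfix"], "postfix; users:", sorted(entry["users"]))
    print("over threshold:", offenders(per_ip, threshold=2))
```

Point it at your real syslog (replace SAMPLE_LOG with the file contents) after enabling auth_verbose / verbose_ssl; if the unattributed count stays high while the per-IP table stays empty, the Dovecot auth lines are still not being written and you are back to the problem the thread describes.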
@node_tux:
I've had an attempt at cracking my mail server. Any idea why I'm not seeing an IP on these messages?
dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=
I added the Dovecot support to OSSEC. The active response feature will stop these after just a few attempts.