Dovecot Auth. Failure spams Message log

Discussion in 'Installation/Configuration' started by d3m0nic, Aug 22, 2006.

  1. d3m0nic

    d3m0nic New Member

    Hello,

    [CentOS 4.3 - LAMP - ISPc - Dovecot]

    My message log is spammed by Dovecot. The same line keeps repeating on and on!
    Code:
    Aug 22 15:15:56 host1 dovecot(pam_unix)[24079]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: check pass; user unknown
    Aug 22 15:18:56 host1 dovecot(pam_unix)[24117]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: check pass; user unknown
    Aug 22 15:21:56 host1 dovecot(pam_unix)[24155]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: check pass; user unknown
    Aug 22 15:24:56 host1 dovecot(pam_unix)[24193]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: check pass; user unknown
    Aug 22 15:27:56 host1 dovecot(pam_unix)[24232]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: check pass; user unknown
    Aug 22 15:30:56 host1 dovecot(pam_unix)[24269]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: check pass; user unknown
    Aug 22 15:33:56 host1 dovecot(pam_unix)[24307]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: check pass; user unknown
    Aug 22 15:36:56 host1 dovecot(pam_unix)[24345]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: check pass; user unknown
    Aug 22 15:39:56 host1 dovecot(pam_unix)[24383]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: check pass; user unknown
    Aug 22 15:42:56 host1 dovecot(pam_unix)[24422]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: check pass; user unknown
    Aug 22 15:45:56 host1 dovecot(pam_unix)[24460]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: check pass; user unknown
    Aug 22 15:48:56 host1 dovecot(pam_unix)[24498]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Any idea what this is and how I can resolve this... or is this normal?

    TIA,
     
  2. pablito

    pablito New Member

    Does the log show what IP is in the rhost/lhost? If it isn't the localhost then perhaps you have a client trying to authenticate but failing just as the error shows? If it is the localhost then something indeed is wrong with the dovecot config.

    I only see those errors when someone fails a login. I rarely see a persistent crack attempt but that too is always possible.

    You might also do a cold restart of dovecot to make sure it isn't a hung session.
     
  3. d3m0nic

    d3m0nic New Member

    I have found the problem... as shown in the error message, every 3 minutes I get a new line in my log.

    Code:
    Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: check pass; user unknown
    Aug 23 01:06:56 host1 dovecot(pam_unix)[1022]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: check pass; user unknown
    Aug 23 01:09:56 host1 dovecot(pam_unix)[1060]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: check pass; user unknown
    Aug 23 01:12:56 host1 dovecot(pam_unix)[1099]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: check pass; user unknown
    Aug 23 01:15:56 host1 dovecot(pam_unix)[1138]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    ...so, then I took a look at my maillog.
    Code:
    Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
    
    Some bozo doesn't have his stuff together and needs to take his head out of his ass. Did a Whois and found it to be KIA MOTORS in the NETHERLANDS... cheap cars, cheap administrator? :mad:

    Any advice on how to go about this... emailing this clown or an iptables rule?

    Thanks,
     
  4. falko

    falko Super Moderator Howtoforge Staff

    You can block that IP address like this:

    Code:
    route add -host 62.58.60.226 reject
     
  5. jeeva

    jeeva New Member

    How do I ban complete ranges?
    66.249.71.0/8 etc
    66.249.71.1 -> 66.249.71.255
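    An added example, not code from this thread: a small shell helper that counts the `*-login: Disconnected [...]` lines from maillog per remote host (stripping the `::ffff:` IPv4-mapped prefix Dovecot logs) and prints falko's reject-route command for every host, or for every /24 as jeeva asks, that reaches a threshold. The sample log lines are constructed to match the format shown above; the route it prints is not persistent across a reboot.

```shell
#!/bin/sh
# Added example, not from the thread: count Dovecot "Disconnected" lines per
# remote host (or per /24) and print the reject-route command the thread uses.

# Constructed sample lines modelled on the maillog in the thread (not real traffic).
SAMPLE_LOG='Aug 23 01:06:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:09:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:12:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:15:59 host1 pop3-login: Disconnected [::ffff:62.58.60.226]
Aug 23 01:16:02 host1 imap-login: Disconnected [192.0.2.10]
Aug 23 01:17:11 host1 pop3-login: Disconnected [::ffff:192.0.2.33]
Aug 23 01:18:40 host1 pop3-login: Disconnected [192.0.2.33]
Aug 23 01:19:05 host1 pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1'

# failed_logins [host|net]: read log lines on stdin, print "count key" sorted
# by count. The ::ffff: prefix Dovecot logs on dual-stack sockets is stripped;
# with "net" the key is the /24 the address belongs to.
failed_logins() {
    scope=${1:-host}
    awk -v scope="$scope" '/-login: Disconnected \[/ {
        ip = $0
        sub(/.*Disconnected \[/, "", ip)
        sub(/\].*/, "", ip)
        sub(/^::ffff:/, "", ip)
        if (scope == "net") { split(ip, o, "."); ip = o[1] "." o[2] "." o[3] ".0/24" }
        count[ip]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# block_commands THRESHOLD [host|net]: print a reject route for every key at
# or above THRESHOLD. Routes added this way do not survive a reboot.
block_commands() {
    threshold=${1:-3}
    scope=${2:-host}
    failed_logins "$scope" | awk -v t="$threshold" -v scope="$scope" '$1 >= t {
        if (scope == "net") printf "route add -net %s reject\n", $2
        else                printf "route add -host %s reject\n", $2
    }'
}

# Stand-alone demo: review the output before running any of it as root.
printf '%s\n' "$SAMPLE_LOG" | block_commands 3 host
printf '%s\n' "$SAMPLE_LOG" | block_commands 3 net
```

To use it on a real server, feed the log instead of the sample, e.g. `grep 'Disconnected' /var/log/maillog | block_commands 10 host`.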
     
  6. QuetzalFirst

    QuetzalFirst Member

    Where can I set this directly in ISPConfig3? I ran the code directly in the shell!! Saved my day! Thank you!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The network routing is not configured through ISPConfig. If you want to run that command at boot time, then add it to the /etc/rc.local file.
     
