Bug 150888 - Messages Fails to Provide Attacker's IP / Unauthorized Pop3
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: John Dennis
QA Contact: Brian Brock
Keywords: FutureFeature
 
Reported: 2005-03-11 12:57 EST by David Hart
Modified: 2007-11-30 17:11 EST
CC: 2 users

Fixed In Version: dovecot-0.99.14-7.fc5
Doc Type: Enhancement
Last Closed: 2005-07-27 17:51:56 EDT
Attachments: None
Description David Hart 2005-03-11 12:57:01 EST
Description of problem:

Today, I experienced a large number of attempts by an unauthorized
individual to access mail via Pop3. These are logged without
sufficient detail in "messages", are not logged at all in "secure" and
are difficult to spot or correlate in maillog.

Here is a small sample:

Mar 11 11:56:32 smtp dovecot(pam_unix)[15314]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= 
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user unknown
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= 
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: check pass; user unknown
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= 
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: check pass; user unknown
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication failure; 


Expected results:

These should show the connecting IP as well as the username that they
attempted to use. With the IP I could use swatch to automatically
create an IPTables block.

Additional info:
Comment 1 Jason Vas Dias 2005-03-11 13:13:29 EST
There is nothing sysklogd can do about this - it just logs the messages
sent by processes.

This problem is more properly a dovecot or pam enhancement request,
to provide more information logged on authentication failures.

I'm moving to dovecot and CC-ing the PAM maintainer.
Comment 2 David Hart 2005-03-11 13:18:02 EST
I understand. Thank you.
Comment 3 David Hart 2005-03-11 15:45:11 EST
Taking it a step further, I turned on verbose logging and tried bad
authentication. Here's what I see in maillog:

Mar 11 15:34:49 smtp dovecot-auth: PAM: pam_authenticate(nano) failed:
Authentication failure
Mar 11 15:35:05 smtp dovecot-auth: PAM: pam_authenticate(adsffdas)
failed: Authentication failure
Mar 11 15:35:14 smtp dovecot-auth: PAM: pam_authenticate(adsfdsa)
failed: Authentication failure
Mar 11 15:35:24 smtp dovecot-auth: mech-plain(jadlskjfalkjf;laks):
invalid username
Mar 11 15:35:31 smtp pop3-login: Login: dchart [192.168.0.44]

I finally used valid credentials and quit. It looks like someone could
hammer away and the client is only logged when they either quit or
connect. The indications in the syslog are even less enlightening.
Comment 4 John Dennis 2005-07-27 17:51:56 EDT
fixed in dovecot-0.99.14-7.fc5

You'll now get messages like this:

Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed:
user1 [::ffff:127.0.0.1]

The second to last item is the username (user1 in the example), the last item is
the ip address (in this example it happened to be localhost)
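As an added example (not part of this bug report and not dovecot's own code), the parsing a swatch-style watcher would do on the fixed log format from comment 4: it pulls the username and client address out of each AUTHENTICATE FAILED line, unwraps the IPv4-mapped form (::ffff:a.b.c.d) into the plain IPv4 address a firewall rule would need, and counts failures per address. The sample lines are constructed, with the wrapped line from comment 4 joined back onto one line; the threshold, the extra usernames and the 198.51.100.7 address are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: post-fix imap-login/pop3-login failure lines, one
# successful login, and one pre-fix pam_unix line that carries no address.
SAMPLE_LOG = """\
Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed: user1 [::ffff:127.0.0.1]
Jul 27 17:41:51 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: user2 [::ffff:198.51.100.7]
Jul 27 17:41:53 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: user3 [::ffff:198.51.100.7]
Jul 27 17:41:55 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: user4 [::ffff:198.51.100.7]
Jul 27 17:42:10 chickadee pop3-login: Login: dchart [192.168.0.44]
Jul 27 17:42:20 chickadee dovecot(pam_unix)[15314]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

# Username is the second-to-last item, address is the bracketed last item.
AUTH_FAILED = re.compile(
    r"(?:imap|pop3)-login: AUTHENTICATE FAILED .*?: "
    r"(?P<user>\S+) \[(?P<ip>[^\]]+)\]$"
)


def normalize_ip(text):
    """Return the address as a string, unwrapping IPv4-mapped IPv6
    (::ffff:a.b.c.d) so it matches what an IPv4 firewall rule expects."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for plain IPv4
    return str(mapped) if mapped is not None else str(addr)


def parse_failures(log_text):
    """Yield (user, ip) for every post-fix AUTHENTICATE FAILED line.
    Pre-fix pam_unix lines have no address and are skipped."""
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            yield m.group("user"), normalize_ip(m.group("ip"))


def offenders(log_text, threshold=3):
    """Count failures per client address; return those at or above threshold
    (the threshold value is an assumption for this example)."""
    counts = Counter(ip for _user, ip in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, ip in parse_failures(SAMPLE_LOG):
        print(f"{user:8s} {ip}")
    print("block candidates:", offenders(SAMPLE_LOG))
```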
Comment 5 David Hart 2005-08-19 10:20:18 EDT
July 27: >>fixed in dovecot-0.99.14-7.fc5<<

Do you have any idea when this will be in rawhide? The July 22 release of
dovecot-0.99.14-6 is the most current package.

Thanks for your courtesy.
