Description of problem: Today, I experienced a large number of attempts by an unauthorized individual to access mail via POP3. These are logged without sufficient detail in "messages", are not logged at all in "secure" and are difficult to spot or correlate in maillog. Here is a small sample:

Mar 11 11:56:32 smtp dovecot(pam_unix)[15314]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user unknown
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: check pass; user unknown
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: check pass; user unknown
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication failure;

Expected results: These should show the connecting IP as well as the username that they attempted to use. With the IP I could use swatch to automatically create an IPTables block.

Additional info:
There is nothing sysklogd can do about this - it just logs the messages sent by processes. This problem is more properly a dovecot or pam enhancement request, to provide more information logged on authentication failures. I'm moving to dovecot and CC-ing the PAM maintainer.
I understand. Thank you.
Taking it a step further, I turned on verbose logging and tried bad authentication. Here's what I see in maillog:

Mar 11 15:34:49 smtp dovecot-auth: PAM: pam_authenticate(nano) failed: Authentication failure
Mar 11 15:35:05 smtp dovecot-auth: PAM: pam_authenticate(adsffdas) failed: Authentication failure
Mar 11 15:35:14 smtp dovecot-auth: PAM: pam_authenticate(adsfdsa) failed: Authentication failure
Mar 11 15:35:24 smtp dovecot-auth: mech-plain(jadlskjfalkjf;laks): invalid username
Mar 11 15:35:31 smtp pop3-login: Login: dchart [192.168.0.44]

I finally used valid credentials and quit. It looks like someone could hammer away and the client is only logged when they either quit or connect. The indications in the syslog are even less enlightening.
Fixed in dovecot-0.99.14-7.fc5. You'll now get messages like this:

Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed: user1 [::ffff:127.0.0.1]

The second to last item is the username (user1 in the example), the last item is the IP address (in this example it happened to be localhost).
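The reporter's goal in the original description was to feed the failing username and IP to swatch so that repeat offenders can be blocked. The script below is an added example, not part of this bug report or of the dovecot package: it parses the new "AUTHENTICATE FAILED" line format shown in the comment above, normalizes IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 to plain IPv4, and counts failures per remote host so that a threshold can be applied. The sample log lines, the threshold of 5 and the addresses used are constructed for the example; the function names are assumptions and not anything dovecot or swatch provides.

```python
import ipaddress
import re
from collections import Counter

# Matches the failure line format introduced in dovecot-0.99.14-7.fc5:
#   <timestamp> <host> imap-login: AUTHENTICATE FAILED Authentication failed: <user> [<rhost>]
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>imap|pop3)-login: AUTHENTICATE FAILED "
    r"Authentication failed: (?P<user>\S+) \[(?P<rhost>[^\]]+)\]$"
)

# Constructed sample log: five failures from one host, one from localhost,
# one successful login, and one old-style pam_unix line that carries no rhost.
SAMPLE_LOG = [
    "Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed: user1 [::ffff:127.0.0.1]",
    "Jul 27 17:42:01 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: admin [198.51.100.7]",
    "Jul 27 17:42:03 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: test [198.51.100.7]",
    "Jul 27 17:42:05 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: guest [198.51.100.7]",
    "Jul 27 17:42:07 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: info [198.51.100.7]",
    "Jul 27 17:42:09 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: user1 [198.51.100.7]",
    "Jul 27 17:43:00 chickadee pop3-login: Login: dchart [192.168.0.44]",
    "Jul 27 17:43:30 chickadee dovecot(pam_unix)[15314]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
]


def normalize_ip(text):
    """Return a canonical IP string, mapping ::ffff:a.b.c.d to a.b.c.d.

    Returns None when the bracketed value is not an IP address at all, so a
    malformed line cannot produce a bogus block entry.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # IPv6Address exposes ipv4_mapped; IPv4Address has no such attribute.
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(addr)


def parse_auth_failure(line):
    """Return {'service', 'user', 'rhost'} for a failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    return {
        "service": m.group("service"),
        "user": m.group("user"),
        "rhost": normalize_ip(m.group("rhost")),
    }


def failures_by_rhost(lines):
    """Count parsed authentication failures per (normalized) remote host."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_failure(line)
        if rec and rec["rhost"]:
            counts[rec["rhost"]] += 1
    return counts


def block_candidates(lines, threshold=5):
    """Hosts whose failure count reached the threshold; this is the list a
    swatch action would hand to the firewall rule of the operator's choice."""
    return sorted(ip for ip, n in failures_by_rhost(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failures_by_rhost(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed logins")
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

The threshold is deliberately applied per remote host rather than per username, since the sample in the original report shows one source cycling through many usernames; the loopback entry is counted but stays below the threshold, so a local misconfiguration does not lock the server out of itself.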
July 27: >>fixed in dovecot-0.99.14-7.fc5<< Do you have any idea when this will be in rawhide? The July 22 release of dovecot-0.99.14-6 is the most current package. Thanks for your courtesy.