Bug 150888 - Messages Fails to Provide Attacker's IP / Unauthorized Pop3
Summary: Messages Fails to Provide Attacker's IP / Unauthorized Pop3
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Dennis
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-03-11 17:57 UTC by David Hart
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: dovecot-0.99.14-7.fc5
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-27 21:51:56 UTC
Type: ---
Embargoed:



Description David Hart 2005-03-11 17:57:01 UTC
Description of problem:

Today, I experienced a large number of attempts by an unauthorized
individual to access mail via Pop3. These are logged without
sufficient detail in "messages", are not logged at all in "secure" and
are difficult to spot or correlate in maillog.

Here is a small sample:

Mar 11 11:56:32 smtp dovecot(pam_unix)[15314]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user unknown
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: check pass; user unknown
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: check pass; user unknown
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication failure;


Expected results:

These should show the connecting IP as well as the username that they
attempted to use. With the IP I could use swatch to automatically
create an IPTables block.

Additional info:

Comment 1 Jason Vas Dias 2005-03-11 18:13:29 UTC
There is nothing sysklogd can do about this - it just logs the messages
sent by processes.

This problem is more properly a dovecot or pam enhancement request,
to provide more information logged on authentication failures.

I'm moving to dovecot and CC-ing the PAM maintainer. 

Comment 2 David Hart 2005-03-11 18:18:02 UTC
I understand. Thank you.

Comment 3 David Hart 2005-03-11 20:45:11 UTC
Taking it a step further, I turned on verbose logging and tried bad
authentication. Here's what I see in maillog:

Mar 11 15:34:49 smtp dovecot-auth: PAM: pam_authenticate(nano) failed: Authentication failure
Mar 11 15:35:05 smtp dovecot-auth: PAM: pam_authenticate(adsffdas) failed: Authentication failure
Mar 11 15:35:14 smtp dovecot-auth: PAM: pam_authenticate(adsfdsa) failed: Authentication failure
Mar 11 15:35:24 smtp dovecot-auth: mech-plain(jadlskjfalkjf;laks): invalid username
Mar 11 15:35:31 smtp pop3-login: Login: dchart [192.168.0.44]

I finally used valid credentials and quit. It looks like someone could
hammer away and the client is only logged when they either quit or
connect. The indications in the syslog are even less enlightening.


Comment 4 John Dennis 2005-07-27 21:51:56 UTC
fixed in dovecot-0.99.14-7.fc5

You'll now get messages like this:

Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed: user1 [::ffff:127.0.0.1]

The second to last item is the username (user1 in the example); the last item is
the IP address (in this example it happened to be localhost).
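
The reporter's goal was to feed the failed-login source address to a log watcher (swatch) and generate a firewall block from it. The following is an added example, not code from this bug report or from the dovecot project, that shows what that pipeline needs from the fixed log format: it parses the old pam_unix lines (where rhost= is empty, so no source can be attributed), the fixed "AUTHENTICATE FAILED ... user [ip]" lines from comment 4, and the "Login: user [ip]" lines from comment 3, counts failures per source address, and emits iptables DROP rules as text for sources over a threshold. The sample log lines are constructed for this example and modelled on the formats quoted above; the threshold, the loopback allowlist and the rule template are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Fixed format (comment 4): "<service>: AUTHENTICATE FAILED Authentication failed: <user> [<ip>]"
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<service>[\w-]+): "
    r"AUTHENTICATE FAILED Authentication failed: (?P<user>\S+) \[(?P<ip>[^\]]+)\]$"
)
# Successful login (comment 3): "<service>: Login: <user> [<ip>]"
LOGIN_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<service>[\w-]+): Login: (?P<user>\S+) \[(?P<ip>[^\]]+)\]$"
)
# Old pam_unix format (description): rhost= is present but empty, and the line may be cut short
PAM_RE = re.compile(
    r"dovecot\(pam_unix\)\[\d+\]: authentication failure;(?:.*\brhost=(?P<rhost>\S*))?"
)

# Constructed sample, modelled on the formats quoted in this bug (not a real capture)
SAMPLE_LOG = [
    "Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
    "Jul 27 17:41:48 chickadee imap-login: AUTHENTICATE FAILED Authentication failed: user1 [::ffff:127.0.0.1]",
    "Jul 27 17:42:01 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: admin [::ffff:203.0.113.9]",
    "Jul 27 17:42:02 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: root [::ffff:203.0.113.9]",
    "Jul 27 17:42:04 chickadee pop3-login: AUTHENTICATE FAILED Authentication failed: test [203.0.113.9]",
    "Jul 27 17:42:09 chickadee pop3-login: Login: dchart [192.168.0.44]",
]


def normalize_ip(text):
    """Canonical address string; an IPv4-mapped IPv6 address like ::ffff:a.b.c.d
    (dovecot's form in comment 4) is unwrapped to a.b.c.d so counts and rules use one key."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_line(line):
    """Classify one syslog line. Returns {'event', 'user', 'ip'} or None for unrelated lines;
    'ip' is None when the line carries no usable source address (the old pam_unix format)."""
    m = FAILED_RE.search(line)
    if m:
        return {"event": "auth_failed", "user": m["user"], "ip": normalize_ip(m["ip"])}
    m = LOGIN_RE.search(line)
    if m:
        return {"event": "login", "user": m["user"], "ip": normalize_ip(m["ip"])}
    m = PAM_RE.search(line)
    if m:
        rhost = m["rhost"] or ""
        return {"event": "auth_failed", "user": None, "ip": normalize_ip(rhost) if rhost else None}
    return None


def failures_by_ip(lines):
    """Count authentication failures per source address; failures that carry no
    address are counted separately so the gap in the old format stays visible."""
    counts = Counter()
    unattributed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "auth_failed":
            continue
        if ev["ip"] is None:
            unattributed += 1
        else:
            counts[ev["ip"]] += 1
    return counts, unattributed


def block_rules(counts, threshold, allowlist=("127.0.0.1",)):
    """iptables DROP rules, returned as text rather than executed, for every source
    at or above the failure threshold; allowlisted hosts (loopback by default, an
    assumption for this example) are never blocked."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowlist
    ]


if __name__ == "__main__":
    counts, missing = failures_by_ip(SAMPLE_LOG)
    print("failures with no source address (old format):", missing)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed logins")
    for rule in block_rules(counts, threshold=3):
        print(rule)
```

Running the script on the constructed sample reports one failure that cannot be attributed to any host (the old pam_unix line), three failures from 203.0.113.9 once the ::ffff: prefix is stripped, one from loopback, and a single DROP rule for 203.0.113.9. Keeping the unattributed count separate is deliberate: a watcher that silently drops lines without an address would hide exactly the problem this bug was filed about.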

Comment 5 David Hart 2005-08-19 14:20:18 UTC
July 27: >>fixed in dovecot-0.99.14-7.fc5<<

Do you have any idea when this will be in rawhide? The July 22 release of
dovecot-0.99.14-6 is the most current package.

Thanks for your courtesy.

