Re: [Dovecot] auth trouble
Glenn English writes:
If dovecot-auth is getting input from a local socket, then rhost information is irrelevant since the host doing the asking is the server itself (maybe from another daemon connected to a remote host).
Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.
Joseph Tam <jtam.home@gmail.com>
On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
Thanks for the confirmation of my suspicions... and for the suggestion -- I do have Postfix using Dovecot-Auth checking for SASL.
I think I'm going to re-install and run Tripwire...
-- Glenn English hand-wrapped from my Apple Mail
On Tue, Jun 05, 2012 at 09:38:49AM -0600, Glenn English wrote:
What suspicions were confirmed?
And these brute force attempts would be logged, each one.
I think you are overreacting.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
On Jun 5, 2012, at 3:53 PM, /dev/rob0 wrote:
What suspicions were confirmed?
At first I thought that somebody was TCP'ing in and somehow turning off the remote IP in the log so I couldn't block it. Then an answer from another mailing list, and a little thinking, made it occur to me that maybe my server had been penetrated.
And these brute force attempts would be logged, each one.
They are, with no rhost. And there are other brute force attempts that *do* have IPs.
I think you are overreacting.
I really hope so. What's your thinking? Have you seen this before? And most important: what is it, how does it work, and how do I get rid of it and keep it from coming back?
-- Glenn English hand-wrapped from my Apple Mail
On Jun 8, 2012, at 10:25 AM, Timo Sirainen wrote:
I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the rhost. Upgrade.
Will do. What you say fits with what I see in the logs and is a lot simpler than many other suggestions. And you do have some credibility in this area :-)
Thanks.
-- Glenn English hand-wrapped from my Apple Mail
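The thread turns on two observations: every failed attempt is logged (as /dev/rob0 says), but some of those PAM lines carry an empty rhost= and so cannot be blocked by address, which Timo attributes to Dovecot v1.0 not passing the remote host to PAM. The following Python script is an added example, not code from this thread or from the Dovecot project: it parses syslog lines in pam_unix's "authentication failure" format, keeps only those for a chosen PAM service, counts the attempts that arrive without an rhost separately from those that carry one, and lists the addresses that have crossed a block threshold. The log lines embedded in it are constructed for the example; the service name "dovecot", the threshold of 3 and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions, not values taken from the original messages.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the pam_unix "authentication failure" format
# (not taken from the thread). The entries with an empty rhost= mimic what the
# thread describes for Dovecot v1.0; the others carry an address and can be
# blocked. The sshd line is there to show that other PAM services are filtered out.
SAMPLE_LOG = """\
Jun  5 09:12:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
Jun  5 09:12:03 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=
Jun  5 09:12:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7
Jun  5 09:12:06 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales rhost=203.0.113.7
Jun  5 09:12:08 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=203.0.113.7
Jun  5 09:12:09 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=glenn rhost=198.51.100.23
Jun  5 09:12:11 mail sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23
"""

# pam_unix writes "pam_unix(<service>:auth): authentication failure; ... ruser=<u> rhost=<h>".
# Both ruser and rhost may be empty, so \S* rather than \S+ on each.
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure; "
    r".*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)$"
)


def parse_failures(text, service="dovecot"):
    """Return (ruser, rhost) for every PAM auth failure of the given service.

    Lines for other PAM services (e.g. sshd) and lines that do not match the
    pam_unix failure format are ignored. rhost is '' when PAM was not told one.
    """
    failures = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m and m.group("service") == service:
            failures.append((m.group("ruser"), m.group("rhost")))
    return failures


def summarize(text, service="dovecot"):
    """Split failures into those with an address (blockable) and those without.

    The 'no_rhost' count is the part of the attack you cannot stop with an
    address-based block; if it stays non-zero after the upgrade the thread
    recommends, the logging itself still needs looking at.
    """
    by_rhost = Counter()
    users_by_rhost = {}
    no_rhost = 0
    for ruser, rhost in parse_failures(text, service):
        if rhost == "":
            no_rhost += 1
            continue
        by_rhost[rhost] += 1
        users_by_rhost.setdefault(rhost, set()).add(ruser)
    return {
        "no_rhost": no_rhost,
        "by_rhost": by_rhost,
        "users_by_rhost": users_by_rhost,
    }


def block_candidates(summary, threshold=3):
    """Addresses with at least `threshold` failures, most active first."""
    return [
        host
        for host, n in summary["by_rhost"].most_common()
        if n >= threshold
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"failures with no rhost (not blockable by address): {s['no_rhost']}")
    for host, n in s["by_rhost"].most_common():
        users = ", ".join(sorted(s["users_by_rhost"][host]))
        print(f"{host}: {n} failures, usernames tried: {users}")
    print("block candidates:", block_candidates(s))
```

Feed it a real auth.log with `summarize(open("/var/log/auth.log").read())`; the threshold and the service name are the two knobs to adjust. The script deliberately does nothing with the empty-rhost entries beyond counting them, since without an address there is nothing to hand to a firewall rule; the count is what to watch after the upgrade.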
participants (4): /dev/rob0, Glenn English, Joseph Tam, Timo Sirainen