
Re: pam problem



On Sat, 19 May 2012 14:05:41 -0600, Glenn English wrote:

> I am getting many, many entries in auth.log like these:
> 
> /var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost= 
> /var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost= 

(...)

Is your Dovecot publicly accessible? I also get login tries in my Cyrus 
coming from the outside, they're usually from automated bots running on 
zombie windows machines... if that's the case, you can apply counter-measures 
to cut these kinds of attacks, for instance, by installing fail2ban or denyhosts
(also, some routers allow you to define rules to block/filter by specific syn/ack 
traffic). 

But your "rhost" being empty... it does not sound good :-(

You can also take a look at the mail log to check pop3/imap logins, but I don't 
know where Dovecot sends these... "/var/log/mail.log"?

> Over on SDLU, I was told the empty "rhost=" looks like there is a Trojan
> using a socket on my email host. I knew nothing about sockets -- not
> much more now. Can anyone tell me how to find it and squash it?

(...)

Yes, that's suspicious. You can also run rkhunter to scan your system. 

Greetings,

-- 
Camaleón
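As an added example that is not part of the thread, the following Python script parses pam_unix "authentication failure" lines in the format quoted above and splits them into attempts that carry an rhost and attempts where it is empty, so the empty-rhost ones can be reviewed on their own. The log lines embedded in it are constructed from the quoted format (placeholder users, documentation-range addresses), and it also accepts the pid-suffixed form used by daemons such as sshd.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread; the users
# and addresses are placeholders, not data from the original post.
SAMPLE_LOG = """\
May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
May 18 03:40:02 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=203.0.113.7
May 18 03:41:00 server sshd[1234]: Accepted publickey for bob from 198.51.100.4 port 5000 ssh2
May 18 03:42:10 server sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.4
"""

# syslog prefix, program name with optional [pid], then the pam_unix message.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure; (?P<fields>.*)$"
)


def parse_failures(text):
    """Return one dict per pam_unix authentication-failure line.

    The trailing key=value fields (logname, uid, euid, tty, ruser, rhost) are
    merged into the dict; a key with nothing after '=' yields an empty string.
    """
    records = []
    for line in text.splitlines():
        m = PAM_FAIL.match(line)
        if not m:
            continue  # not a pam_unix failure (e.g. a successful sshd login)
        rec = m.groupdict()
        rec.update(dict(re.findall(r"(\w+)=(\S*)", rec.pop("fields"))))
        records.append(rec)
    return records


def summarize(records):
    """Count failures by (service, ruser), kept apart by whether rhost was set.

    An empty rhost means PAM recorded no peer address for the attempt, which
    is the detail the thread singles out for closer investigation.
    """
    no_rhost, with_rhost = Counter(), Counter()
    for r in records:
        key = (r["service"], r.get("ruser", ""))
        if r.get("rhost"):
            with_rhost[(r["rhost"],) + key] += 1
        else:
            no_rhost[key] += 1
    return no_rhost, with_rhost
```

Run it against a real file with `summarize(parse_failures(open("/var/log/auth.log").read()))`; the `no_rhost` counter lists the service/user pairs that match the pattern the thread describes.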

