
Re: pam problem



On May 19, 2012, at 2:35 PM, Camaleón wrote:

> Is your Dovecot publicly accessible?

Yes.

> I also get login tries in my Cyrus 
> coming from the outside, they're usually from automated bots running on 
> zombie Windows machines... if that's the case, you can apply counter-measures 
> to cut this kind of attack, for instance, by installing fail2ban

Done, and it's denying Postfix and auth incidents of interest.

> (also, some routers allow you to define rules to block/filter by specific syn/ack 
> traffic). 

My border router is a Cisco with significant ACLs. But they seem to be all about 
ICMP/UDP/TCP, IP, and port. I'll look into more specific restrictions. 

From one of the access lists:

> 30 permit udp any host 209.97.231.219 eq ntp (27611222 matches)

(access to the NTP server, in case you don't speak IOS)

> But being your "rhost" empty... it does not sound good :-(

My sentiment exactly :-)

> You can also take a look at the maillog to check pop3/imap logins, but I don't 
> know where Dovecot sends these... "/var/log/mail.log"?

Yes, that's where they go. I just looked, and if I 'egrep -v' my real users and 
the net monitor, there's nothing of any interest.

> Yes, that's suspicious. You can also run rkhunter to scan your system. 

rkhunter. Thanks. I'll see what I can find.

-- 
Glenn English
hand-wrapped from my Apple Mail
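An added example, not part of this thread, of the mail.log triage Glenn describes (filter out the real users and the net monitor, then look at what is left) together with a check for the empty rhost= PAM lines Camaleón flags. The log lines are constructed in the Dovecot 2.x / pam_unix syslog style, and the function names and the known-user list are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): summarise Dovecot login activity
# in mail.log, hide known users, and flag PAM lines whose rhost= is empty.

# Constructed sample lines in the Dovecot 2.x / pam_unix syslog style.
SAMPLE_LOG='May 19 14:35:01 mx dovecot: imap-login: Login: user=<glenn>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
May 19 14:36:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
May 19 14:36:40 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
May 19 14:37:05 mx dovecot: imap-login: Login: user=<netmon>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1
May 19 14:38:22 mx dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
May 19 14:39:01 mx dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7'

# Real mailbox users plus the monitoring account, as an egrep alternation.
KNOWN_USERS='glenn|netmon'

# Login records (successful or "auth failed") for users NOT in the known list,
# summarised as "count rip user", most frequent first.  A "3 attempts in 9 secs"
# disconnect line is one record here; count it as one event.
unknown_user_attempts() {
    printf '%s\n' "$1" \
      | grep -E 'dovecot: (imap|pop3)-login: ' \
      | grep -Ev "user=<($2)>" \
      | sed -E 's/.*user=<([^>]*)>.*rip=([0-9a-fA-F.:]+).*/\2 \1/' \
      | sort | uniq -c | sort -rn
}

# PAM authentication failures that arrived with an empty rhost= field.
empty_rhost_failures() {
    printf '%s\n' "$1" | grep -E 'authentication failure;.* rhost=$'
}

unknown_user_attempts "$SAMPLE_LOG" "$KNOWN_USERS"
empty_rhost_failures "$SAMPLE_LOG"
```

On a live box replace SAMPLE_LOG with `$(cat /var/log/mail.log)` or pipe the file through the same greps; the known-user list is the only site-specific part.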
