Re: pam problem
On May 19, 2012, at 2:35 PM, Camaleón wrote:
> Is your Dovecot publicly accessible?
Yes.
> I also get login tries in my Cyrus
> coming from the outside, they're usually from automated bots running on
> zombie windows machines... if that's the case, you can apply counter-measures
> to cut these kinds of attacks, for instance, by installing fail2ban
Done, and it's denying Postfix and auth incidents of interest.
> (also, some routers allow you to define rules to block/filter by specific syn/ack
> traffic).
My border router is a Cisco with significant ACLs. But they seem to be all about
ICMP/UDP/TCP, IP, and port. I'll look into more specific restrictions.
From one of the access lists:
> 30 permit udp any host 209.97.231.219 eq ntp (27611222 matches)
(access to the NTP server, in case you don't speak IOS)
> But being your "rhost" empty... it does not sound good :-(
My sentiment exactly :-)
> You can also take a look at the mailog to check pop3/imap logins, but I don't
> know where Dovecot sends these... "/var/log/mail.log"?
Yes, that's where they go. I just looked, and if I 'egrep -v' my real users and
the net monitor, there's nothing of any interest.
> Yes, that's suspicious. You can also run rkhunter to scan your system.
rkhunter. Thanks. I'll see what I can find.
--
Glenn English
hand-wrapped from my Apple Mail
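A defender's version of the mail.log check discussed in this thread, added here as example code (not from either poster): it parses pam_unix authentication-failure lines as Dovecot's PAM auth worker writes them, drops the real users and the net monitor the way the 'egrep -v' does, counts what remains per source address, and flags any failure whose rhost is empty. The user names, addresses and log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of pam_unix "authentication failure" lines in the shape
# Dovecot's PAM auth worker logs them to /var/log/mail.log; not real data.
SAMPLE_LOG = """\
May 19 14:20:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=glenn rhost=192.0.2.10 user=glenn
May 19 14:20:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=monitor rhost=192.0.2.2 user=monitor
May 19 14:21:13 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.44 user=admin
May 19 14:21:14 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost= user=test
May 19 14:21:15 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.44 user=admin
"""

# Assumed names for the real users and the net monitor (the 'egrep -v' list).
KNOWN_USERS = {"glenn", "monitor"}

FAILURE_RE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)


def parse_failures(log_text):
    """Yield (user, rhost) for every PAM auth-failure line; rhost may be ''."""
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            yield m.group("user"), m.group("rhost")


def triage(log_text, known_users):
    """Drop known users, then split the rest into failures with a source
    address (per-host counts, the usual bot pattern) and failures with an
    empty rhost, which the thread singles out as the worrying case."""
    by_host = Counter()
    empty_rhost = []
    for user, rhost in parse_failures(log_text):
        if user in known_users:
            continue
        if rhost:
            by_host[rhost] += 1
        else:
            empty_rhost.append(user)
    return by_host, empty_rhost


if __name__ == "__main__":
    hosts, empties = triage(SAMPLE_LOG, KNOWN_USERS)
    for host, n in hosts.most_common():
        print(f"{n:3d} failures from {host}")
    for user in empties:
        print(f"empty rhost on failure for user {user!r}")
```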