
Re: pam problem

On Sat, 19 May 2012 14:59:19 -0600, Glenn English wrote:

> On May 19, 2012, at 2:35 PM, Camaleón wrote:
> 
>> Is your Dovecot publicly accessible?
> 
> Yes.

Okay, then the attacks make more sense. 

What still worries me is the empty (yet unknown) IP address of the 
machine from where this is coming, and I don't know Dovecot (with PAM 
auth) well enough to completely understand what can generate a blank "rhost", 
because even for a connection from a local machine (or the same computer 
where Dovecot is installed) I'd expect an IP printed there, either remote 
or local (127.0.0.1, 192.168.x.x, etc...) :-?

Can you compare these entries ("rhost=") with the ones you get on a normal 
login? That is, when a user is properly identified. Is the host available 
then?

>> I also get login tries in my Cyrus
>> coming from the outside, they're usually from automated bots running on
>> zombie Windows machines... if that's the case, you can apply
>> counter-measures to cut this kind of attack, for instance, by
>> installing fail2ban
> 
> Done, and it's denying Postfix and auth incidents of interest.

Good. You can now monitor the attack and logs will tell you if fail2ban 
is doing its work :-)

>> (also, some routers allow you to define rules to block/filter by specific
>> syn/ack traffic).
> 
> My border router is a Cisco with significant acls. But they seem to be
> all about ICMP/UDP/TCP, IP, and port. I'll look into more specific
> restrictions.
> 
> From one of the access lists:
> 
>> 30 permit udp any host 209.97.231.219 eq ntp (27611222 matches)
> 
> (access to the NTP server, in case you don't speak IOS)

I have no previous experience with Cisco routers but acl filter rules are 
almost like mathematical symbols: they're universally understood :-)

Anyway, better that you touch nothing at the Cisco side, fail2ban will do 
the job.

>> But being your "rhost" empty... it does not sound good :-(
> 
> My sentiment exactly :-)
> 
>> You can also take a look at the mail log to check pop3/imap logins, but I
>> don't know where Dovecot sends these... "/var/log/mail.log"?
> 
> Yes, that's where they go. I just looked, and if I 'egrep -v' my real
> users and the net monitor, there's nothing of any interest.

Isn't the attacker's IP logged there? Weird. You can also make the login 
process more verbose in Dovecot by setting "auth_verbose=yes"; you 
have more options here:

http://wiki2.dovecot.org/Logging 

>> Yes, that's suspicious. You can also run rkhunter to scan your system.
> 
> rkhunter. Thanks. I'll see what I can find.

That way you will discard something wrong coming from your own side.

Greetings,

-- 
Camaleón
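An added example, not part of this thread: a small Python parser for the pam_unix "authentication failure" lines that Dovecot's PAM auth writes to the mail/auth log, counting failures per "rhost=" so blank-rhost entries can be compared with those from normal logins. The log lines below are constructed, and the line format is the standard pam_unix one (assumed here, not quoted from the thread).

```python
import re
from collections import Counter, defaultdict

# pam_unix failure line as emitted through syslog by Dovecot's PAM auth.
# "rhost=" may be empty, which is exactly the case discussed above.
PAM_FAIL = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = """\
May 19 14:01:02 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=203.0.113.7 user=alice
May 19 14:01:05 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost= user=admin
May 19 14:01:06 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost= user=test
May 19 14:01:09 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.7 user=bob
May 19 14:02:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""


def summarize_pam_failures(log_text):
    """Count PAM auth failures per remote host; the key '' means rhost was blank."""
    per_host = Counter()
    users_per_host = defaultdict(set)
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        per_host[m["rhost"]] += 1
        users_per_host[m["rhost"]].add(m["user"])
    return per_host, users_per_host


def blank_rhost_report(log_text):
    """Separate blank-rhost failures (which fail2ban has no address to ban)
    from failures that carry a usable source IP."""
    per_host, users = summarize_pam_failures(log_text)
    return {
        "blank_rhost_failures": per_host.get("", 0),
        "blank_rhost_users": sorted(users.get("", ())),
        "hosts": {h: c for h, c in per_host.items() if h},
    }


if __name__ == "__main__":
    print(blank_rhost_report(SAMPLE_LOG))
```

Entries counted under the blank key are the ones to compare against a known-good login: if real logins always carry an address, blank-rhost failures are not something fail2ban can act on by IP.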

