Re: OT: pam_unix(dovecot:auth): authentication failure.
Good time of the day, Igor.
Thank You, Igor, for Your time and answer.
If You have any further ideas, please share them w/ me.
You wrote:
> > > > localhost auth: pam_unix(dovecot:auth): authentication failure;
> > > > logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
> >
> > > It means someone tried to login to your webmail as root from
> > > outside. I get lots of them all the time usually bot attacks.
> >
> > Can You extend a bit Your answer?
> >
>
> Obviously you have public access to your mail server via webmail of
> some kind, right? And you have a username/password login screen and that's
> where the login as root has failed.
No! And that's the problem - if I had such access allowed - no
questions, but I manage the server myself directly (changing conf.
files manually). And the firewall does not allow access from that IP to
dovecot (see below, please).
But let's withdraw from this idea - as to how it changed - for there can
be a lot of possible ways. Could You please explain exactly what that
string means OR may You give me a link specifying that? - I've checked
the man pages on pam_unix and pam - did not find explanations of those
variables, nor did a web search give me the desired explanation.
Here I cannot understand: did they connect remotely, fooling my
firewall somehow (probably as if from my local network), OR was it done
through a local process, and therefore I probably have a back door on
the machine?
> > 1. Here "uid=0" and "ruser=null" - does it mean that the attack was
> > made w/ root privileges and only dovecot user "null" was used? OR
> > It means that dovecot runs w/ root privileges?
> >
> > 2. "rhost=91.201.64.249" means that attack was made not by local
> > process?
> >
> > 3. Do You have any idea how the firewall could pass that connection
> > since only local network hosts are permitted to connect on port 110?
> > - I mean, is there any trick by which the firewall could be fooled by a
> > remote host masking as if it has a local IP, and at PAM being
> > discovered - it is from a remote network?
Again, thank You for Your answer/ideas.
Sthu.
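The thread above asks what each field of the pam_unix "authentication failure" line means and whether the reported host is local or remote. The following is an added example (editor's code, not part of the thread and not Dovecot's or Linux-PAM's code) that parses such lines and sorts the failures by service and by whether rhost falls inside an allowed local network. The interpretation encoded in the comments is the standard pam_unix one: uid/euid are the real and effective UID of the process calling PAM (the service's auth process, not the person logging in), tty/ruser/rhost are the PAM items the service supplied, and rhost is the client address as reported by the service rather than anything the firewall verified. The first sample line is quoted from the thread; the other lines, the IP 192.168.1.10, 10.0.0.5 and the user names are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Field layout of pam_unix's failure message:
#   pam_unix(<service>:<type>): authentication failure; logname= uid= euid= tty= ruser= rhost= [user=]
# uid/euid   : real/effective UID of the process that called PAM (uid=0 euid=0 here means the
#              dovecot auth worker itself runs as root, not that the attacker had root).
# tty        : PAM_TTY as set by the service (Dovecot sets the literal string "dovecot").
# ruser      : PAM_RUSER; pam_unix prints "null" when the service did not set it.
# rhost      : PAM_RHOST, the client address as reported by the service.
# user       : the account that failed to authenticate; absent in the quoted line.
PAM_UNIX_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):(?P<type>[^)]+)\): authentication failure; "
    r"logname=(?P<logname>\S*) uid=(?P<uid>\d+) euid=(?P<euid>\d+) "
    r"tty=(?P<tty>\S*) ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)"
    r"(?: user=(?P<user>\S+))?"
)

# Constructed sample syslog lines; SAMPLE_LOG[0] is the line quoted in the thread.
SAMPLE_LOG = [
    "Jan 10 03:12:01 localhost auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249",
    "Jan 10 03:12:05 localhost auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249 user=root",
    "Jan 10 08:00:00 localhost auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=null rhost=192.168.1.10 user=alice",
    "Jan 10 08:00:01 localhost sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob",
    "Jan 10 08:00:02 localhost su: pam_unix(su:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=pts/0 ruser=alice rhost= user=root",
    "Jan 10 08:00:03 localhost cron[55]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_pam_unix(line):
    """Return a dict of the pam_unix failure fields, or None if the line is not one."""
    m = PAM_UNIX_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["euid"] = int(rec["euid"])
    # Empty fields and pam_unix's literal "null" both mean "not supplied by the service".
    for key in ("logname", "tty", "ruser", "rhost", "user"):
        if rec[key] in ("", "null", None):
            rec[key] = None
    return rec


def classify_failures(lines, local_nets):
    """Count failures per (service, origin) where origin is local/remote/no-rhost/unparsable."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    counts = Counter()
    for line in lines:
        rec = parse_pam_unix(line)
        if rec is None:
            continue  # not a pam_unix failure line
        rhost = rec["rhost"]
        if rhost is None:
            origin = "no-rhost"  # e.g. su: a local process, no client address involved
        else:
            try:
                ip = ipaddress.ip_address(rhost)
            except ValueError:
                origin = "unparsable"  # a hostname or garbage; worth a second look
            else:
                origin = "local" if any(ip in n for n in nets) else "remote"
        counts[(rec["service"], origin)] += 1
    return counts


if __name__ == "__main__":
    for svc_origin, n in sorted(classify_failures(SAMPLE_LOG, ["192.168.1.0/24", "10.0.0.0/8"]).items()):
        print(svc_origin, n)
```

A failure tagged "remote" for dovecot means the service itself told PAM the client came from outside the allowed ranges, so the next check belongs on the listener side (which addresses and ports dovecot is bound on, and the firewall counters for them), not on the PAM side.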