Re: OT: pam_unix(dovecot:auth): authentication failure.
Good time of the day, Federico.
Thank You, Federico, for Your time and answer. You wrote:
> > Could You please comment on this auth. failure:
> >
> > localhost auth: pam_unix(dovecot:auth): authentication failure;
> > logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
> >
> > ?
> >
> > As I understand this - one tried to login to dovecot - but dovecot
> > was
> What do you mean by "dovecot"? Dovecot manages various services:
>
> 110 POP
> 143 IMAP
> 2000 or 4190 MANAGESIEVE
>
> Are you sure you blocked all dovecot ports?
You have understood me absolutely correctly! That is what I meant, and all those
ports were closed for public networks - only for local network
addresses dovecot was accessible.
> Can you run a port scan against your host and verify that your firewall
> works as you expected?
Sure. Nmap says it is filtered.
> If you saved the logs, then you also have the dovecot logs in
> mail.log, did you find the entry that corresponds with this line in
> auth.log? Then you can know to what dovecot process the "attacker"
> connected.
The question is from where (rhost / lprocess) the attack was made -
rather than which dovecot process responded. We see that FW has closed
all the dovecot ports yet the attack took place. Also we can not
specify what exactly that string of pam_unix means - the variables it
gives - sure, the one who will be able to interpret it will shed
light on the situation.
Thank You for help, Federico.
Sthu.
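
The log correlation suggested in the quoted reply, as an added example that is not part of the original thread: it parses the quoted pam_unix line (including the empty `logname=` value) and matches its `rhost` against `rip=` in Dovecot login lines to see which login process handled the connection. The mail.log lines are constructed samples in Dovecot's usual login-log style, and the function names are hypothetical.

```python
import re

# The auth.log entry is the one quoted in the thread. The mail.log lines are
# CONSTRUCTED samples (timestamps, users and local addresses are made up).
AUTH_LINE = ("localhost auth: pam_unix(dovecot:auth): authentication failure; "
             "logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249")
MAIL_LOG = """\
Jan 10 03:14:07 localhost dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<null>, method=PLAIN, rip=91.201.64.249, lip=192.0.2.10
Jan 10 03:15:30 localhost dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.1
"""

PAM_RE = re.compile(r"pam_unix\((?P<service>[^:)]+):(?P<type>[^)]+)\): "
                    r"(?P<msg>[^;]+);(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* lets an empty value (logname=) parse as ""
LOGIN_RE = re.compile(r"dovecot: (?P<proc>[\w-]+-login): (?P<event>[^:]+)"
                      r".*?\brip=(?P<rip>[0-9a-fA-F.:]+)")

def parse_pam_unix(line):
    """Split a pam_unix log line into service, module type, message and fields.

    uid/euid describe the process that called PAM (here Dovecot's auth
    process), tty/ruser/rhost are values supplied by that application.
    """
    m = PAM_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    return {"service": m["service"], "type": m["type"],
            "message": m["msg"].strip(), **fields}

def correlate(pam, mail_log):
    """Return (login process, event) for Dovecot lines whose rip equals rhost."""
    hits = []
    for line in mail_log.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["rip"] == pam.get("rhost"):
            hits.append((m["proc"], m["event"].strip()))
    return hits

if __name__ == "__main__":
    pam = parse_pam_unix(AUTH_LINE)
    for key, value in pam.items():
        print(f"{key:8} = {value!r}")
    for proc, event in correlate(pam, MAIL_LOG):
        print(f"{pam['rhost']} reached {proc}: {event}")
```
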