
Re: OT: pam_unix(dovecot:auth): authentication failure.



Good time of the day, Federico.


Thank You, Federico, for Your time and answer. You wrote:

> > Could You please comment on this auth. failure:
> >
> > localhost auth: pam_unix(dovecot:auth): authentication failure;
> > logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
> >
> > ?
> >
> > As I understand this - one tried to login to dovecot - but dovecot
> > was

> What do you mean by "dovecot"? Dovecot manages various services:
> 
> 110 POP
> 143 IMAP
> 2000 or 4190 MANAGESIEVE
> 
> Are you sure you blocked all dovecot ports?

You have understood me absolutely correctly! That is what I meant, and
all those ports were closed for public networks - only for local network
addresses dovecot was accessible.
 
> Can you run a port scan against your host and verify that your firewall
> works as you expected?

Sure. Nmap says it is filtered.

> If you saved the logs, then you also have the dovecot logs in
> mail.log, did you find the entry that corresponds with this line in
> auth.log? Then you can know to what dovecot process the "attacker"
> connected.

The question is from where (rhost / lprocess) the attack was made -
rather than which dovecot process responded. We see that FW has closed
all the dovecot ports yet the attack took place. Also we cannot
specify what exactly that string of pam_unix means - the variables it
gives - sure, the one who will be able to interpret it will shed
light on the situation.

Thank You for help, Federico.


Sthu.
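
An added example, not part of the original message: a Python sketch that splits the quoted pam_unix line into its fields and looks in mail.log for Dovecot login lines with the same client address, the correlation Federico suggests. The timestamps, the mail.log lines and the `lip` address are constructed, and the code assumes Dovecot's login lines carry `rip=` and `lip=` fields.

```python
import re

# Constructed samples: the pam_unix fields are the ones quoted in the thread;
# timestamps, the mail.log lines and the lip= address are invented.
AUTH_LOG = """\
Mar  3 04:12:07 localhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
"""
MAIL_LOG = """\
Mar  3 04:12:09 localhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<null>, method=PLAIN, rip=91.201.64.249, lip=192.0.2.10
Mar  3 04:13:40 localhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.23, lip=192.168.1.10
"""

# What pam_unix reports in each field of an "authentication failure" line.
FIELD_MEANING = {
    "logname": "login name of the calling process's session (empty for a daemon)",
    "uid": "real uid of the process that called PAM, not of the remote user",
    "euid": "effective uid of that same process",
    "tty": "PAM_TTY item as set by the calling application",
    "ruser": "PAM_RUSER item as set by the calling application",
    "rhost": "PAM_RHOST item: client address as reported by the application",
}

PAM_RE = re.compile(r"pam_unix\((?P<service>[^:)]+):\w+\): authentication failure; (?P<kv>.*)")
DOVECOT_RE = re.compile(r"dovecot: (?P<proc>[\w-]+): .*?\brip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)")

def parse_pam_failure(line):
    """Return the key=value fields of a pam_unix failure line, or None."""
    m = PAM_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))  # values may be empty
    fields["service"] = m.group("service")
    return fields

def correlate(auth_log, mail_log):
    """Match each failure's rhost to Dovecot lines with the same rip (IP only, no time window)."""
    hits = []
    for line in auth_log.splitlines():
        pam = parse_pam_failure(line)
        if not pam or not pam.get("rhost"):
            continue
        for m in map(DOVECOT_RE.search, mail_log.splitlines()):
            if m and m.group("rip") == pam["rhost"]:
                hits.append((pam["rhost"], m.group("proc"), m.group("lip")))
    return hits

if __name__ == "__main__":
    for key, value in parse_pam_failure(AUTH_LOG.splitlines()[0]).items():
        print(f"{key}={value!r}: {FIELD_MEANING.get(key, 'PAM service name')}")
    print(correlate(AUTH_LOG, MAIL_LOG))
```

The `lip` value in a matching line shows which local address accepted the connection, which can be compared against the firewall rules for that interface.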

