
[rhelv5-list] Dovecot under attack?

Nick Jennings

2008-01-30

Hello,

I just noticed a huge number of pop3-login and imap-login processes
spawning and checked the logs, and I seemed to be getting completely
hammered with failed connection attempts; at the end of this email is a
small sample of some log output.

Luckily this machine is not in production yet, so I just shut down
the dovecot daemon. I was wondering if anyone could suggest any measures
I can take to stop this kind of thing happening? Also, what kinds of
risks does this sort of attack expose me to? Could it bring my server
down, or could they actually break in?

Thanks for any advice or suggestions; see the log sample below.
-Nick Jennings

==> audit/audit.log <==
type=USER_AUTH msg=audit(1201707478.163:3883): user pid=24197 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.178:3884): user pid=24198 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.193:3885): user pid=24199 uid=0
auid=500 msg='PAM: authentication acct="mail" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.194:3886): user pid=24200 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.196:3887): user pid=24202 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.197:3888): user pid=24203 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'
type=USER_AUTH msg=audit(1201707478.197:3889): user pid=24201 uid=0
auid=500 msg='PAM: authentication acct="?" :
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:207.234.131.201, addr=::ffff:207.234.131.201, terminal=dovecot res=failed)'


==> secure <==
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass;
user unknown
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=::ffff:207.234.131.201
Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error
retrieving information about user guest
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass;
user unknown
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=::ffff:207.234.131.201
Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error
retrieving information about user abuse
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass;
user unknown
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=::ffff:207.234.131.201
Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error
retrieving information about user webtest
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass;
user unknown
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=::ffff:207.234.131.201
Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error
retrieving information about user www
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth): check pass;
user unknown
Jan 30 09:37:56 srv1 dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=::ffff:207.234.131.201
Jan 30 09:37:56 srv1 dovecot-auth: pam_succeed_if(dovecot:auth): error
retrieving information about user www

==> maillog <==
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<office>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.109
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<account>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.106
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<contact>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.107
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<access>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.99
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<abuse>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.98
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<service>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.108
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<test>,
method=PLAIN, rip=::ffff:207.234.131.201, lip=::ffff:74.54.185.106
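As an added example that is not part of the original post: a small Python detector that parses Dovecot maillog "Aborted login" lines of the shape shown above and flags a remote address that racks up many failures against many different usernames within a short window, which is what a dictionary of account names looks like and what a user mistyping one password does not. The log lines (RFC 5737 documentation addresses), the year, and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Dovecot 1.x maillog format quoted in the post.
# Five failures with five different usernames from one source in one second,
# and a single failure from another source.
SAMPLE_MAILLOG = """\
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<office>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:198.51.100.9
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<account>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:198.51.100.9
Jan 30 09:37:55 srv1 dovecot: pop3-login: Aborted login: user=<contact>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:198.51.100.9
Jan 30 09:37:56 srv1 dovecot: pop3-login: Aborted login: user=<abuse>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:198.51.100.9
Jan 30 09:37:56 srv1 dovecot: imap-login: Aborted login: user=<test>, method=PLAIN, rip=::ffff:203.0.113.7, lip=::ffff:198.51.100.9
Jan 30 09:38:10 srv1 dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:192.0.2.44, lip=::ffff:198.51.100.9
"""

ABORTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>\w+-login): "
    r"Aborted login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>\S+), lip=(?P<lip>\S+)$"
)

def strip_mapped(addr):
    """Dovecot on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d (as in the post); normalise."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def parse_aborted_logins(text, year=2008):
    """Yield (timestamp, remote_ip, username, service) for every aborted-login line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2008 here)."""
    for line in text.splitlines():
        m = ABORTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, strip_mapped(m["rip"]), m["user"], m["svc"]

def find_bruteforcers(text, max_failures=5, window_seconds=60, min_distinct_users=3):
    """Return {ip: (failures, distinct_users)} for the busiest sliding window of each
    source that reaches both thresholds. Thresholds are assumptions to be tuned."""
    by_ip = defaultdict(list)
    for ts, ip, user, _svc in parse_aborted_logins(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            hits = end - start + 1
            if hits >= max_failures and len(users) >= min_distinct_users \
                    and hits > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (hits, len(users))
    return flagged
```

The pam_succeed_if "error retrieving information about user" lines in the secure log carry the same usernames and can be counted the same way to confirm that a flagged source is probing for account names rather than passwords.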



_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list