From: Alberto G. B. <aba...@ia...> - 2011-11-11 08:22:05
Hi Everybody,

I succeeded in configuring sshguard to block attacks on sshd and vsftpd, but I still have problems with dovecot. According to the sshguard website, the attack signature for dovecot should look like this:

    imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

However, I tried different dovecot settings and I am unable to make it produce the above line. The best I got is the following, in /var/log/secure:

    Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=X.X.X.X
    Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user daniela

and the following in /var/log/mail/dovecot.log:

    dovecot: Nov 11 11:11:11 Info: auth(default): pam(daniela,X.X.X.X): pam_authenticate() failed: User not known to the underlying authentication module

Unfortunately, neither of these signatures are detected as attacks by sshguard. I am running a CentOS 5.7 box with dovecot 1.0.7.

Any help is greatly appreciated.

TIA,
Alberto
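The three log formats quoted in the message, run through a small matcher that shows which lines carry a remote address to act on. This is an added example, not part of the original message and not sshguard's own parser; the function and pattern names, the threshold, and the 192.0.2.10 sample address (standing in for X.X.X.X) are constructed for illustration.

```python
import re
from collections import Counter

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per log format quoted in the message (pattern names are hypothetical).
PATTERNS = {
    # Signature the message quotes from the sshguard website.
    "login-aborted": re.compile(
        r"imap-login: Aborted login \(auth failed, \d+ attempts\):.*\brip=" + IPV4),
    # /var/log/secure: only the "authentication failure" line carries rhost=.
    "pam-unix": re.compile(
        r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure;.*\brhost=" + IPV4),
    # dovecot.log: the address is the second field inside pam(user,addr).
    "auth-pam": re.compile(
        r"auth\(default\): pam\([^,]*," + IPV4 + r"\): pam_authenticate\(\) failed"),
}

def failed_login_source(line):
    """Return (pattern_name, ip) for a failed-login line with an address, else None."""
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.group("ip")
    return None

def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failed logins in one log file.
    Count one file at a time: a failed attempt may be logged in both files."""
    hits = Counter()
    for line in lines:
        found = failed_login_source(line)
        if found:
            hits[found[1]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample: the message's lines with X.X.X.X replaced by 192.0.2.10.
SECURE = [
    "Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
    "Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10",
    "Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): "
    "error retrieving information about user daniela",
]
DOVECOT_LOG = [
    "dovecot: Nov 11 11:11:11 Info: auth(default): pam(daniela,192.0.2.10): "
    "pam_authenticate() failed: User not known to the underlying authentication module",
]

if __name__ == "__main__":
    for line in SECURE + DOVECOT_LOG:
        print(failed_login_source(line), "<-", line[:60])
    print(offenders(SECURE * 3))
```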