From: Armando M. <arm...@st...> - 2012-04-22 14:39:27
Ciao Alberto,

On 11/11/2011 08:59 AM, Alberto Ganesh Barbati wrote:
> Hi Everybody,
> I succeeded in configuring sshguard to block attacks on sshd and vsftpd, but I still have problems with dovecot. According to the sshguard website, the attack signature for dovecot should look like this:
>
> imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

We support the log of the service itself, independently of the authentication system used.

> However, I tried different dovecot settings and I am unable to get it to produce the above line. The best I got is the following, in /var/log/secure:
>
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=X.X.X.X
> Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user daniela

Does dovecot log another line similar to the one already supported by Sshguard after this one? E.g., like the following

Nov 11 11:11:11 xxx dovecot-auth: imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

It would be hazardous to accept two logged lines instead of one. We also want to remain as independent as possible from the authentication system of the server.

Thanks for the report.

Cheers,
Armando
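An added illustration, not part of the original message and not sshguard's own parser: a single-line matcher for the dovecot signature quoted in the thread, run over constructed log lines to show that the PAM lines are ignored while the service's own line yields the address. The `pop3-login` variant, the function names and the sample addresses (including `192.0.2.7` in place of the redacted `rhost`) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Single-line signature from the thread. Matching pop3-login as well as
# imap-login is an assumption added for this example.
ABORTED = re.compile(
    r"(?P<svc>imap|pop3)-login: Aborted login "
    r"\(auth failed, (?P<n>\d+) attempts\):"
    r".*?\brip=(?P<rip>[0-9A-Fa-f:.]+), lip="
)

def parse_line(line):
    """Return (service, attempts, ip) for a matching line, else None."""
    m = ABORTED.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("rip"))
    except ValueError:  # rip= field is not a valid address: ignore the line
        return None
    return m.group("svc"), int(m.group("n")), str(ip)

def failed_attempts(lines):
    """Sum failed attempts per remote address, one log line at a time."""
    totals = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            totals[hit[2]] += hit[1]
    return totals

# Constructed sample input: three PAM lines shaped like those in the thread,
# the supported dovecot line, and one line with a malformed rip= value.
SAMPLE = [
    "Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
    "Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.7",
    "Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): "
    "error retrieving information about user daniela",
    "Nov 11 11:11:12 xxx dovecot: imap-login: Aborted login "
    "(auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1",
    "Nov 11 11:11:13 xxx dovecot: imap-login: Aborted login "
    "(auth failed, 2 attempts): XYZ rip=999.1.1.1, lip=127.0.0.1",
]

if __name__ == "__main__":
    print(dict(failed_attempts(SAMPLE)))
```

Each line is judged on its own, so nothing depends on correlating the PAM failure with a later line from a different process.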