From: WarnerJan V. <war...@qp...> - 2013-03-07 10:53:59
Hello list,

My Dovecot server is getting hammered with dictionary logins. I can't get SSHGuard to block these. I can confirm SSHGuard is working since all the SSH attempts get properly blocked. I can see their IPs in iptables -nL.

In /var/log/auth.log are hundreds of these lines:

    Mar 7 10:28:51 XXX dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=190.15.174.126 user=root

I find similar lines in /var/log/syslog (but I don't feed that logfile to the LogSucker, should I?):

    Mar 7 10:29:23 xxx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=190.15.174.126, lip=X.X.X.X

This is the line that starts SSHGuard in init.d/sshguard:

    /usr/local/sbin/sshguard -l /var/log/mail.info -l /var/log/auth.log -w /etc/sshguard_whitelist > /dev/null 2>&1 &

What more should I do to have SSHGuard catch the dovecot attempts?

(Running Debian 6, Dovecot 1.2.15, SSHGuard 1.5.0)

Cheers!
WarnerJan
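Added example, not part of the original message and not SSHGuard's own parser: a Python tally of failed Dovecot logins per source address from the two line formats quoted above, useful for checking what a log-based blocker would have to match. The function names, the threshold of 3, and the sample lines (constructed, using documentation addresses) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The two Dovecot failure formats quoted in the post (auth.log and syslog).
PAM_FAIL = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
    r"logname=\S* uid=\d+ euid=\d+ tty=dovecot ruser=\S* rhost=(?P<ip>\S+)")
# imap-login is assumed to log in the same shape as the pop3-login line.
LOGIN_FAIL = re.compile(
    r"dovecot: (?:pop3|imap)-login: .*\(auth failed, (?P<n>\d+) attempts\)"
    r".*\brip=(?P<ip>[^,\s]+)")

def tally(lines):
    """Return {ip: {"pam": n, "login": m}} of failed attempts per address."""
    counts = defaultdict(lambda: {"pam": 0, "login": 0})
    for line in lines:
        for kind, rx in (("pam", PAM_FAIL), ("login", LOGIN_FAIL)):
            m = rx.search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                continue  # rhost may be a hostname or junk; skip, don't guess
            counts[ip][kind] += int(m.groupdict().get("n") or 1)
    return dict(counts)

def offenders(lines, threshold=3, whitelist=()):
    """Addresses at or over the threshold, excluding whitelisted ones."""
    # max() rather than sum: both logs may record the same attempt (assumption).
    return sorted(ip for ip, c in tally(lines).items()
                  if max(c.values()) >= threshold and ip not in whitelist)

# Constructed sample lines modelled on the formats in the post.
SAMPLE = """\
Mar  7 10:28:51 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=203.0.113.7  user=root
Mar  7 10:28:55 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7  user=admin
Mar  7 10:29:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=203.0.113.7  user=test
Mar  7 10:29:23 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  7 10:30:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
Mar  7 10:30:10 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
Mar  7 10:31:00 mail sshd[411]: Failed password for root from 203.0.113.99 port 4022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Running it against the real /var/log/auth.log and /var/log/syslog shows which of the two files carries enough matching lines per address to cross a blocking threshold.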