Re: Serious Security Logging Issue

On Fri, 2005-03-11 at 12:27 -0500, David Cary Hart wrote:
> We're apparently getting hit with a large number of attempts to get into
> mailboxes (partial sample listing):
> --------------------------------------------------------------------
>         Mar 11 11:56:32 smtp dovecot(pam_unix)[15314]: authentication
>         failure; logname= uid=0 euid=0 tty= ruser= rhost= 
>         Mar 11 12:01:01 smtp crond(pam_unix)[15320]: session opened for
>         user root by (uid=0)
>         Mar 11 12:01:01 smtp crond(pam_unix)[15320]: session closed for
>         user root
>         Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user
>         unknown
>         Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication
>         failure; logname= uid=0 euid=0 tty= ruser= rhost= 
>         Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: check pass; user
>         unknown
>         Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication
>         failure; logname= uid=0 euid=0 tty= ruser= rhost= 
>         Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: check pass; user
>         unknown
>         Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication
>         failure; 
>         
> Nowhere can I find a client IP listing. These are not logged to secure
> nor maillog. I just started logging 110 in iptables. Is that my only
> option? Have I missed something?
> 

David, 

Ethereal might help.  Close down the pop and imap ports to only those IP
addresses that are authorized.  If you don't want to see all of the
drops from iptables, don't send them through a LOG rule.

Bob...
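
Added example, not part of the original message: since the pam_unix lines carry an empty rhost=, one way to recover candidate client addresses is to match each dovecot authentication failure against connections recorded by an iptables LOG rule on port 110, as David mentions starting. The "POP3:" log prefix, the addresses, the kernel line layout and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: pam_unix lines in the format quoted above (rejoined onto
# one line each) plus hypothetical kernel lines from an iptables LOG rule on 110.
SAMPLE = """\
Mar 11 12:04:04 smtp kernel: POP3: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=110 SYN
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user unknown
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:05 smtp kernel: POP3: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=40120 DPT=110 SYN
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:20:00 smtp kernel: POP3: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=110 SYN
Mar 11 12:30:00 smtp dovecot(pam_unix)[15400]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
CONN = re.compile(r"kernel: .*\bSRC=(\S+) .*\bDPT=110\b")
FAIL = re.compile(r"dovecot\(pam_unix\)\[(\d+)\]: authentication failure;")

def parse_time(text, year=2005):
    # Classic syslog timestamps omit the year, so the caller supplies it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_seconds=30):
    """Return (timestamp, pid, candidate source IPs) per dovecot auth failure."""
    conns, results = [], []
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        when, rest = parse_time(m.group(1)), m.group(2)
        if (c := CONN.search(rest)):
            conns.append((when, c.group(1)))
        elif (f := FAIL.search(rest)):
            # Connections opened shortly before the failure are the candidates.
            ips = sorted({ip for t, ip in conns
                          if timedelta(0) <= when - t <= window})
            results.append((m.group(1), f.group(1), ips))
    return results

if __name__ == "__main__":
    for stamp, pid, ips in correlate(SAMPLE):
        print(stamp, "pid", pid, "candidates:", ", ".join(ips) or "none logged")
```

A failure with several candidates means more than one client connected inside the window; the match narrows the source, it does not prove it.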

