Re: Blacklist & Whilelist IP's from server?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/05/2005 05:28 AM, Alexander Dalloz wrote:
> pam_abl would/should only blacklist those hosts or users with over the
> limit failed login/auth attempts. You say each IMAP connection to the
> dovecot server triggers a failed attempt and leads to blocking the user?

Yes. Here is the result of 'pam_abl -v' shortly after user magnus was
denied access.

Reading config from /etc/security/pam_abl.conf
Failed users:
    lars (9)
        Sat Aug  6 07:55:06 2005
        Fri Aug  5 10:30:01 2005
        Thu Aug  4 23:04:18 2005
        Thu Aug  4 22:31:40 2005
        Thu Aug  4 22:31:36 2005
        Thu Aug  4 22:31:34 2005
        Thu Aug  4 22:31:33 2005
        Thu Aug  4 22:31:21 2005
        Thu Aug  4 22:30:02 2005
    magnus (40)
        Sat Aug  6 14:07:09 2005
        Sat Aug  6 14:07:04 2005
        Sat Aug  6 14:01:31 2005
        Sat Aug  6 13:59:29 2005
        Sat Aug  6 13:57:28 2005
        Sat Aug  6 13:55:27 2005
        Sat Aug  6 13:53:20 2005
        Sat Aug  6 13:51:03 2005
        Sat Aug  6 13:49:01 2005
        Sat Aug  6 13:45:00 2005
        Sat Aug  6 13:44:58 2005
        Fri Aug  5 20:48:54 2005
        Fri Aug  5 20:46:52 2005
        Fri Aug  5 20:44:32 2005
        Fri Aug  5 20:42:30 2005
        Fri Aug  5 20:40:25 2005
        Fri Aug  5 20:38:14 2005
        Fri Aug  5 20:38:13 2005
        Fri Aug  5 18:37:02 2005
        Fri Aug  5 18:36:58 2005
        Fri Aug  5 18:35:02 2005
        Fri Aug  5 18:34:58 2005
        Fri Aug  5 18:32:56 2005
        Fri Aug  5 18:32:51 2005
        Fri Aug  5 18:14:29 2005
        Fri Aug  5 18:12:11 2005
        Fri Aug  5 18:10:07 2005
        Fri Aug  5 18:07:48 2005
        Fri Aug  5 18:05:55 2005
        Fri Aug  5 18:05:54 2005
        Fri Aug  5 17:51:43 2005
        Fri Aug  5 17:47:27 2005
        Fri Aug  5 17:45:09 2005
        Fri Aug  5 17:43:07 2005
        Fri Aug  5 17:41:12 2005
        Fri Aug  5 17:41:10 2005
        Thu Aug  4 22:05:33 2005
        Thu Aug  4 22:03:29 2005
        Thu Aug  4 22:01:26 2005
        Thu Aug  4 22:01:22 2005
Failed hosts:
------------

And here is the result of 'grep imap /var/log/maillog'

Aug  4 21:45:32 server imap-login: Disconnected [81.216.166.177]
Aug  4 21:46:11 server imap-login: Disconnected [81.216.166.177]
Aug  4 22:01:22 server imap-login: Login: magnus [81.216.166.177]
Aug  4 22:01:26 server imap-login: Login: magnus [81.216.166.177]
Aug  4 22:03:29 server imap-login: Login: magnus [81.216.166.177]
Aug  4 22:05:33 server imap-login: Login: magnus [81.216.166.177]
Aug  4 22:28:23 server imap-login: Aborted login [127.0.0.1]
Aug  4 22:30:02 server imap-login: Aborted login [127.0.0.1]
Aug  4 22:31:21 server imap-login: Aborted login [127.0.0.1]
Aug  4 22:31:33 server imap-login: Login: lars [127.0.0.1]
Aug  4 22:31:40 server imap-login: Login: lars [127.0.0.1]
Aug  4 23:04:18 server imap-login: Login: lars [192.168.0.9]
Aug  5 10:30:01 server imap-login: Login: lars [192.168.0.9]
Aug  5 17:41:10 server imap-login: Login: magnus [81.216.166.177]
Aug  5 17:41:12 server imap-login: Login: magnus [81.216.166.177]
Aug  5 17:43:07 server imap-login: Login: magnus [81.216.166.177]
Aug  5 17:45:09 server imap-login: Login: magnus [81.216.166.177]
Aug  5 17:47:27 server imap-login: Login: magnus [81.216.166.177]
Aug  5 17:51:43 server imap-login: Login: magnus [81.216.166.177]
Aug  5 18:05:54 server imap-login: Login: magnus [81.216.166.177]
Aug  5 18:10:07 server imap-login: Login: magnus [81.216.166.177]
Aug  5 18:12:13 server imap-login: Disconnected [81.216.166.177]
Aug  5 18:14:30 server imap-login: Disconnected [81.216.166.177]
Aug  5 18:32:53 server imap-login: Disconnected [81.216.166.177]
Aug  5 18:35:03 server imap-login: Disconnected [81.216.166.177]
Aug  5 18:36:59 server imap-login: Disconnected [81.216.166.177]
Aug  5 18:37:59 server imap-login: Disconnected: Inactivity [81.216.166.177]
Aug  5 20:38:13 server imap-login: Login: magnus [81.216.166.177]
Aug  5 20:42:30 server imap-login: Login: magnus [81.216.166.177]
Aug  5 20:44:32 server imap-login: Login: magnus [81.216.166.177]
Aug  5 20:46:52 server imap-login: Login: magnus [81.216.166.177]
Aug  5 20:48:54 server imap-login: Login: magnus [81.216.166.177]
Aug  6 07:55:06 server imap-login: Login: lars [192.168.0.9]
Aug  6 13:44:58 server imap-login: Login: magnus [81.216.166.177]
Aug  6 13:45:00 server imap-login: Login: magnus [81.216.166.177]
Aug  6 13:49:01 server imap-login: Login: magnus [81.216.166.177]
Aug  6 13:51:03 server imap-login: Login: magnus [81.216.166.177]
Aug  6 13:53:20 server imap-login: Login: magnus [81.216.166.177]
Aug  6 13:55:28 server imap-login: Disconnected [81.216.166.177]
Aug  6 13:57:36 server imap-login: Disconnected [81.216.166.177]
Aug  6 14:00:06 server imap-login: Disconnected [81.216.166.177]
Aug  6 14:02:28 server imap-login: Disconnected: Inactivity [81.216.166.177]
Aug  6 14:07:06 server imap-login: Disconnected [81.216.166.177]
Aug  6 14:07:10 server imap-login: Disconnected [81.216.166.177]
-------------

As you can see even the successful logins seem to be counted.

> The PAM setup looks proper. What did you configure with pam_abl.conf?

At the moment, nothing, it is the default.

Nothing in the dovecot.conf file, regarding authorizing, have been changed.

I will see if I can find something here causing this, if not I will put
it all into bugzilla.

Lars
-- 
Lars E. Pettersson <lars@xxxxxxxx>
http://www.sm6rpz.se/
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux