On Sat, 19 May 2012 14:05:41 -0600, Glenn English wrote:

> I am getting many, many entries in auth.log like these:
>
> /var/log/auth.log:May 17 13:31:14 server dovecot-auth:
> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0
> tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 17 13:31:20 server dovecot-auth:
> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0
> tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 18 03:39:14 server dovecot-auth:
> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0
> tty=dovecot ruser=jkhhlkjh rhost=
(...)

Is your Dovecot publicly accessible? I also get login tries in my Cyrus coming from the outside; they're usually from automated bots running on zombie Windows machines... If that's the case, you can apply counter-measures to cut this kind of attack, for instance by installing fail2ban or denyhosts (also, some routers allow you to define rules to block/filter specific syn/ack traffic). But your "rhost" being empty... it does not sound good :-(

You can also take a look at the mail log to check pop3/imap logins, but I don't know where Dovecot sends these... "/var/log/mail.log"?

> Over on SDLU, I was told the empty "rhost=" looks like there is a Trojan
> using a socket on my email host. I knew nothing about sockets -- not
> much more now. Can anyone tell me how to find it and squash it?

(...)

Yes, that's suspicious. You can also run rkhunter to scan your system.

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/jp9069$27j$2...@dough.gmane.org
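An added example, not part of the thread: a small parser for the pam_unix "authentication failure" lines Glenn quoted, which separates failures with an empty rhost (no client address handed to PAM, the case the thread treats as suspicious) from those with one, and counts them per ruser. The sample lines are constructed after the quoted ones, with one extra constructed entry carrying a documentation address (203.0.113.5) for contrast.

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log entries quoted in the thread.
# The "/var/log/auth.log:" prefix is grep's filename prefix and is optional.
SAMPLE_LOG = """\
/var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
/var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
/var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
/var/log/auth.log:May 18 03:40:02 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.5
"""

PAM_FAILURE = re.compile(
    r"^(?:/[^:\s]+:)?"                          # optional grep filename prefix
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "       # syslog timestamp
    r"(?P<host>\S+) (?P<proc>[\w-]+): "         # hostname and process name
    r"pam_unix\((?P<service>[^)]+)\): authentication failure; "
    r"(?P<fields>.*)$"                          # trailing key=value pairs
)

def parse_pam_failures(text):
    """Return one dict per pam_unix 'authentication failure' line."""
    records = []
    for line in text.splitlines():
        m = PAM_FAILURE.match(line)
        if not m:
            continue  # not a pam_unix failure line; ignore it
        rec = {k: v for k, v in m.groupdict().items() if k != "fields"}
        # The fields are space-separated key=value pairs; a bare "rhost="
        # yields an empty string, which is exactly what we want to detect.
        for kv in m.group("fields").split():
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def empty_rhost_failures(records):
    """Failures where PAM was given no client address at all."""
    return [r for r in records if r.get("rhost", "") == ""]

def summarize(records):
    """Count failures per (ruser, rhost), labelling a missing rhost."""
    return Counter((r.get("ruser", ""), r.get("rhost") or "<empty>") for r in records)

if __name__ == "__main__":
    recs = parse_pam_failures(SAMPLE_LOG)
    for (user, rhost), n in summarize(recs).most_common():
        print(f"{n:3d}  ruser={user:<12} rhost={rhost}")
    print(f"{len(empty_rhost_failures(recs))} of {len(recs)} failures have an empty rhost")
```

Run it against a real file with `parse_pam_failures(open("/var/log/auth.log").read())`; entries with an rhost are the ones fail2ban can act on, the empty-rhost ones need a look at what is talking to the auth socket locally.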