Good time of the day, Igor.

Thank You, Igor, for Your time and answer. If You have any further ideas, please share them w/ me.

You wrote:
> > > > localhost auth: pam_unix(dovecot:auth): authentication failure;
> > > > logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
> > > >
> > > It means someone tried to login to your webmail as root from
> > > outside. I get lots of them all the time usually bot attacks.
> > >
> > Can You extend a bit Your answer?
> >
> Obviously you have public access to your mail server via webmail of
> kind right? And you have username/password login screen and thats
> where the login as root has failed.

No! And that's the problem - if I had such an access allowed - no questions, but I manage the server myself directly (changing conf. files manually). And the firewall does not allow access from the IP to dovecot (see below, please). But let's withdraw from this idea - as how it changed - for there can be a lot of possible ways.

Could You please explain exactly what that string means OR may You give me a link specifying that? - I've checked the man pages on pam_unix and pam - did not find explanations of those variables, nor did a web search give me the desired explanation.

Here I cannot understand: did they connect remotely, fooling my firewall somehow (probably as if from my local network), OR was it done through a local process, and therefore I probably have a back door on the machine?

> > 1. Here "uid=0" and "ruser=null" - does it mean that the attack was
> > made w/ root privileges and only dovecot user "null" was used? OR
> > It means that dovecot runs w/ root privileges?
> >
> > 2. "rhost=91.201.64.249" means that attack was made not by local
> > process?
> >
> > 3. Do You have any idea how firewall could pass that connection
> > since only local network host are permitted to connect on 110 port?
> > - I mean is there any trick by which firewall could be fooled by
> > remote host masking as if it has local IP and at PAM being
> > discovered - it is from remote network?

Again, thank You for Your answer/ideas.

Sthu.