Hi, I am trying to use the logs to show the IP that brute force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts.
dovecot 2.0.12 / CentOS 5.4 / imaps only (993)

I have tried a bunch of different combinations of 10-logging.conf settings. This is what I have currently (that does not work the way I want):

auth_verbose = yes
#auth_verbose_passwords = no
#auth_debug = yes
#auth_debug_passwords = no
#mail_debug = no

I *don't* want to see the passwords, either failed or successful. I just want to see failed logins for whatever reason and the IP they came from.

In /var/log/maillog I get lines like this:

Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user

When I had debugging turned on, I would get lines like this:

Sep 9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,62.128.300.94): lookup

but only for successful logins. The brute force attempts don't log like that:

Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user

No IP anywhere in that.

fail2ban seems to rely on the pop-login or imap-login lines to pull the IP from. I get an imap-login for my real logins:

Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=62.128.300.94, lip=204.152.189.165, mpid=20360, TLS

but no similar line for the failed logins.

So is this a dovecot logging configuration combination I need to find? Is it getting lost in pam? Is it specific to CentOS?
Any help appreciated - happy to read up on it myself, but would need a pointer, since the docs so far either assume I get an imap-login line for failed logins, which I don't, or they assume I just want to see the repeated attempts/passwords. Scott.
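The following is an added example, not code from the post or from Dovecot or fail2ban. It parses the two line shapes the post quotes from /var/log/maillog (auth-process lines of the form "driver(user[,ip]): message" and login-process lines carrying "rip="), counts failed attempts per source IP the way a fail2ban-style filter does, and separately reports failures that carry no IP at all, which is exactly the gap the post describes. The sample log is constructed with documentation (TEST-NET) addresses; the "Disconnected (auth failed, N attempts)" imap-login line is an assumption about a line shape Dovecot's login process emits and does not appear in the post, and only "unknown user" is treated as a failure message because that is the one the post shows.

```python
import re
from collections import Counter

# Constructed sample maillog (not the post's real log). Line shapes follow
# the ones quoted in the post; the last line is an assumed imap-login
# failure line and is not something the post shows.
SAMPLE_MAILLOG = """\
Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user
Sep 9 01:14:59 olive dovecot: auth: Debug: passwd(dbelan,192.0.2.10): lookup
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): lookup service=dovecot
Sep 16 00:02:57 olive dovecot: auth: Debug: pam(backup): #1/1 style=1 msg=Password:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
Oct 1 12:38:56 olive dovecot: imap-login: Login: user=<dbelan>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, mpid=20360, TLS
Oct 1 12:40:03 olive dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<backup>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
"""

IP = r'[0-9A-Fa-f:.]+'

# Login-process lines are the only ones in the post that carry rip=, and the
# ones a fail2ban-style filter keys on. "Login" is a success; the
# "Disconnected (auth failed, N attempts)" shape is an assumption (see lead-in).
LOGIN_RE = re.compile(
    r'dovecot: (?P<proc>imap-login|pop3-login): '
    r'(?P<event>Login|Disconnected \(auth failed, (?P<attempts>\d+) attempts\)): '
    r'user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>' + IP + r')'
)

# Auth-process lines: "driver(user[,ip]): message". The IP is only there when
# the auth process prints it after the username, as in the passwd() debug line
# quoted in the post; the pam() lines quoted there have no IP.
AUTH_RE = re.compile(
    r'dovecot: auth: (?P<debug>Debug: )?(?P<driver>[a-z-]+)\('
    r'(?P<user>[^,)]*)(?:,(?P<rip>' + IP + r'))?\): (?P<msg>.*)$'
)

# Only the failure message the post shows; other auth_verbose messages exist
# but are not assumed here.
FAILURE_PREFIXES = ('unknown user',)


def parse_line(line):
    """Return a dict for one dovecot auth/login event, or None for other lines.
    'failed' is True for a failed attempt; 'attempts' is how many it counts for."""
    m = LOGIN_RE.search(line)
    if m:
        failed = m.group('event') != 'Login'
        attempts = int(m.group('attempts')) if m.group('attempts') else 0
        return {'kind': 'login', 'user': m.group('user'), 'rip': m.group('rip'),
                'failed': failed, 'attempts': attempts}
    m = AUTH_RE.search(line)
    if m:
        # Debug lines describe the lookup, not its outcome, so never count them.
        failed = m.group('debug') is None and m.group('msg').startswith(FAILURE_PREFIXES)
        return {'kind': 'auth', 'user': m.group('user'), 'rip': m.group('rip'),
                'failed': failed, 'attempts': 1 if failed else 0}
    return None


def summarize(log_text, threshold=2):
    """Count failed attempts per source IP (what a ban decision needs) and,
    separately, failures that carry no IP, grouped by the user name tried."""
    by_ip = Counter()
    no_ip_by_user = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev['failed']:
            continue
        if ev['rip']:
            by_ip[ev['rip']] += ev['attempts']
        else:
            no_ip_by_user[ev['user']] += ev['attempts']
    bannable = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {'by_ip': by_ip, 'no_ip_by_user': no_ip_by_user, 'bannable': bannable}


if __name__ == '__main__':
    result = summarize(SAMPLE_MAILLOG)
    print('failed attempts by IP:', dict(result['by_ip']))
    print('failures with no IP, by user:', dict(result['no_ip_by_user']))
    print('IPs at or over threshold:', result['bannable'])
```

Run against the sample, the auth-process "unknown user" lines for marketing and backup land in the no-IP bucket, which is the situation the post describes: those lines can be counted but not attributed, so nothing can be banned from them. The only bannable address comes from the login-process line that carries rip=. Note that the auth-process and login-process lines describe the same underlying attempts, so a real filter should key on one shape, not add both together.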