[BlueOnyx:11277] Re: show all login failures?

Michael Stauber mstauber at blueonyx.it
Wed Sep 5 10:37:39 -05 2012


Hi Roy,

> We started seeing the host blocks kick in yesterday against the IP of
> our corporate firewall.
> 
> At first we thought it was the conversion we are doing and that the
> server running popcon was causing failures due to accounts with bad
> passwords. However when I tail the maillog and grep for “(auth failed”
> the number of failures doesn’t match the failure count on the server
> gui. The server is reporting approximately 2-3 failed logins for every
> auth failed line we see in the maillog.
> 
> I have dug around the other logfiles in that directory and don’t see any
> other failed login references. Also the gui doesn’t seem to pace the
> errors in maillog exactly as its incrementing faster than the logfile.
> 
> Where else do I look to figure out what could be causing the login failures?

Yeah, /var/log/secure (as Gerald suggested) is another place to check.

The thing here is that pam_abl ties into the authentication mechanism.
So you see only the failed logins that reach PAM and are recorded there.

Additionally Dovecot itself does some caching for login credentials and
has its own brute force detection mechanism, which will block repeated
failed login attempts eventually.

It is sometimes not clear at which stage the cache, the dovecot blocking
and the PAM_ABL related blocking may kick in. That also depends on the
login behavior of the attacker, or if it is a distributed attack from
several different IPs.

When in doubt, restart Dovecot, which will temporarily clear the cache
and any temporary blocks that Dovecot itself set up while it was running.

-- 
With best regards

Michael Stauber
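An added example (not part of this thread, and not BlueOnyx or Dovecot code) showing how a defender could reconcile the "auth failed" lines in the maillog with the PAM failures recorded in /var/log/secure per source IP. Two things it assumes: the Dovecot 2.x disconnect line carries an attempt count ("auth failed, N attempts in M secs"), so one maillog line can stand for several failed logins, and pam_unix logs each failure separately with "rhost=". The sample log lines, hostnames and IPs below are constructed for the example; the exact formats on a given server should be checked against its own logs.

```python
import re
from collections import Counter

# Constructed sample maillog lines (Dovecot 2.x-style format assumed, not real data).
MAILLOG = """\
Sep  5 10:12:01 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Sep  5 10:12:20 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): rip=203.0.113.9, lip=192.0.2.10
Sep  5 10:13:05 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Sep  5 10:14:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
"""

# Constructed sample /var/log/secure lines (pam_unix format assumed, not real data).
SECURE = """\
Sep  5 10:11:55 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
Sep  5 10:11:58 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
Sep  5 10:12:00 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
Sep  5 10:13:01 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
Sep  5 10:13:04 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7
Sep  5 10:13:59 mail dovecot: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=203.0.113.9
"""

# One Dovecot disconnect line may summarise several attempts; capture both the count and the remote IP.
DOVECOT_RE = re.compile(r"auth failed, (\d+) attempts.*?rip=([\d.]+)")
# pam_unix records one line per failed authentication, keyed by rhost.
PAM_RE = re.compile(r"authentication failure;.*?rhost=([\d.]+)")


def dovecot_failures(lines):
    """Return (lines_per_ip, attempts_per_ip) from maillog 'auth failed' lines."""
    line_count, attempt_count = Counter(), Counter()
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            attempts, ip = int(m.group(1)), m.group(2)
            line_count[ip] += 1
            attempt_count[ip] += attempts
    return line_count, attempt_count


def pam_failures(lines):
    """Return failures_per_ip from /var/log/secure pam_unix lines."""
    count = Counter()
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            count[m.group(1)] += 1
    return count


def reconcile(maillog_text, secure_text):
    """Per source IP: how many maillog lines, how many attempts those lines
    represent, and how many PAM failures were logged. A gap between
    'dovecot_lines' and 'pam_failures' is expected when Dovecot folds several
    attempts into one disconnect line; a gap between 'dovecot_attempts' and
    'pam_failures' points at failures that never reached PAM (or vice versa)."""
    dv_lines, dv_attempts = dovecot_failures(maillog_text.splitlines())
    pam = pam_failures(secure_text.splitlines())
    report = {}
    for ip in sorted(set(dv_lines) | set(pam)):
        report[ip] = {
            "dovecot_lines": dv_lines[ip],
            "dovecot_attempts": dv_attempts[ip],
            "pam_failures": pam[ip],
            "unexplained": dv_attempts[ip] - pam[ip],
        }
    return report


if __name__ == "__main__":
    for ip, row in reconcile(MAILLOG, SECURE).items():
        print(ip, row)
```

Counting "auth failed" lines alone (as with a plain grep) undercounts when Dovecot reports several attempts per disconnect, which is one reason a GUI counter fed by PAM can climb faster than the maillog line count. Run against the real files, the two columns should be compared per IP rather than as totals, since a distributed source will spread the same user's failures across many addresses.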
