[BlueOnyx:10114] Re: Dovecot error

Chuck Tetlow chuck at tetlow.net
Wed Apr 11 12:55:32 -05 2012


Check your /var/log/maillog and /var/log/secure files.  Your server may be under attack.  That's the same symptoms you get when someone is trying to guess user passwords with POP3.

You can also detect it by looking at "netstat -na | more" for a lot of port 110 connections coming from the same remote IP address.  And look at "ps ax | more" for a lot of "POP login" entries and "dovecot-auth" entries.  Either one will indicate a lot of POP authentication attempts, and enough of them fast enough will break the authentication mechanism.

If you do detect an attack, the first thing is to lock them out.  Use the firewall rule "iptables -I acctin 1 -s x.x.x.x/32 -j DROP" (replace the x.x.x.x with the IP of the attacker found in the logs or netstat output).  That will lock out that IP and end the attack.  That rule will go away the next time you reboot - but that's usually long enough for the script kiddies to move on to other targets.

After locking out an attacker, use the following commands to reset your POP and SMTP services:
service sendmail stop
service dovecot stop
killall -9 sendmail
killall -9 dovecot-auth
killall -9 pop3-login
service dbrecover stop
service auditd restart
service dbrecover start
service saslauthd restart
service dovecot start
service sendmail start

That should reset all services needed and get your users back in for their e-mail.

Chuck

---------- Original Message -----------
From: "Michael Aronoff" <maronoff at gmail.com> 
To: "BlueOnyx General Mailing List" <blueonyx at blueonyx.it> 
Sent: Wed, 11 Apr 2012 10:28:16 -0700 
Subject: [BlueOnyx:10113]  Dovecot error

> I am getting strange errors on just a couple of users when they try to check mail.
>  
> In the logs I see:
> Apr 11 09:15:26 tc auth: pam_succeed_if(dovecot:auth): error retrieving information about user aqua
>  
> If I reboot they can then check email for a while.
>  
> Has anyone seen this?
>  
> M Aronoff
------- End of Original Message -------
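The two checks Chuck describes (many port 110 connections from one remote IP in "netstat -na", and many POP authentication attempts in the logs) can be scripted so the counting is done per IP instead of by eye. The following is an added example, not code from the original post or from BlueOnyx; the netstat and maillog sample lines inside it are constructed for the demonstration (the Dovecot "Aborted login" line format and its rip= field are assumed to match the version on the box, so check one real failure line in /var/log/maillog before relying on the grep pattern).

```shell
#!/bin/sh
# Added example (not from the original post): count POP3 activity per remote IP
# from the two sources the reply names, "netstat -na" output and the Dovecot
# lines in /var/log/maillog. All sample data below is constructed; the IPs are
# from documentation ranges, not real hosts.

# pop3_connections_by_ip: read "netstat -na" output on stdin and print
# "<count> <remote-ip>" for every remote host connected to local port 110,
# busiest first. Field 4 is the local address, field 5 the foreign address;
# LISTEN sockets (foreign address "0.0.0.0:*") are skipped.
pop3_connections_by_ip() {
    awk '$1 == "tcp" && $4 ~ /:110$/ && $5 ~ /:[0-9]+$/ {
             ip = $5; sub(/:[0-9]+$/, "", ip); count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# failed_pop3_auth_by_ip: read maillog lines on stdin and print
# "<count> <remote-ip>" for pop3-login failures, taken from the rip= field.
# Assumed Dovecot log format; verify against a real line on your server.
failed_pop3_auth_by_ip() {
    grep 'pop3-login: Aborted login' \
        | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | awk '{ print $1, $2 }' | sort -rn
}

# flag_above: keep only "<count> <ip>" lines whose count reaches the threshold
# (default 20) and print just the IP, one per line.
flag_above() {
    awk -v t="${1:-20}" '$1 >= t { print $2 }'
}

# Constructed sample of "netstat -na": three POP3 connections from one host,
# one from another, plus an unrelated SMTP connection and the listening socket.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.10:110              203.0.113.5:51234           ESTABLISHED
tcp        0      0 192.0.2.10:110              203.0.113.5:51235           ESTABLISHED
tcp        0      0 192.0.2.10:110              203.0.113.5:51236           TIME_WAIT
tcp        0      0 192.0.2.10:110              198.51.100.7:40001          ESTABLISHED
tcp        0      0 192.0.2.10:25               198.51.100.9:33000          ESTABLISHED
EOF
}

# Constructed sample of maillog lines: three failures from one IP against
# different usernames, the pam_succeed_if line from the original post, and
# one successful login that must not be counted.
sample_maillog() {
    cat <<'EOF'
Apr 11 09:15:20 tc dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<aqua>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Apr 11 09:15:21 tc dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Apr 11 09:15:22 tc dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Apr 11 09:15:26 tc auth: pam_succeed_if(dovecot:auth): error retrieving information about user aqua
Apr 11 09:15:30 tc dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
EOF
}

# Usage on a live server (default threshold of 20):
#   netstat -na | pop3_connections_by_ip | flag_above
#   failed_pop3_auth_by_ip < /var/log/maillog | flag_above
# Each IP printed is a candidate for the DROP rule given in the reply.
```

Run both checks before deciding on a threshold: a busy mail client polling every minute can legitimately show a handful of port 110 connections, while a guessing run shows dozens of connections and failures against many different usernames from the same rip= address in a short window.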
 

