[BlueOnyx:11278] Re: show all login failures?

Roy Urick rurick at usa.net
Wed Sep 5 10:55:06 -05 2012


That would make sense. We also have users who, even after repeatedly changing both their mailbox and Outlook passwords to verify they are correct, still can't pop mail. But they can log in via openwebmail.

I'll restart dovecot and see if that helps. 



Sent from my iPhone

On Sep 5, 2012, at 11:37 AM, Michael Stauber <mstauber at blueonyx.it> wrote:

> Hi Roy,
> 
>> We started seeing the host blocks kick in yesterday against the IP of
>> our corporate firewall.
>> 
>> At first we thought it was the conversion we are doing and that the
>> server running popcon was causing failures due to accounts with bad
>> passwords. However when I tail the maillog and grep for “(auth failed”
>> the number of failures doesn’t match the failure count on the server
>> gui. The server is reporting approximately 2-3 failed logins for every
>> auth failed line we see in the maillog.
>> 
>> I have dug around the other logfiles in that directory and don’t see any
>> other failed login references. Also the gui doesn’t seem to pace the
>> errors in maillog exactly as it's incrementing faster than the logfile.
>> 
>> Where else do I look to figure out what could be causing the login failures?
> 
> Yeah, /var/log/secure (as Gerald suggested) is another place to check.
> 
> The thing here is that pam_abl ties into the authentication mechanism.
> So you see only the failed logins that reach PAM and are recorded there.
> 
> Additionally Dovecot itself does some caching for login credentials and
> has its own brute force detection mechanism, which will block repeated
> failed login attempts eventually.
> 
> It is sometimes not clear at which stage the cache, the dovecot blocking
> and the PAM_ABL related blocking may kick in. That also depends on the
> login behavior of the attacker, or if it is a distributed attack from
> several different IPs.
> 
> When in doubt, restart Dovecot, which will temporarily clear the cache
> and any temporal blocks that Dovecot itself set up while it was running.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
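
An added example, not part of the original thread or of BlueOnyx: one way to compare the "(auth failed" lines in maillog with the PAM failures in /var/log/secure per source IP, counting the attempts each maillog line reports rather than the lines themselves. The two log formats, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed formats: Dovecot "Disconnected (auth failed, N attempts ...)" lines in
# maillog, pam_unix "authentication failure" lines in /var/log/secure.
DOVECOT_RE = re.compile(r"\(auth failed, (\d+) attempts?[^)]*\).*?\brip=([0-9a-fA-F.:]+)")
PAM_RE = re.compile(r"pam_\w+\(dovecot:auth\): authentication failure;.*?\brhost=(\S+)")

def reconcile(maillog_lines, secure_lines):
    """Per source IP: maillog lines, attempts summed from them, PAM failures."""
    stats = defaultdict(lambda: {"lines": 0, "attempts": 0, "pam": 0})
    for line in maillog_lines:
        m = DOVECOT_RE.search(line)
        if m:  # one log line may cover several failed attempts
            stats[m.group(2)]["lines"] += 1
            stats[m.group(2)]["attempts"] += int(m.group(1))
    for line in secure_lines:
        m = PAM_RE.search(line)
        if m:
            stats[m.group(1)]["pam"] += 1
    return dict(stats)

# Constructed sample data (documentation addresses), not taken from the thread.
def _dovecot(svc, detail, user, ip):
    return (f"Sep  5 10:01:02 mail dovecot: {svc}-login: Disconnected ({detail}): "
            f"user=<{user}>, method=PLAIN, rip={ip}, lip=192.0.2.5")

def _pam(user, ip):
    return ("Sep  5 10:01:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication "
            f"failure; logname= uid=0 euid=0 tty=dovecot ruser={user} rhost={ip}  user={user}")

SAMPLE_MAILLOG = [
    _dovecot("pop3", "auth failed, 3 attempts", "alice", "203.0.113.10"),
    _dovecot("pop3", "auth failed, 2 attempts in 6 secs", "bob", "203.0.113.10"),
    _dovecot("imap", "auth failed, 1 attempts", "carol", "198.51.100.7"),
    "Sep  5 10:02:30 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5",
]
SAMPLE_SECURE = ([_pam("alice", "203.0.113.10")] * 3 + [_pam("bob", "203.0.113.10")] * 2
                 + [_pam("carol", "198.51.100.7")]
                 + ["Sep  5 10:03:00 mail sshd[411]: Accepted password for admin from 192.0.2.50 port 50000 ssh2"])

if __name__ == "__main__":
    for ip, s in sorted(reconcile(SAMPLE_MAILLOG, SAMPLE_SECURE).items()):
        print(f"{ip:15} maillog_lines={s['lines']} attempts={s['attempts']} pam_failures={s['pam']}")
```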



