[BlueOnyx:13101] Re: dovecot not registering with failed logins?

Roy Urick rurick at usa.net
Fri May 24 10:45:17 -05 2013


Ran pam_abl. Doesn't make sense to me. I would expect the hits at the top
to register under failed hosts.

May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vinnie at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<viola at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<violet at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:27:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<violeta at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<virgil at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:27:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<virginia at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:28:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vivian at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:28:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vivianne at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:28:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vlad at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:29:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vladimir at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:29:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wade at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:29:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<walker at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:30:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wallace at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:30:31 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wally at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:30:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<walt at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
May 24 11:31:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<walter at fire-house.net>, method=PLAIN, rip=117.79.91.80, lip=172.16.102.252
^C
[root at BlueOnyx log]# pam_abl
Failed users:
     admin (3)
         Not blocking
     drew (6)
         Not blocking
Failed hosts:
     gw.koorsen.com (3)
         Not blocking
[root at BlueOnyx log]#

As a side note, my SonicWall is already set to "deny any" from that IP, but
traffic still flows. Grrr!

On 5/24/2013 10:21 AM, Eric Peabody wrote:
> Roy,
>
> Your server's settings will determine if this attack will be blocked.
> Check under Security/Login Manager and see the Host rules.  They may
> need to be adjusted.
>
> If that looks ok, try running pam_abl as root from the command line and
> see if you get any errors.  If you do, you may need to delete the files
> it uses.  If you delete the files, they will be recreated
> automatically.  I mention this because I've seen these files become
> corrupted and deleting them was the only fix I could find.
>
> Eric
>
> On 5/24/13 8:46 AM, Roy Urick wrote:
>> During troubleshooting of a new server install, I noticed one single IP
>> slowly doing a dictionary attack of sorts against POP (one attempt
>> every 30-6 seconds, user name is incrementing alphabetically).
>>
>> Even though I see all of these attempts from the one IP, that host isn't
>> showing in the failed logins GUI. Normal?
>> _______________________________________________
>> Blueonyx mailing list
>> Blueonyx at mail.blueonyx.it
>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
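The pattern in Roy's log is one failure per connection, each against a different username, roughly every 20 seconds. A per-user counter like the one in the pam_abl output ("drew (6)") never trips on that, because no single user accumulates failures; only a per-remote-IP count across all users does. The script below, an added example rather than anything from the thread or from BlueOnyx/pam_abl, parses Dovecot "auth failed" lines and flags any remote IP whose failures across all usernames exceed a threshold inside a sliding window. The log lines in it are constructed in the format Dovecot actually writes (`user=<name@domain>`; the list archive rewrote "@" as " at "), using documentation addresses, and the threshold, window and year are assumptions you would tune to your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): one "low and slow" enumerator
# from 203.0.113.5 trying a new user every 20 s, one ordinary typo from
# 198.51.100.7, and a successful login that the parser must ignore.
SAMPLE_LOG = """\
May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vinnie@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<viola@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<violet@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:27:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<violeta@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<virgil@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:27:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<virginia@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:28:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vivian@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:28:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<vivianne@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
May 24 11:35:02 BlueOnyx dovecot: pop3-login: Login: user=<drew@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
May 24 11:40:00 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<admin@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
"""

# Matches Dovecot's pop3-login / imap-login "Disconnected (auth failed, N attempts)" line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<svc>\w+-login): "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+)"
)


def parse_failures(text, year=2013):
    """Return one dict per auth-failure line; other lines are skipped.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "rip": m["rip"],
                       "attempts": int(m["attempts"])})
    return events


def hosts_over_threshold(events, window=timedelta(minutes=30), max_failures=5):
    """Flag each remote IP whose failures, summed over ALL usernames, exceed
    max_failures within any sliding window of the given length.

    Counting per host rather than per user is what catches one IP rotating
    through a user list with a single failure each.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["rip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            failures = sum(e["attempts"] for e in win)
            if failures > max_failures:
                gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(win, win[1:])]
                flagged[ip] = {
                    "failures": failures,
                    "distinct_users": len({e["user"] for e in win}),
                    "first": win[0]["ts"],
                    "last": win[-1]["ts"],
                    # A large, regular interval with many distinct users is the
                    # low-and-slow signature; a burst from one user is a different case.
                    "mean_interval_s": sum(gaps) / len(gaps) if gaps else 0.0,
                }
                break  # one report per IP is enough
    return flagged


if __name__ == "__main__":
    for ip, info in hosts_over_threshold(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} users, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, "
              f"mean gap {info['mean_interval_s']:.0f}s")
```

Running it on the sample reports only 203.0.113.5: it trips on its sixth failure, six distinct users, a 20-second mean gap. The single two-attempt failure from 198.51.100.7 stays under the threshold. Pointed at /var/log/maillog (or wherever the server's Dovecot output lands), this gives the per-host view that Roy expected to see under "Failed hosts", independently of whether the login-manager component on the box ever saw those failures.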



