[BlueOnyx:13103] Re: dovecot not registering with failed logins?

Gerald Waugh gwaugh at frontstreetnetworks.com
Fri May 24 11:06:37 -05 2013


/sbin/iptables -I INPUT -s 117.79.91.80 -d 0/0 -j DROP

On 05/24/2013 10:45 AM, Roy Urick wrote:
> Ran pam_abl. Doesn't make sense to me. I would expect the hits at the top 
> to register under failed hosts.
>
> May 24 11:26:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<vinnie at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:26:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<viola at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:26:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<violet at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:27:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<violeta at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:27:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<virgil at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:27:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<virginia at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:28:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<vivian at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:28:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<vivianne at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:28:49 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<vlad at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> lip=172.16.102.252
> May 24 11:29:09 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<vladimir at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:29:29 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<wade at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> lip=172.16.102.252
> May 24 11:29:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<walker at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:30:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<wallace at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:30:31 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<wally at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> May 24 11:30:51 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<walt at fire-house.net>, method=PLAIN, rip=117.79.91.80, 
> lip=172.16.102.252
> May 24 11:31:11 BlueOnyx dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<walter at fire-house.net>, method=PLAIN, 
> rip=117.79.91.80, lip=172.16.102.252
> ^C
> [root at BlueOnyx log]# pam_abl
> Failed users:
>      admin (3)
>          Not blocking
>      drew (6)
>          Not blocking
> Failed hosts:
>      gw.koorsen.com (3)
>          Not blocking
> [root at BlueOnyx log]#
>
> As a side note, my SonicWall is already set to "deny any" from that IP, but 
> traffic still flows.  grrr!
>
> On 5/24/2013 10:21 AM, Eric Peabody wrote:
>> Roy,
>>
>> Your server's settings will determine if this attack will be blocked.
>> Check under Security/Login Manager and see the Host rules.  They may
>> need to be adjusted.
>>
>> If that looks ok, try running pam_abl as root from the command line and
>> see if you get any errors.  If you do, you may need to delete the files
>> it uses.  If you delete the files, they will be recreated
>> automatically.  I mention this because I've seen these files become
>> corrupted and deleting them was the only fix I could find.
>>
>> Eric
>>
>> On 5/24/13 8:46 AM, Roy Urick wrote:
>>> During troubleshooting of a new server install, I noticed one single IP
>>> slowly doing a dictionary attack of sorts against pop. (one attempt
>>> every 30-6 seconds, user name is incrementing alphabetically)
>>>
>>> Even though I see all of these attempts from the one IP, that host isn't
>>> showing in the failed logins GUI. Normal?
>>> _______________________________________________
>>> Blueonyx mailing list
>>> Blueonyx at mail.blueonyx.it
>>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>


-- 
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428


