LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
04-07-2008, 04:09 AM   #1
3dMaster (LQ Newbie, Registered: Jan 2008, Posts: 23)
Strange dovecot logs (check pass; user unknown)


Hi all,
I have a strange problem with my mail server. It has been more than a week now since I noticed a strange kind of error in the dovecot logs.
There are many of these:

Apr 7 10:42:37 host1 dovecot(pam_unix)[4339]: check pass; user unknown
Apr 7 10:42:37 host1 dovecot(pam_unix)[4339]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

It seems like someone is trying to guess a password, but for which user?
It is almost surely an automated program because it tries every 3 or 4 seconds.
There are about 500 of these errors a day (most of the time 468...)

How can I increase the logging level for this application?
I tried to enable all verbose options in /etc/dovecot.conf, but I would at least like to see which IP address they come from.
Maybe somewhere in pam.d; I don't know it very well.

Does no one else have this kind of error?
Thank you in advance

Last edited by 3dMaster; 04-07-2008 at 04:32 AM.
 
04-11-2008, 07:42 AM   #2
unSpawn (Moderator, Registered: May 2001, Posts: 29,415, Blog Entries: 55)
Looking around I can find only two situations for which the "servicename (pam_unix)[PID]: check pass; user unknown" is valid: using an old PAM version or if the PAM stack involves auth retrieving credentials from a database before hitting pam_unix.

If that doesn't apply to you, the config and log examples show dovecot can log to several logfiles (depending on its config and syslog config), so maybe you haven't checked other logs like auth or maillog?

If that doesn't apply to you and you can't extract more info from Dovecot logging or syslog, then from a network point of view packets hit the interface and traverse Netfilter before hitting the application, so you can use tcpdump to capture packets (with a BPF filter to make it log less) or, better, use iptables rules to single out, log and block offending IP addresses: check out the "recent" module.
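The iptables "recent" approach suggested above, written out as an added example (this is not code from the thread or from Dovecot). It puts a small guard chain in front of the POP3/IMAP ports, logs the source address once an address exceeds a threshold of new connections, and then drops it; the port list, chain name, thresholds and the IPT variable are assumptions, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: rate-limit repeated
# new connections to the Dovecot ports with the iptables "recent" module and
# log the source address, which the PAM line leaves blank (rhost=).
# IPT, the port list, the chain name and the thresholds are assumptions;
# IPT=echo prints the rules instead of applying them (dry run).

IPT="${IPT:-iptables}"
PORTS="${DOVECOT_PORTS:-110,143,993,995}"   # POP3, IMAP, IMAPS, POP3S (assumed)
HITS="${HITS:-10}"       # more than HITS new connections from one address ...
WINDOW="${WINDOW:-60}"   # ... within WINDOW seconds gets logged and dropped

dovecot_recent_rules() {
    # Own chain, so the guard can be flushed without touching the rest of INPUT.
    "$IPT" -N DOVECOT_GUARD 2>/dev/null || "$IPT" -F DOVECOT_GUARD
    # Record every new connection attempt in the "dovecot" recent list.
    "$IPT" -A DOVECOT_GUARD -m recent --name dovecot --set
    # Over the threshold: log the packet (rate-limited so the log cannot flood).
    # --update also refreshes the entry, so an address that keeps trying stays blocked.
    "$IPT" -A DOVECOT_GUARD -m recent --name dovecot --update \
        --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-prefix "DOVECOT_GUARD: " --log-level 4
    # ... and drop it.
    "$IPT" -A DOVECOT_GUARD -m recent --name dovecot --rcheck \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    "$IPT" -A DOVECOT_GUARD -j RETURN
    # Send only new TCP connections to the mail ports through the guard chain.
    "$IPT" -I INPUT -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j DOVECOT_GUARD
}

# Apply only when asked to, so sourcing or syntax-checking the file changes nothing.
if [ "${1:-}" = "apply" ]; then
    dovecot_recent_rules
fi
```

Run it as root with `sh dovecot_guard.sh apply`, or `IPT=echo sh dovecot_guard.sh apply` to preview the rules first. Matches land in the kernel log (dmesg, or wherever syslog puts kern messages) with the `DOVECOT_GUARD:` prefix and a `SRC=` field, which is exactly the information the PAM line lacks; the addresses currently tracked can be read from /proc/net/xt_recent/dovecot (older kernels used /proc/net/ipt_recent/). Note that a local process connecting over the loopback interface is counted too and shows up as `SRC=127.0.0.1`, which by itself answers the question of whether the source is local.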
 
04-14-2008, 03:55 AM   #3
3dMaster (LQ Newbie, Registered: Jan 2008, Posts: 23, Original Poster)
Well, my PAM is indeed an old version, something like 0.77, but I use passwd for the authentication, so the first should not apply to my situation.

From the network point of view, when these errors appear, there seems to be no strange connection from outside, except for the usual office or other well-known IP addresses. I checked the firewall logs, but I will also try tcpdump.

In the end I suspect it is a local process, but I cannot find it because when I see the error log it immediately disappears...

Is there a way to catch the PID and have useful information, or do I have to write a script for this?
 
04-14-2008, 07:24 AM   #4
unSpawn (Moderator, Registered: May 2001, Posts: 29,415, Blog Entries: 55)
Quote:
Originally Posted by 3dMaster
In the end I suspect it is a local process, but I cannot find it because when I see the error log it immediately disappears...
Is there a way to catch the PID and have useful information, or do I have to write a script for this?

AFAIK there is no link between network connections and local processes other than the kernel provides through /proc/net/netstat (netstat, fuser, lsof, sockstat). Using an in-kernel tracer like Syscalltrace (2.4-only), LTT or Systemtap may be too invasive, Auditd (-S socketcall) can't log network details, and matching PIDs to network connections won't work (AFAIK) with either PAM or tcpdump. While I could easily be missing something easy to use (like something to LD_PRELOAD), I think most tools are either not interested in (or too high or too low in the stack for) matching PIDs with connections or won't log all the details you would like. Meaning you'll be limited to pinpointing by recurrence, the 468 times per day you described...

Two of the easiest things I can think of right now could be either using the iptables "owner" module (if not by filtering directly then by indirectly filtering out all users, processes or session IDs that aren't suspected; beware it may be a process over the loopback device, and you should set the scope of logging to port and address to avoid a logging avalanche) or something with PAM (maybe running the stack with debug on, or a PAM_script only if it can determine the PID, could help). OTOH if your stuff is "old" then maybe upgrading (see changelogs), reviewing your Dovecot logging options and any cronjobs (recurrence once per three-ish minutes?) could save time TS'ing this...
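The "pinpoint by recurrence" idea from the reply above, as an added example (this is a shell/awk script written for this page, not code from the thread). It turns a daily count into an expected interval (468 events per day works out to one every 185 seconds, i.e. roughly every three minutes) and measures the gaps between consecutive "check pass; user unknown" lines: a near-constant gap points at a scheduled local job, uneven bursts at something interactive or remote. The log lines are constructed after the format shown in the first post; the JITTER tolerance is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: measure the cadence of the
# "check pass; user unknown" lines to tell a scheduled local job (regular,
# cron-like interval) from an interactive or remote guesser (irregular bursts).
# Timestamps are the syslog "Mon D HH:MM:SS" form shown in the thread; the
# sample lines below are constructed, and JITTER (seconds) is an assumption.

# Expected interval in seconds for a given number of events per day.
daily_to_interval() {
    awk -v n="$1" 'BEGIN { printf "%.0f\n", 86400 / n }'
}

# Read syslog lines on stdin, keep the PAM "user unknown" ones, and report
# the count, mean/min/max gap between consecutive events, and a verdict.
pam_unknown_cadence() {
    grep 'check pass; user unknown' | awk -v jitter="${JITTER:-5}" '
    {
        split($3, t, ":")                        # $3 is HH:MM:SS
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        if (n > 0) {
            d = secs - prev
            if (d < 0) d += 86400                # crossed midnight
            sum += d
            if (n == 1 || d < min) min = d
            if (n == 1 || d > max) max = d
        }
        prev = secs
        n++
    }
    END {
        if (n < 2) { print "events=" n " (need at least 2)"; exit }
        verdict = (max - min <= 2 * jitter) ? "regular(cron-like)" : "irregular"
        printf "events=%d mean=%.1f min=%d max=%d verdict=%s\n", n, sum / (n - 1), min, max, verdict
    }'
}

# Constructed sample: the PAM pair from the first post repeating every ~185 s,
# which is the gap that 468 events per day works out to.
sample_log() {
    cat <<'EOF'
Apr  7 10:42:37 host1 dovecot(pam_unix)[4339]: check pass; user unknown
Apr  7 10:42:37 host1 dovecot(pam_unix)[4339]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  7 10:45:42 host1 dovecot(pam_unix)[4361]: check pass; user unknown
Apr  7 10:45:42 host1 dovecot(pam_unix)[4361]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  7 10:48:46 host1 dovecot(pam_unix)[4390]: check pass; user unknown
Apr  7 10:48:46 host1 dovecot(pam_unix)[4390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  7 10:51:51 host1 dovecot(pam_unix)[4412]: check pass; user unknown
Apr  7 10:51:51 host1 dovecot(pam_unix)[4412]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
EOF
}

# Constructed counter-example: a short burst with uneven gaps.
sample_log_irregular() {
    cat <<'EOF'
Apr  7 10:42:37 host1 dovecot(pam_unix)[4339]: check pass; user unknown
Apr  7 10:42:40 host1 dovecot(pam_unix)[4340]: check pass; user unknown
Apr  7 10:42:44 host1 dovecot(pam_unix)[4342]: check pass; user unknown
Apr  7 10:43:30 host1 dovecot(pam_unix)[4351]: check pass; user unknown
EOF
}

if [ "$#" -eq 0 ]; then
    echo "468/day -> one event every $(daily_to_interval 468) s"
    sample_log | pam_unknown_cadence              # demo on the constructed sample
elif [ -r "$1" ]; then
    pam_unknown_cadence < "$1"                    # e.g. /var/log/auth.log or maillog
fi
```

Without arguments the script analyses the constructed sample; given a path it reads that log instead. Seconds are computed within the day only (syslog timestamps carry no year), so run it over one day's worth of lines at a time. A regular verdict is the cue to look at crontab entries and the PAM debug option; an irregular one makes the network-side logging from the earlier reply the better next step.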
 
  


