• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Log password failures

DEEPAK MHATRE

New Pleskian
I have installed fail2ban on plesk Linux server using Postfix and dovecot

I want to know which email id is sending wrong password , below is current log

Feb 26 18:34:48 linux dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, session=<LPCc8ass/QByj8TP>

We have enabled following in dovecot.conf but still it is not showing email id which is failing

auth_verbose = yes
auth_debug = yes

Do we have to enable auth_debug_passwords = yes
 
The user they are submitting would be here 'user=<>' and as there is nothing between the brackets it indicates the mail client isn't supplying the username in which case you only have the IP address to track it down by. Enabling debug mode won't help as its never supplied. Hope that helps.
 
I could manage to get login name of user whose email client sending wrong password by enabling line below line in /etc/dovecot/dovecot.conf

auth_verbose = yes

enable auth_debug_passwords = yes is not necessarry
 
In this case there's probably no login name to log, the client is probably misconfigured. Or it may as well be a malicious bot, but if the bot tries to brute-force into your server you should see "Aborted login" instead of Disconnected". Here the client connects to the pop3 port but may not send any protocol specific command, just disconnects 2 seconds later. For example:
1. On the client I run:
echo "" | nc localhost 110
+OK Dovecot ready.
-ERR Unknown command.
2. On the server (same machine) I get:
May 11 16:57:11 centos6xen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<elkIjYsypAAAAAAAAAAAAAAAAAAAAAAB>
The could be several reasons for this type of log entries, you shouldn't get fail2ban to match the empty user without doing some more analysis. We've seen plenty of occasions where the empty Dovecot login is caused by misconfigured legitimate clients.
 
Back
Top