Dovecot + Additional Logging

knuckles
Junior Member
Posts: 12
Joined: 06 Jul 2007, 19:22
Location: Washington DC

Dovecot + Additional Logging

Post by knuckles »

Hello,

Thank you very much for this product. We recommend it to all of our customers who request a powerful firewall that is simple to manage. I have two feature requests -- please correct me if they are already within the product.

1) Dovecot support. We typically set up our dedicated servers using Fedora or CentOS. We install PureFTP to be compliant with CSF, but we require Dovecot for POP/IMAP for a few reasons. Adding support for this would allow our dedicated servers to be completely covered by CSF.

2) The ability to change where CSF/LFD logging is output to. Our syslog is generally saturated with hits. Perhaps a few configure lines that would allow certain output to be output to different log files.

Thanks!
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

csf and lfd don't log to syslog (only to /var/log/lfd.log). If you're referring to the kernel iptables logs, then that's controlled by your settings in /etc/syslog.conf and the kernel, not by csf.
knuckles
Junior Member
Posts: 12
Joined: 06 Jul 2007, 19:22
Location: Washington DC

Post by knuckles »

Chirpy,

Sorry for digging up an old thread. Thank you for your response. Are there any plans to add Dovecot to the services that LFD monitors? Dovecot is the only service that frequently gets dictionary attacked that LFD does not block. The failure line looks something like this by default on F7:

Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Aug 17 11:44:12 hostname dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sfdfsdf
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Thanks for those. I'll look at adding support for dovecot on the development list.
ajkessel
Junior Member
Posts: 15
Joined: 10 Jun 2007, 19:16

Ditto

Post by ajkessel »

dovecot/IMAP attacks are the most common unchecked brute force attacks we get. I would greatly appreciate a csf rule to block them. Thanks!
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

It will appear in csf v2.92 when it's released in the near future.
ajkessel
Junior Member
Posts: 15
Joined: 10 Jun 2007, 19:16

Wrong log file

Post by ajkessel »

It appears csf just checks /var/log/messages for dovecot aborted IMAP/POP messages; however, my dovecot logs to /var/log/imap.log. I think with others it logs to /var/log/mail.log. Can the correct log file be configured?
ajkessel
Junior Member
Posts: 15
Joined: 10 Jun 2007, 19:16

Maybe it is configured

Post by ajkessel »

Actually, on closer inspection, it looks like the source code *does* use whatever log file is specified for IMAP and POP daemon -- it is just the changelog entry that says /var/log/messages.
ajkessel
Junior Member
Posts: 15
Joined: 10 Jun 2007, 19:16

Not catching all dovecot attacks

Post by ajkessel »

I'm still getting a lot of dovecot attacks with the latest csf. I don't think it is recognizing all the various types of attacks.

E.g. -- these are in dovecot's log file:

dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:42 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=24.97.230.106, lip=72.1.169

these are in auth.log:

Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
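
The following Python is an added example, not csf/lfd's own matching code and not from any poster in this thread: it recognizes the Dovecot failure formats quoted in the posts above, normalizes the remote address, and counts failures per address. The function names and the threshold of 3 are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# The two families of failure lines quoted in this thread.
PATTERNS = [
    # Dovecot's own log: "pop3-login: Aborted login: ..., rip=ADDR, lip=..."
    re.compile(r"(?:pop3|imap)-login: Aborted login\b.*?\brip=([0-9A-Fa-f:.]+)"),
    # PAM through dovecot-auth, "(pam_unix)" and "pam_unix(dovecot:auth):" styles
    re.compile(r"dovecot-auth: .*authentication failure;.*\brhost=([0-9A-Fa-f:.]+)"),
]

# Lines copied from the posts above (the last lip= is truncated in the post).
SAMPLE = [
    "dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236",
    "dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236",
    "dovecot: 2007-12-06 20:48:42 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=24.97.230.106, lip=72.1.169",
    "Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown",
    "Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106",
    "Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106",
    "Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1",
]

def source_ip(line):
    """Return the normalized remote address of a failed login, or None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1).rstrip("."))
        except ValueError:
            return None  # hostname, truncated or malformed address
        # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) so one host is one key.
        return str(getattr(ip, "ipv4_mapped", None) or ip)
    return None  # e.g. "check pass; user unknown" carries no address

def offenders(lines, threshold=3):
    """Map address -> failure count for addresses at or above threshold."""
    counts = Counter()
    for line in lines:
        ip = source_ip(line)
        # Never count loopback: blocking it would cut off local webmail/proxies.
        if ip and not ipaddress.ip_address(ip).is_loopback:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Feeding it both Dovecot's own log and auth.log, as here, can count one attempt twice, so in practice pick the one file that carries the remote address for your setup.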