Dovecot + Additional Logging

Posted: 06 Jul 2007, 19:27
by knuckles
Hello,

Thank you very much for this product. We recommend it to all of our customers who request a powerful firewall that is simple to manage. I have two feature requests -- please correct me if they are already within the product.

1) Dovecot support. We typically set up our dedicated servers using Fedora or CentOS. We install PureFTP to be compliant with CSF, but we require Dovecot for POP/IMAP for a few reasons. Adding support for this would allow our dedicated servers to be completely covered by CSF.

2) The ability to change where CSF/LFD logging is output to. Our syslog is generally saturated with hits. Perhaps a few configure lines that would allow certain output to be output to different log files.

Thanks!

Posted: 13 Jul 2007, 10:10
by chirpy
csf and lfd don't log to syslog (only to /var/log/lfd.log). If you're referring to the kernel iptables logs, then that's controlled by your settings in /etc/syslog.conf and the kernel, not by csf.

Posted: 17 Aug 2007, 16:42
by knuckles
Chirpy,

Sorry for digging up an old thread. Thank you for your response. Are there any plans to add Dovecot to the services that LFD monitors? Dovecot is the only service that frequently gets dictionary attacked that LFD does not block. The failure line looks something like this by default on F7:

Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Aug 17 11:44:12 hostname dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sfdfsdf

Posted: 22 Aug 2007, 10:35
by chirpy
Thanks for those. I'll look at adding support for dovecot on the development list.

Ditto

Posted: 19 Nov 2007, 14:52
by ajkessel
dovecot/IMAP attacks are the most common unchecked brute force attacks we get. I would greatly appreciate a csf rule to block them. Thanks!

Posted: 19 Nov 2007, 17:58
by chirpy
It will appear in csf v2.92 when it's released in the near future.

Wrong log file

Posted: 22 Nov 2007, 15:32
by ajkessel
It appears csf just checks /var/log/messages for dovecot aborted IMAP/POP messages; however, my dovecot logs to /var/log/imap.log. I think with others it logs to /var/log/mail.log. Can the correct log file be configured?

Maybe it is configured

Posted: 22 Nov 2007, 15:37
by ajkessel
Actually, on closer inspection, it looks like the source code *does* use whatever log file is specified for IMAP and POP daemon -- it is just the changelog entry that says /var/log/messages.

Not catching all dovecot attacks

Posted: 07 Dec 2007, 02:24
by ajkessel
I'm still getting a lot of dovecot attacks with the latest csf. I don't think it is recognizing all the various types of attacks.

E.g. -- these are in dovecot's log file:

dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:42 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=24.97.230.106, lip=72.1.169

these are in auth.log:

Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
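The two log formats quoted in this thread (dovecot's own "Aborted login" lines with the client in rip=, and the PAM failures from dovecot-auth in syslog with the client in rhost=) are exactly what a login-failure detector has to recognise. The following Python checker is an added example, not csf/lfd's own code: it extracts the remote IP from both formats, folds the IPv4-mapped form (::ffff:a.b.c.d) seen on Fedora 7 into plain IPv4, counts failures per IP and flags those at or above a threshold. The sample log is constructed from the lines posted in this thread and the threshold of 5 is an assumption.

```python
import re
from collections import Counter

# Constructed sample input: the failure lines quoted in this thread (dovecot's own
# log first, then syslog auth.log lines, then the Fedora 7 style PAM line).
SAMPLE_LOG = """\
dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:42 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
"""

# Pattern 1: dovecot's login-process log ("Aborted login", remote IP in rip=).
ABORTED_RE = re.compile(r"\b(?:pop3|imap)-login: Aborted login:.*?\brip=([0-9A-Fa-f:.]+)")
# Pattern 2: PAM failures from dovecot-auth in syslog, covering both the "(pam_unix)"
# and the "pam_unix(dovecot:auth):" spellings; the remote host is in rhost=.
PAM_FAIL_RE = re.compile(r"dovecot-auth: .*authentication failure;.*?\brhost=([0-9A-Fa-f:.]+)")

def source_ip(line):
    """Return the remote IP of a failed Dovecot login, or None for non-matching lines."""
    m = ABORTED_RE.search(line) or PAM_FAIL_RE.search(line)
    if not m:
        return None
    ip = m.group(1)
    # IPv4 clients may be logged as IPv4-mapped IPv6; normalise so one client is not
    # counted under two spellings.
    if ip.lower().startswith("::ffff:"):
        ip = ip[7:]
    return ip

def failures_per_ip(log_text):
    """Count failed Dovecot logins per remote IP across both log formats."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip:
            counts[ip] += 1
    return counts

def offenders(log_text, threshold=5):
    """IPs whose failure count reaches the threshold (assumed value; the trigger a blocker acts on)."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in failures_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed logins")
    print("over threshold:", offenders(SAMPLE_LOG))
```

Note that the "check pass; user unknown" lines are deliberately ignored: each failed attempt already produces an "authentication failure" line, so counting both would double-count.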