Re: [Dovecot] Dovecot won't stay running

2007-06-22 Thread Jon Slater
Jochen,

You are AWESOME!!!  Thank you!!!

Since I knew the exact time that the server died, I was able to find:

Jun 22 01:27:56 servername dovecot: Time just moved backwards by 37 seconds.
This might cause a lot of problems, so I'll just kill myself now.
http://wiki.dovecot.org/TimeMovedBackwards

I knew if I could find the logs, I'd figure it out!

Much appreciated!

Jon


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jochen Schulz
 Sent: Friday, June 22, 2007 7:48 AM
 To: dovecot@dovecot.org
 Subject: Re: [Dovecot] Dovecot won't stay running
 
 Jon Slater schrieb:
 
  So I got the same suggestion several times, and I upgraded to Dovecot 1.0.1.
 
  At 1:27am and again at 5:23am Dovecot stopped running.  My cron was able to
  restart the service in both instances, but how do I debug why this is
  happening?
 
 Take a look at http://wiki.dovecot.org. It contains useful instructions
 for debugging.
 
 J.
 



[Dovecot] Dovecot won't stay running

2007-06-21 Thread Jon Slater
This weekend I upgraded my OS from FC4 to FC6.  At the same time I updated
Dovecot from 0.99 to 1.0.0.

Now, dovecot periodically shuts off.

It will run fine for several hours then just dies.

Right now my solution is to run a cron every 5 minutes to see if it’s still
running, and if not, re-start it. 

I’m also having trouble finding any sort of meaningful logs to tell me
what’s going on.

Where should I start?

Thanks in advance!

Jon




[Dovecot] dovecot under attack

2007-06-16 Thread Jon Slater
Hi,

 

I’ve posted this before but no one was able to help.  I can’t figure out
what they are trying to do, and if I should be concerned.

 

I am running dovecot version 0.99.14 on Fedora Core 4.  It appears that my
dovecot server is under attack.  This morning in my system e-mail I saw
this:



 dovecot:

 Authentication Failures:

 rhost= : 23431 Time(s)

adm: 33 Time(s)

bin: 33 Time(s)

mail: 33 Time(s)

mysql: 21 Time(s)

nobody: 15 Time(s)

news: 14 Time(s)

operator: 8 Time(s)

sshd: 2 Time(s)

 Unknown Entries:

check pass; user unknown: 23431 Time(s)

 

But, when I check my log files I can’t find an IP address for the attacker.
So, for example, if I search my logs for “operator” I see:

./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user
pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user
pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user
pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user
pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user
pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user
pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user
pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user
pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=?
result=Authentication failure)'

 

I’ve checked my snmplog for port activity on port 110 (for POP3) and 143
(for IMAP), but I don’t see anything unusual.  I also systematically
filtered out everything I knew was okay (ssh and httpd).

 

Does anyone know what this is?  Or someone I could ask?

 

Thanks

 

Jon




[Dovecot] What are they trying to do here?

2007-05-30 Thread Jon Slater
Hi!

 

I’m new to the list, and I’m not really having a ‘problem’, but I’m seeing
something in my log files that I wonder if I should be concerned about.

 

I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel
2.6.17-1.2142_FC4) machine for quite some time.

 

For the last few days, I’ve been seeing this in my daily ‘Logwatch’ e-mail:

dovecot:

Authentication Failures:

rhost= : 139 Time(s)

   root: 13 Time(s)

Unknown Entries:

   check pass; user unknown: 139 Time(s)

 

So it looks pretty obvious that someone (using root and an assortment of
other login names) is trying to access my dovecot server.

 

My first ‘issue’ is I can’t find a log file anywhere that tells me the IP
address of the attacker.  I see a series of ‘authentication failure’
messages in my /log/messages file:

 

May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root

May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: check pass; user
unknown

May 29 21:23:35 mydomainname dovecot(pam_unix)[15318]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost= 

May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: check pass; user
unknown

May 29 21:23:36 mydomainname dovecot(pam_unix)[15320]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=

 

But I don’t find anything in any other log files to indicate where this is
coming from.

 

Secondly, I’m wondering if I have anything to be concerned about.

 

Thanks in advance for your help!

 

Jon
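
A tally of the kind of records quoted in the two posts above (2007-06-16 and 2007-05-30), as an added example that is not part of the original messages: it counts dovecot(pam_unix) failures per user and checks whether either the messages file or audit.log names a remote address, joining the two on the PID. The sample lines are constructed from the posts' excerpts with wrapped lines joined; the function and variable names are assumptions.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the excerpts quoted in the posts
# (wrapped lines joined; PID 15701 and its two lines are invented for the example).
MESSAGES = """\
Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
Jun 15 23:31:05 lambdacenter dovecot(pam_unix)[15701]: check pass; user unknown
Jun 15 23:31:05 lambdacenter dovecot(pam_unix)[15701]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""
AUDIT = """\
type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=? result=Authentication failure)'
type=USER_AUTH msg=audit(1181971862.772:156382): user pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe=/usr/libexec/dovecot/dovecot-auth (hostname=?, addr=?, terminal=? result=Authentication failure)'
"""

# rhost= may be empty and user= is absent when pam_unix did not recognise the account.
PAM_RE = re.compile(r"dovecot\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
                    r".*?rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?\s*$")
AUDIT_RE = re.compile(r"type=USER_AUTH .*? pid=(?P<pid>\d+) .*?addr=(?P<addr>[^,\s]+)")


def summarize(messages, audit):
    """Return (failures per user, failures per remote address) as Counters."""
    audit_addr = {m["pid"]: m["addr"]
                  for m in map(AUDIT_RE.search, audit.splitlines()) if m}
    per_user, sources = Counter(), Counter()
    for line in messages.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # e.g. the separate "check pass; user unknown" line
        per_user[m["user"] or "(unknown user)"] += 1
        # Prefer rhost from pam_unix; fall back to the audit record with the same PID.
        addr = m["rhost"] or audit_addr.get(m["pid"], "")
        sources[addr if addr not in ("", "?") else "(not recorded)"] += 1
    return per_user, sources


if __name__ == "__main__":
    users, sources = summarize(MESSAGES, AUDIT)
    print("failures per user:   ", dict(users))
    print("failures per address:", dict(sources))
```

On records shaped like these, every failure lands under "(not recorded)": the PAM layer was never handed a remote host, so neither log it feeds can identify the client.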

