I just enabled logging and realized that the default
permissions for the logging directory are set to 666.
Now, since the pop3 logs contain passwords, I deem
this to be a major security hole. Anyone having a
guest account or having even acquired non-root access
to my system would be able to extract account
information in the clear. 

I have set permissions on /var/MailRoot/logs to 600 -
I also recommend setting the sticky bit (chmod -t) in
order to prevent rogue intruders from deleting log
files they can't read, but know contain information
about their security violations.

Michael

--- "Seth A. Munroe"
<[EMAIL PROTECTED]> wrote:
> 
> there's a logs directory under the MailRoot. You
> have to enable logs with
> either a command line option or registry setting to
> get the logs. I saw the
> login attempts in the pop3- log.
> 
> The pop3 log seems to have 6 fields:
> 1 - hostname
> 2 - domain attempting to login to
> 3 - ip address of client attempting login
> 4 - date/time
> 5 - user ID
> 6 - password (as sent - so clear text if that's how
> client sent password)
> 
> Here's the link to starting up logging:
> http://www.xmailserver.org/Readme.html#command%20line
> 
> You need a value something like this:
> 
> -Mr 336  -Pl -Sl -Ql -Fl -Cl -Ll
> 
> That will turn on logging for all services and cycle
> a new log every 336
> hours.
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Michael Mehrle
> Sent: Monday, January 13, 2003 1:49 PM
> To: [EMAIL PROTECTED]
> Subject: [xmail] Re: lockout ip for bad passwords?
> 
> 
> 
> Where are those logs located? What's the best way to
> monitor those logs? I have not found any xmail
> compatible software that would allow me to monitor
> these types of activities from my Windows system at
> home.
> 
> Michael
> 
> 
> --- "Seth A. Munroe"
> <[EMAIL PROTECTED]> wrote:
> >
> > Is there a setting to lock out an IP address after a number of consecutive
> > failed logins?
> >
> > Someone was trying to guess passwords on my server last week
> > (unsuccessfully). When I went through the logs I saw 150 attempts in about a
> > 1 minute time span to guess the passwords. It tried 10 different common
> > account names each with 15 common passwords. I saw this by going through my
> > POP3 logs.
> >
> > What I'm looking for is a way to block logins from an ip that has issued
> > more than say 5 failed logins in a row - even if they were 5 attempts at
> > different accounts. It would be great if it could have a time period set on
> > it too - so it just disabled it for 15 minutes for example.
> >
> > -Seth
> >
> >
> > -
> > To unsubscribe from this list: send the line
> > "unsubscribe xmail" in
> > the body of a message to [EMAIL PROTECTED]
> > For general help: send the line "help" in the body
> > of a message to
> > [EMAIL PROTECTED]
> >
> 
> 
> 
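
Added example, not part of the thread and not XMail code: a small audit for the log directory discussed above, which holds POP3 logs with clear-text passwords. It lists entries that grant any access to group or other and tightens them to owner-only, using 700 on directories (the owner needs the x bit to enter them) and 600 on files. The default path is the one named in the post; the function names are hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not XMail code): audit and tighten a mail log directory.
# Default path is the one named in the post; function names are made up here.
LOGDIR="${LOGDIR:-/var/MailRoot/logs}"

# List entries under $1 that grant any bit to group or other.
# "-perm /077" (any of these bits set) is GNU find syntax; symlinks are
# skipped because their own mode bits are not used for access checks.
list_exposed() {
    find "$1" ! -type l -perm /077 -print
}

# Owner-only modes. Directories are changed one at a time ("\;") so each
# is made enterable before find descends into it; files are batched ("+").
harden_logdir() {
    find "$1" -type d -exec chmod 700 {} \; &&
    find "$1" -type f -exec chmod 600 {} +
}

# Return 0 when nothing is exposed, 1 when something is (offenders are
# printed on stderr), 2 when the directory could not be scanned.
audit_logdir() {
    exposed=$(list_exposed "$1") || return 2
    if [ -n "$exposed" ]; then
        printf 'accessible beyond the owner:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Usage: script check|fix [dir]
case "${1:-}" in
    check) audit_logdir "${2:-$LOGDIR}" ;;
    fix)   harden_logdir "${2:-$LOGDIR}" && audit_logdir "${2:-$LOGDIR}" ;;
esac
```

Log files written after a rotation get whatever mode the server process and its umask produce, so `check` is worth re-running on a schedule.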

