PROPOSAL: New signature for Dovecot

Issue #107 open
Gerard Seibert created an issue

SSHguard 2.2.0 FreeBSD 12.0 Dovecot 2.3.4

The following are examples from the dovecot log that are never caught by sshguard.

Dec 20 22:05:28 pop3-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 22:05:28 pop3-login: Info: Disconnected (auth failed, 1 attempts in 0 secs): user=<test2@seibercom.net>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 23:03:03 pop3-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<QzrmUoB9SJi5ZFf6>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS handshaking: Connection closed, session=<PZjuUoB9qJ+5ZFf6>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS, session=<a075UoB9CqC5ZFf6>

I wrote my own script that catches these attempts, extracts the IPs and inserts them into IPFW. I feel that sshguard should be able to handle these though.

Comments (3)

  1. Kevin Zheng
    • changed status to open

    Agreed. Do you think it's better to match against the "Login failed" or "Disconnected..." messages? It looks like the former generates one of the latter, but there are more related to "no auth attempts," but "Disconnected" could also probably lead to some false positives.

  2. Darrin Smart

    In addition to the above: The log text has changed in recent Dovecot versions. “Aborted login” is now “Aborted login by logging out”. See https://github.com/dovecot/core/commit/de71b89e5481eb2b37b31dede50c884b309d884b

    On my system the entries now look like

      imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<david>, method=PLAIN, rip=10.1.2.3, lip=172.30.0.20, TLS, session=<dSomHo/ca+RUXHmr>

    Also, in my case “Info:” is replaced by “Disconnected” here. I’m not sure if it is actually replaced or if something else toggles the “Info:” prefix.

    I’m using Dovecot 2.3.18-4
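An added example (not code from sshguard or Dovecot) showing how a signature for the lines quoted in this issue could work: it matches the 2.3.4 "Info:" wording and the newer "Disconnected: Aborted login by logging out" wording, reconciles the "Login failed" and "Disconnected (auth failed ...)" lines of one session by session id so they are not double-counted, and deliberately does not block on "no auth attempts" lines, which is the false-positive concern raised in comment 1. The sample input reuses the log lines quoted above as constructed test data; the regexes and function names are my own.

```python
import re
from collections import Counter

# Constructed test data: the lines quoted in this issue, the last one in the
# Dovecot 2.3.18 wording that has no "Info:" prefix.
SAMPLE_LOG = """\
Dec 20 22:05:28 pop3-login: Info: Login failed: Plaintext authentication disabled: user=<>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 22:05:28 pop3-login: Info: Disconnected (auth failed, 1 attempts in 0 secs): user=<test2@seibercom.net>, rip=198.27.127.44, lip=192.168.0.101, session=<0bf0hH99pMHGG38s>
Dec 20 23:03:03 pop3-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<QzrmUoB9SJi5ZFf6>
Dec 20 23:03:04 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.100.87.250, lip=192.168.0.101, TLS, session=<a075UoB9CqC5ZFf6>
imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<david>, method=PLAIN, rip=10.1.2.3, lip=172.30.0.20, TLS, session=<dSomHo/ca+RUXHmr>
"""

# A genuine authentication failure in either wording. The optional "Info:" and
# the "Disconnected:"/"Aborted login by logging out" text are absorbed by ".*?".
# "no auth attempts" lines are intentionally not matched here: TLS probes and
# port scanners produce them without ever sending credentials.
AUTH_FAIL_RE = re.compile(
    r"[a-z0-9]+-login: .*?"
    r"(?:Login failed:|\(auth failed, (?P<n>\d+) attempts? in \d+ secs\)).*?"
    r"\brip=(?P<rip>[0-9A-Fa-f.:]+).*?session=<(?P<sid>[^>]+)>"
)
NO_AUTH_RE = re.compile(
    r"[a-z0-9]+-login: .*?\(no auth attempts in \d+ secs\).*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def failed_attempts_per_ip(lines):
    """Sum failed login attempts per remote IP (rip=), keyed by Dovecot session
    so that the 'Login failed' line and the 'Disconnected (auth failed, N
    attempts ...)' line of the same session are reconciled, not double-counted."""
    per_session = {}  # session id -> (rip, attempts seen so far)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        rip, prev = per_session.get(m["sid"], (m["rip"], 0))
        # Each "Login failed" line is one attempt; a "Disconnected" line carries the total.
        n = int(m["n"]) if m["n"] else prev + 1
        per_session[m["sid"]] = (rip, max(prev, n))
    counts = Counter()
    for rip, n in per_session.values():
        counts[rip] += n
    return counts


def probe_ips(lines):
    """IPs that only produced 'no auth attempts' disconnects: worth logging, not blocking."""
    return {m["rip"] for m in map(NO_AUTH_RE.search, lines) if m}
```

On the sample above this yields one attempt for 198.27.127.44 and two for 10.1.2.3, while 185.100.87.250 appears only in the probe set.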
