Improve IP detection with Dovecot

Issue #125 new
Gerard Seibert created an issue

The following is from my Dovecot log on a FreeBSD 11.3 machine.

Jan 23 09:43:04 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS, session=<MR6dqM+cDeVC8Ox3>
Jan 23 09:43:04 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS: SSL_read failed: error:140940F5:SSL routines:ssl3_read_bytes:unexpected record, session=<g2GiqM+cAOhC8Ox3>
Jan 23 09:43:09 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=</JzmqM+c4O1C8Ox3>
Jan 23 09:43:10 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol, session=<wSP1qM+cQIFC8Ox3>
Jan 23 09:43:11 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<YPQNqc+cRYNC8Ox3>
Jan 23 09:43:12 imap-login: Info: Disconnected (no auth attempts in 4 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS: read(size=583) failed: Connection reset by peer, session=<cREXqc+cn+xC8Ox3>
Jan 23 09:43:13 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<2bwlqc+cVIVC8Ox3>
Jan 23 09:43:15 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS, session=<0Q1Gqc+cOIdC8Ox3>
Jan 23 09:43:17 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS, session=<lNJcqc+cM4lC8Ox3>
Jan 23 09:43:19 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS, session=<nFt5qc+cM4tC8Ox3>
Jan 23 09:43:22 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS, session=<HeCzqc+cv45C8Ox3>
Jan 23 09:43:24 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.236.119, lip=192.168.0.101, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<6y7Qqc+cxZBC8Ox3>

I have created a simple bash script that parses the Dovecot log file and places IPs into an IPFW table. I find it hard to believe that sshguard cannot do the same.
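
An added example (not the reporter's script and not sshguard's parser): one way to pick out the pre-auth disconnects shown in the log above and count them per remote IP. The function names, the threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample input is constructed in the log format shown on this
# page, using documentation address ranges.
sample_log() {
cat <<'EOF'
Jan 23 09:43:04 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=203.0.113.7, lip=192.0.2.1, TLS, session=<AAAA>
Jan 23 09:43:05 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<BBBB>
Jan 23 09:43:06 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=192.0.2.1, TLS, session=<CCCC>
Jan 23 09:50:00 imap-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.20, lip=192.0.2.1, TLS, session=<DDDD>
Jan 23 09:51:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, mpid=123, TLS, session=<EEEE>
Jan 23 09:52:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<x>, rip=203.0.113.7, lip=192.0.2.1, TLS, session=<FFFF>
EOF
}

# Read a Dovecot log on stdin and print "ip count" for every remote IP with at
# least $1 (default 3) "no auth attempts" disconnects.
# The pattern is anchored at the start of the line and requires the empty
# user=<> field, so everything matched up to rip= is text written by the
# server; lines with a non-empty user field are not counted at all.
dovecot_noauth_offenders() {
    awk -v min="${1:-3}" '
    /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ imap-login: Info: (Aborted login|Disconnected) \(no auth attempts in [0-9]+ secs\): user=<>, rip=[0-9A-Fa-f:.]+,/ {
        # Cut the address out of "user=<>, rip=ADDR," (13-char prefix, 1-char suffix).
        match($0, /user=<>, rip=[0-9A-Fa-f:.]+,/)
        ip = substr($0, RSTART + 13, RLENGTH - 14)
        hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

# Run over the constructed sample with a threshold of 3.
sample_log | dovecot_noauth_offenders 3
```

The output can feed whatever blocking step is in use, such as the IPFW table mentioned in the report. Successful logins and failed-password lines are deliberately left out of the count so the threshold reflects only connections that never attempted authentication.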
