
dovecot.log

Posted: Sun Jan 17, 2016 4:14 pm
by pandabb
Hello, I checked my dovecot log and to my surprise there are too many random login attempts, like more than 150+ with different usernames. Is my system compromised or is this normal? Can fail2ban ban the IPs below automatically?

Thanks!
an 18 00:09:45 auth: Error: passwd-file(laura,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:10:13 auth: Error: passwd-file(master,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:13:47 auth: Error: passwd-file(melissa,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:13:51 auth: Error: passwd-file(library,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory

Re: dovecot.log

Posted: Mon Jan 18, 2016 10:20 pm
by BBuchanan1013
pandabb wrote: Hello, I checked my dovecot log and to my surprise there are too many random login attempts, like more than 150+ with different usernames. Is my system compromised or is this normal? Can fail2ban ban the IPs below automatically?

Thanks!
an 18 00:09:45 auth: Error: passwd-file(laura,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:10:13 auth: Error: passwd-file(master,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:13:47 auth: Error: passwd-file(melissa,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory
Jan 18 00:13:51 auth: Error: passwd-file(library,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory
If you think your system is compromised, then make sure you have a backup, then just re-install everything. Though, if it were me, it actually looks like someone's attempting to make entry. Best bet is to add the IP to the firewall/fail2ban yourself and block its access. I'm no expert, but it just looks like random attempts to gain access to your mail server and execute/view the passwd file (the one that has all users and passwords listed in it for the system, not for Vesta specifically).
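The log lines quoted above can be triaged by counting how many distinct usernames each source tried. The following is an added example, not part of the original thread: a Python sketch that parses that `passwd-file(user,ip)` error format and lists sources at or above a threshold, optionally grouping addresses by network prefix. The function names, thresholds and the one constructed log line are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the dovecot auth error format quoted in the thread:
#   "... auth: Error: passwd-file(<user>,<ip>): stat(...) failed: ..."
LINE_RE = re.compile(r"auth: Error: passwd-file\(([^,()]*),([^,()]+)\)")

# First four lines are copied from the thread; the last one is constructed
# to show that unrelated log lines are skipped.
SAMPLE = [
    "an 18 00:09:45 auth: Error: passwd-file(laura,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory",
    "Jan 18 00:10:13 auth: Error: passwd-file(master,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory",
    "Jan 18 00:13:47 auth: Error: passwd-file(melissa,193.189.117.148): stat(/etc/exim/domains//passwd) failed: No such file or directory",
    "Jan 18 00:13:51 auth: Error: passwd-file(library,193.189.117.155): stat(/etc/exim/domains//passwd) failed: No such file or directory",
    "Jan 18 00:14:02 some-other-service: constructed line that must be ignored",
]

def failed_lookups(lines):
    """Yield (username, ip_address) for every matching auth error line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # second field is not a valid address; skip the line
        yield m.group(1), ip

def suspicious_sources(lines, min_users=3, prefix_len=None):
    """Map each source to the sorted usernames it tried, keeping only sources
    with at least min_users distinct names. With prefix_len set, addresses
    are grouped by network (e.g. 24) instead of counted individually."""
    users = defaultdict(set)
    for user, ip in failed_lookups(lines):
        if prefix_len is None:
            key = str(ip)
        else:
            key = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        users[key].add(user)
    return {src: sorted(n) for src, n in users.items() if len(n) >= min_users}

if __name__ == "__main__":
    for src, names in suspicious_sources(SAMPLE, 3, prefix_len=24).items():
        print(src, len(names), ", ".join(names))
```

Grouping by prefix matters for the sample: neither address alone reaches three usernames, but both fall in the same /24, which does.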

Re: dovecot.log

Posted: Tue Jan 19, 2016 1:42 am
by pandabb
Thanks for the tip, sir.

Does this mean a bot is trying to log in via domainname.com/webmail?

Is there any way to change the alias /webmail or add some sort of .htaccess password to prevent bots from crawling it?

Re: dovecot.log

Posted: Tue Jan 19, 2016 5:45 am
by pandabb
Thanks for the help.

I decided just to remove my mail server since I really don't need it, plus it takes so much RAM if you put it all together, antivirus etc.