On Fri 27/Feb/2015 10:28:12 +0100 Jan Ingvoldstad wrote:
>
> I hoped I could, by using e.g. less to view the debug log (debug level 1)

The debug log is useful for debugging, but lines get garbled if there are concurrent logins, and it's not quite machine-readable.

> [DATE] [host] imapd: LOGIN FAILED, method=PLAIN, ip=[::ffff:192.168.0.1]
>
> That is, I hoped that the authdaemond entries would be buffered and put in the
> log so that I could see which IP address tried to login as which user, but
> failed.

The last log line (quoted) is the regular --not debug-- log. At mine, it is piped through a parser which finds repeated attempts from the same IP and bans it accordingly. (Doing so is bound to require intervention when users change passwords or configure new clients.) Besides authentication failures, the parser looks for 513 Relaying denied, 517-Domain does not exist, 502 ESMTP command, and Maximum connection limit, so knowing the IP for authentication failures only wouldn't be enough to eliminate the parser.

For distributed attacks, I log the attempted user/pw pair using authpipe as shown below. Not very useful, but may help getting an insight on what goes on. I get this from yesterday's log:

Feb 26 06:17:48 north pipeauth[31330]: user: info pw: info not found
Feb 26 08:06:57 north pipeauth[31070]: user: vesely pw: vesely not found
Feb 26 08:07:00 north pipeauth[31341]: user: vesely pw: vesely123 not found

No IP is passed by authdaemond, as you say, but what would it be useful for? The IP is known by authdaemond's clients who authenticate users. They don't pass an IP address to authdaemond in turn. It could be possible to gain that knowledge by examining /proc, as in netstat --program, but would it be worth it?

Ale

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users