I've been having an interesting (to me) problem. I'm getting auth.log
entries like this:

    May 2 14:02:15 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=be rhost=

every 10 minutes. Note the empty rhost= data. 'be' was a username -- I
got him to change it yesterday. Now I'm getting the same log entries
with both names.
Is it possible to send an IP packet with no 'source IP address'? If so,
is pam just losing it somehow?
I get other similar entries, occasionally, like:

    May 2 11:35:46 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tester@209 rhost=62.76.45.134

And some much more frequently, still with no rhost= info:

    May 2 00:32:10 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=

I've asked on several lists, googled, and read books. I can't figure out
what's going on. I thought the lack of rhost= indicated one of my monit
monitors. So I turned them all off, and the entries came right in.
I know there's massive IP experience on this list. security-basics
couldn't explain this, nor could SDLU. Can one (or more) of you help me
understand?
TIA...
--
Glenn English
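
Added example, not part of the original post: a Python sketch that tallies dovecot pam_unix failures by ruser and rhost and measures the gaps between repeats, to confirm a fixed cadence such as the 10-minute one described above. The function names, the default year, the 5-second jitter tolerance and the two extra 'be' sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix failure format quoted in the post.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot-auth: "
    r"pam_unix\(dovecot:auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)")

# The 14:02:15, 11:35:46 and 00:32:10 lines are from the post; the two
# earlier 'be' lines are constructed to give the sample a repeat pattern.
_PRE = ("server dovecot-auth: pam_unix(dovecot:auth): authentication "
        "failure; logname= uid=0 euid=0 tty=dovecot ")
SAMPLE = [
    "May 2 13:42:15 " + _PRE + "ruser=be rhost=",
    "May 2 13:52:14 " + _PRE + "ruser=be rhost=",
    "May 2 14:02:15 " + _PRE + "ruser=be rhost=",
    "May 2 11:35:46 " + _PRE + "ruser=tester@209 rhost=62.76.45.134",
    "May 2 00:32:10 " + _PRE + "ruser=anonymous rhost=",
]

def parse_failures(lines, year=2001):
    """Yield (timestamp, ruser, rhost); syslog omits the year, so it is assumed."""
    for line in lines:
        m = FAILURE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ruser"], m["rhost"]

def cadence_report(lines, year=2001, jitter=5):
    """Group failures by (ruser, rhost) and report count and gaps in seconds."""
    seen = defaultdict(list)
    for ts, ruser, rhost in parse_failures(lines, year):
        seen[(ruser, rhost or "<empty>")].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # A near-constant gap points at a scheduled client rather than a person.
        fixed = len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter
        report[key] = {"count": len(stamps), "gaps": gaps, "fixed_interval": fixed}
    return report

if __name__ == "__main__":
    for key, info in sorted(cadence_report(SAMPLE).items()):
        print(key, info)
```

Run against the real auth.log, entries with an empty rhost and a fixed interval can then be lined up against cron jobs, monitoring checks and local mail clients on the same schedule.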