Atomic Secure Linux
 Post subject: block many checkmailpasswd attempts?
Posted: Wed Mar 03, 2010 3:54 pm
Forum Regular

I'm getting quite a few of these in the maillog:

Quote:
...
Mar 3 20:39:18 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar 3 20:39:19 www pop3d: Connection, ip=[75.110.237.4]
Mar 3 20:39:20 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar 3 20:39:21 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: andrea - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar 3 20:39:22 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar 3 20:39:24 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
...


I put the IP in the blacklist for now. Any good way to auto-detect and block this?
Thanks


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Wed Mar 03, 2010 4:16 pm
Atomicorp Staff - Site Admin

Yeah if you can get say 5 or 10 of those alerts and put them here we can see about coming up with a ruleset for it.


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Wed Mar 03, 2010 4:48 pm
Forum Regular

I'm not sure if I got it right.
Here are some more:
Thanks. If not, just punch me :)

Code:
Mar  3 20:38:11 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:12 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: america - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:15 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:16 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:16 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amorphic - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:16 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:17 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:17 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:17 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:19 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:20 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amanda - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:20 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:21 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:21 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:23 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:23 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:24 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:25 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:25 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:29 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:29 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:29 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:35 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:35 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:35 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:40 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amorphic - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:40 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:40 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:45 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amorphic - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:38:46 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:46 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:47 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:51 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: america - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:51 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:51 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:52 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:52 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:38:55 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:38:56 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amanda - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:38:57 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:00 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:01 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amelia - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:01 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:04 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:04 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:39:05 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: anderson - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:05 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:06 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:09 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: andrea - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:09 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:10 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:10 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:10 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:10 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:11 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: andre - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:11 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:16 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:16 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:16 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:18 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: andre - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:18 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:19 www pop3d: Connection, ip=[75.110.237.4]
Mar  3 20:39:20 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: amy - short names not allowed from @ [75.110.237.4]DEBUG: Connection, ip=[75.110.237.4]
Mar  3 20:39:21 www pop3d: IMAP connect from @ [75.110.237.4]checkmailpasswd: FAILED: andrea - short names not allowed from @ [75.110.237.4]ERR: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:22 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:24 www pop3d: LOGIN FAILED, ip=[75.110.237.4]
Mar  3 20:39:24 www pop3d: LOGOUT, ip=[75.110.237.4]
Mar  3 20:39:26 www pop3d: LOGIN FAILED, ip=[75.110.237.4]


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Wed Mar 03, 2010 8:54 pm
Atomicorp Staff - Site Admin

Awesome, this is great data. And if anyone else has a weird, suspicious, etc. event - please open a thread and do the same. We can create rules to look for these and to trigger at a certain #, type, etc. of events and block the baddies. So the more info the merrier.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Thu Mar 04, 2010 4:00 am
Forum Regular

GREAT! Thanks a lot!


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Thu Mar 04, 2010 8:26 pm
Long Time Forum Regular

Err.. well, you only need to look for

Code:
checkmailpasswd: FAILED:


to detect failed email logins in qmail.

Now single email login errors are common. In some cases you may get the same user logging in with the wrong password over and over again (e.g. every 5 mins, because they have incorrectly configured a local mailserver) and we don't want to block them.

What we need is a rate limit - e.g. >5 incorrect logins in 30 seconds (configurable) before an IP is blocked or we'll have all sorts of trouble on our hands, and ideally a dictionary attack detector (same IP, X different usernames, all failed) - again X should be configurable.

I thought BFD could do some of this out of the box anyway. It just needs its rules tweaked for plesk's qmail I think.

Faris.



 Post subject: Re: block many checkmailpasswd attempts?
Posted: Thu Mar 04, 2010 11:54 pm
Atomicorp Staff - Site Admin

OSSEC can do it much much faster than bfd can, so there is really no need for it these days. It already has decoders for courier imap by default, it just turns out that plesk 9 uses a different format. So we either need to push a decoder update (this requires an update to ossec) or perhaps a rule update. Still exploring the latter, which would just be a regular daily update via ASL.


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Mar 15, 2010 2:55 pm
Forum Regular

Hi,
Got a bunch of failed logins/checkmailpasswd entries for you.

The first example is interesting due to the slow approach to mailbox cracking (normally use fail2ban to stop this kind of stuff, but switched it off for a few days and closely monitored the situation to get a good set of data - this is pretty constant otherwise):

Code:
/usr/local/psa/var/log/maillog:Mar 15 04:13:51 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.210]ERR: LOGIN FAILED, ip=[82.132.139.210]
/usr/local/psa/var/log/maillog:Mar 15 04:44:59 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 15 05:16:10 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.78]ERR: LOGIN FAILED, ip=[82.132.248.78]
/usr/local/psa/var/log/maillog:Mar 15 05:47:19 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 15 06:00:58 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.157]ERR: LOGIN FAILED, ip=[82.132.139.157]
/usr/local/psa/var/log/maillog:Mar 15 06:09:10 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.29]ERR: LOGIN FAILED, ip=[82.132.139.29]
/usr/local/psa/var/log/maillog:Mar 15 06:25:39 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.157]ERR: LOGIN FAILED, ip=[82.132.139.157]
/usr/local/psa/var/log/maillog:Mar 15 06:51:04 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 07:20:42 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 07:50:54 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.40]ERR: LOGIN FAILED, ip=[82.132.248.40]
/usr/local/psa/var/log/maillog:Mar 15 08:11:50 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 08:56:19 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 09:18:01 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 15 09:59:37 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 10:30:21 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 10:51:00 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 10:57:12 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 11:17:27 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 11:39:48 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 12:15:15 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 12:25:39 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 12:46:29 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 15 13:16:42 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 13:58:33 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 14:29:18 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 15 14:54:28 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 15:40:54 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 16:01:39 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 16:26:59 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 16:56:52 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 17:01:05 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 17:24:22 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 15 17:51:15 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.72]ERR: LOGIN FAILED, ip=[82.132.139.72]
/usr/local/psa/var/log/maillog:Mar 14 04:06:55 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 04:38:00 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 05:08:14 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.27]ERR: LOGIN FAILED, ip=[82.132.248.27]
/usr/local/psa/var/log/maillog:Mar 14 05:38:29 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 06:01:09 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 06:25:39 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 06:56:49 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.26]ERR: LOGIN FAILED, ip=[82.132.248.26]
/usr/local/psa/var/log/maillog:Mar 14 07:19:43 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 07:42:45 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.69]ERR: LOGIN FAILED, ip=[82.132.139.69]
/usr/local/psa/var/log/maillog:Mar 14 08:07:31 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 14 08:19:41 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.37]ERR: LOGIN FAILED, ip=[82.132.248.37]
/usr/local/psa/var/log/maillog:Mar 14 08:43:50 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.200]ERR: LOGIN FAILED, ip=[82.132.139.200]
/usr/local/psa/var/log/maillog:Mar 14 09:07:24 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 14 09:33:09 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 14 09:55:01 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.19]ERR: LOGIN FAILED, ip=[82.132.139.19]
/usr/local/psa/var/log/maillog:Mar 14 10:40:21 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 10:55:20 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 11:22:06 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 11:52:19 [SERVER_NAME] pop3d-ssl: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 12:19:18 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.210]ERR: LOGIN FAILED, ip=[82.132.139.210]
/usr/local/psa/var/log/maillog:Mar 14 12:25:40 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.139.157]ERR: LOGIN FAILED, ip=[82.132.139.157]
/usr/local/psa/var/log/maillog:Mar 14 12:49:25 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.136.208]ERR: LOGIN FAILED, ip=[82.132.136.208]
/usr/local/psa/var/log/maillog:Mar 14 13:16:49 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 13:46:14 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 14:14:42 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 14:15:36 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 14:26:02 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 14:35:46 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 14:58:53 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 15:05:50 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 15:35:59 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 16:00:49 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 17:00:48 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 17:21:05 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 17:52:22 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 18:22:10 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 18:25:41 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]
/usr/local/psa/var/log/maillog:Mar 14 18:47:35 [SERVER_NAME] pop3d-ssl: IMAP connect from @ [82.132.248.80]ERR: LOGIN FAILED, ip=[82.132.248.80]

Should mention: have checked with clients and these are not unwitting attempts to collect mail using incorrect logon.

Then there is this second type, coming in bursts 2-10 times a day, trying between 10-50 slightly different user names each time:

Code:
/usr/local/psa/var/log/maillog:Mar 14 19:10:55 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: staff - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:01 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: sales - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:06 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: recruit - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:12 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: alias - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:17 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: office - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:23 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: samba - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:28 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: tomcat - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:33 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: webadmin - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:39 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: spam - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:44 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: virus - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:49 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: cyrus - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:11:55 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: oracle - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:00 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: michael - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:05 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: ftp - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:11 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: test - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:16 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: webmaster - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:21 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: postmaster - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:27 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: postfix - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:32 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: postgres - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:38 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: paul - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:43 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: root - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:48 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: guest - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:54 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: admin - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:12:59 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: linux - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:13:04 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: user - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:13:10 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: david - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:13:15 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: web - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:13:21 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: apache - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]
/usr/local/psa/var/log/maillog:Mar 14 19:13:26 [SERVER_NAME] pop3d: IMAP connect from @ [88.35.244.226]checkmailpasswd: FAILED: pgsql - short names not allowed from @ [88.35.244.226]ERR: LOGIN FAILED, ip=[88.35.244.226]


Hope it proves useful


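
The rate limit and dictionary-attack check proposed earlier in the thread, plus a long window for the slow attempts shown in the post above, as an added example that is not part of the thread and is not the ASL or OSSEC rule set. The thresholds, the `year` argument (syslog stamps carry no year) and the sample records with documentation-range IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One syslog record; search() tolerates a "/path/maillog:" grep prefix.
LINE = re.compile(
    r"([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?:pop3d|imapd)(?:-ssl)?: (.*)")
# Each rejected login logs this message, with or without a username.
FAILED = re.compile(r"LOGIN FAILED, ip=\[([0-9A-Fa-f.:]+)\]")
# checkmailpasswd output glued onto the record carries the attempted username.
USER = re.compile(
    r"checkmailpasswd: FAILED: (\S+) - .*? from @ \[([0-9A-Fa-f.:]+)\]")

# (name, window, threshold, what is counted). All values are assumptions to tune.
RULES = [
    ("burst", timedelta(seconds=30), 6, "failures"),    # >5 failures in 30 s
    ("dictionary", timedelta(minutes=10), 5, "users"),  # X = 5 distinct usernames
    ("slow", timedelta(hours=24), 20, "failures"),      # one guess every ~30 min
]


def parse(line, year):
    """Return (time, ip, username-or-None) events found in one log line."""
    m = LINE.search(line)
    if not m:
        return []
    stamp = " ".join(m.group(1).split())  # syslog pads the day: "Mar  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    events = [(ts, ip, None) for ip in FAILED.findall(m.group(2))]
    events += [(ts, ip, user) for user, ip in USER.findall(m.group(2))]
    return events


def detect(lines, year, rules=RULES):
    """Return {ip: set of rule names tripped}; input order does not matter."""
    events = sorted((e for l in lines for e in parse(l, year)), key=lambda e: e[0])
    longest = max(window for _, window, _, _ in rules)
    fails = defaultdict(deque)  # ip -> times of failed logins
    users = defaultdict(deque)  # ip -> (time, username) pairs
    hits = defaultdict(set)
    for ts, ip, user in events:
        if user is None:
            fails[ip].append(ts)
        else:
            users[ip].append((ts, user))
        # Drop anything older than the longest window so memory stays bounded.
        while fails[ip] and ts - fails[ip][0] > longest:
            fails[ip].popleft()
        while users[ip] and ts - users[ip][0][0] > longest:
            users[ip].popleft()
        for name, window, threshold, kind in rules:
            if kind == "failures":
                seen = sum(1 for t in fails[ip] if ts - t <= window)
            else:
                seen = len({u for t, u in users[ip] if ts - t <= window})
            if seen >= threshold:
                hits[ip].add(name)
    return dict(hits)


def sample_log():
    """Constructed records in the thread's format, using documentation IPs."""
    t0 = datetime(2010, 3, 14, 19, 10, 55)

    def rec(ts, ip, user=None, svc="pop3d"):
        glued = (f"checkmailpasswd: FAILED: {user} - short names not allowed "
                 f"from @ [{ip}]") if user else ""
        return (f"{ts:%b %d %H:%M:%S} www {svc}: IMAP connect from @ [{ip}]"
                f"{glued}ERR: LOGIN FAILED, ip=[{ip}]")

    names = ["staff", "sales", "office", "webadmin", "root", "guest", "admin", "test"]
    out = [rec(t0 + timedelta(seconds=5 * i), "203.0.113.7", n)
           for i, n in enumerate(names)]                      # fast dictionary run
    out += [rec(t0 + timedelta(minutes=5 * i), "198.51.100.20")
            for i in range(12)]                               # misconfigured client
    out += [rec(t0 + timedelta(minutes=30 * i), "192.0.2.44", svc="pop3d-ssl")
            for i in range(24)]                               # slow guessing
    return out


if __name__ == "__main__":
    for ip, rules in sorted(detect(sample_log(), 2010).items()):
        print(ip, sorted(rules))
```

The `slow` rule sees no username in the `pop3d-ssl` records, so on its own it cannot tell a patient guesser from a client retrying a stale password; treat its hits as candidates for review rather than automatic blocks.
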
 
 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Mar 15, 2010 3:39 pm
Atomicorp Staff - Site Admin

Quote:
Hope it proves useful


Most definitely!



 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Mar 15, 2010 4:32 pm
Atomicorp Staff - Site Admin

This is in ASL 2.2.5 and OSSEC 2.4 (note both are required)


 Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue Mar 16, 2010 7:14 pm
Forum Regular

Here is a bunch from postfix. They have a wonderful dictionary :)

Mar 14 15:18:54 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:19:00 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:19:30 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: test - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:19:36 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:19:46 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ghost - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:05 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:12 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: guest - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:25 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ghost - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: magnos - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:39 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:45 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:20:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: aaron - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:02 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: jun - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:12 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: rebecca - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:21 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: einstein - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:28 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: anna - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:35 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: sara - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:21:45 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:22:05 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: magnos - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:22:11 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:22:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: amy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:22:24 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: amy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:22:34 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:10 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:16 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: tracy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:23 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: controller - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:39 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:10 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:16 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: tracy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:23 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: controller - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:39 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:46 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: emily - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:23:56 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:04 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: backuppc - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:11 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: backuppc - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: avahi - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:27 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:45 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:24:56 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:25:02 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: amavisd - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:25:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: edu - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:25:30 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: edu - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:25:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:25:58 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:26:08 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:26:14 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: token - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:26:24 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: security - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:26:31 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:00 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:07 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: edu - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:14 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:21 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:27 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: webmaster - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:36 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: mysql - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:42 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: a - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:27:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: kon - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:05 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:11 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: qtss - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:23 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:29 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: oracle - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:37 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:43 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: test - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:49 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:28:56 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:24 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: oracle - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:39 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: library - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:46 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: info - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: linux - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:29:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: amanda - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:30:14 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: amanda - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:30:20 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: anita - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:30:30 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: anita - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:30:40 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: anita - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:30:55 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ftp - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:02 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:08 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:14 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:27 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:50 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ming - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:31:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ming - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:32:27 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: student - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:32:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: student - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:32:50 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: netdump - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:32:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: netdump - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:33:24 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: accounts - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:33:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: accounts - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:33:43 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: internet - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:33:49 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: internet - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:33:55 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: judy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:34:02 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: judy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]

Mar 14 15:34:12 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: sam - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:34:19 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: sam - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:34:32 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: eddy - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:34:50 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: mike - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:34:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: java - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:15 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: java - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:22 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: webs - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:31 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:38 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: webadmin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:44 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: ftp - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:35:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: test - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:01 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:07 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:16 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: guest - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:23 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: master - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:29 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: apache - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:35 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:43 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:36:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:12 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:26 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:38 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:45 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:37:51 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: admin - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:38:03 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:38:19 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:38:33 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: test - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:39:06 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: webmaster - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:39:18 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: user - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:39:28 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:39:35 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: username - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:40:52 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: root - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:40:59 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: danny - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:41:08 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: sharon - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:44:42 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: backup - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:44:48 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: oracle - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:44:57 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: web - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:45:07 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: www - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:45:14 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: wwwrun - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:45:23 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: adam - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:45:30 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: stephen - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:46:24 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: richard - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:46:31 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: george - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:46:40 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: michael - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:46:55 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: john - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:47:05 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: david - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:47:15 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: paul - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:47:25 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: news - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]
Mar 14 15:47:40 server pop3d: IMAP connect from @ [218.242.136.114]checkmailpasswd: FAILED: angel - short names not allowed from @ [218.242.136.114]ERR: LOGIN FAILED, ip=[218.242.136.114]



Mar 17 06:54:15 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 1111 - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:21 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 123456 - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:27 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 1prueba - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:36 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 1prueva - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:43 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 2pac - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:48 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 3lectric - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:54:54 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 4l3x - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]
Mar 17 06:55:00 server pop3d: IMAP connect from @ [66.122.195.143]checkmailpasswd: FAILED: 50cent - short names not allowed from @ [66.122.195.143]ERR: LOGIN FAILED, ip=[66.122.195.143]


 
 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Dec 06, 2010 12:51 pm
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
Realise it's been a bit of a delay, but noticed a resurgence in failed password access in /usr/local/psa/var/log/maillog:

Code:
Dec  6 16:44:59 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: access - short names not allowed from @ [204.188.237.11]ERR: LOGIN FAILED, ip=[204.188.237.11]
Dec  6 16:47:00 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: pwrchute - short names not allowed from @ [204.188.237.11]DEBUG: Connection, ip=[204.188.237.11]
Dec  6 16:47:00 pop3d: Connection, ip=[204.188.237.11]
Dec  6 16:47:00 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: pwrchute - short names not allowed from @ [204.188.237.11]ERR: LOGIN FAILED, ip=[204.188.237.11]
Dec  6 16:47:01 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: pwrchute - short names not allowed from @ [204.188.237.11]INFO: LOGOUT, ip=[204.188.237.11]
Dec  6 16:47:01 pop3d: Connection, ip=[204.188.237.11]
Dec  6 16:47:05 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: access - short names not allowed from @ [204.188.237.11]ERR: LOGIN FAILED, ip=[204.188.237.11]
Dec  6 16:47:05 pop3d: LOGOUT, ip=[204.188.237.11]
Dec  6 16:47:05 pop3d: LOGIN FAILED, ip=[204.188.237.11]
Dec  6 16:47:05 pop3d: Connection, ip=[204.188.237.11]
Dec  6 16:47:06 pop3d: LOGOUT, ip=[204.188.237.11]
Dec  6 16:47:06 pop3d: LOGIN FAILED, ip=[204.188.237.11]
Dec  6 16:47:06 pop3d: IMAP connect from @ [204.188.237.11]checkmailpasswd: FAILED: pwrchute - short names not allowed from @ [204.188.237.11]INFO: LOGOUT, ip=[204.188.237.11]
Dec  6 16:47:06 pop3d: Connection, ip=[204.188.237.11]


All afternoon... Haven't seen these in a while, thought ossec was successfully blocking them...

Not sure if the rules have changed and no longer catch it, or if anyone else sees the same issue?

Thanks.


 
 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Dec 06, 2010 1:00 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7420
Location: earth
Yeah there's a rule on that, #60903 (failed login) and #60910 which is a threshold event, 10 failures in 60 seconds from the same IP.


 
 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Apr 18, 2011 3:39 pm
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
scott wrote:
Yeah there's a rule on that, #60903 (failed login) and #60910 which is a threshold event, 10 failures in 60 seconds from the same IP.


Hi Scott, have a lot of ongoing checkmailpasswd: FAILED entries in /usr/local/psa/var/log/maillog and rule 60903 does not seem to be blocking them (here's a small sample within threshold).

Code:
Apr 18 20:11:46 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: shop - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:11:46 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:11:51 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: shop - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:11:51 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:11:56 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: shop - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:11:57 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:02 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:02 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:07 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:07 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:12 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:12 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:17 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:18 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:23 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:23 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:28 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:28 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:33 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:33 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:38 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:38 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]
Apr 18 20:12:44 SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN
Apr 18 20:12:44 SERVER_NAME pop3d: Connection, ip=[IP.REMOVED]


ASL GUI displays them as level 5 activity, but no blocking occurs...

Code:
18Apr 20:15:16   5   3902      SERVER_NAME pop3d: IMAP connect from @ [IP.REMOVED]checkmailpasswd: FAILED: sys - short names not allowed from @ [IP.REMOVED]ERR: LOGIN FAILED, ip=[IP.REMOVED]


They will never get in with these lame attempts, but it fills up the mail log as there are thousands a day.
Thought they may be making attempts j-u-s-t slow enough to not trigger, so reduced the threshold to test, they stopped appearing in the log, but there is no blocking/blacklist notification for the IP. Are these now blocked? If so what's the best way to customise the rule to make it stick across ossec rule updates?

Thanks
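
The threshold described in this thread (10 failures in 60 seconds from the same IP) and the slow-pacing guess in the post above can be checked offline against a copy of the maillog. The following Python sketch is an added example, not ASL or OSSEC code: it models the threshold as a plain sliding window, and the sample lines, documentation-range IPs, assumed year and function names are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# One failed attempt = one "checkmailpasswd: FAILED" line. The bare
# "LOGIN FAILED" / "LOGOUT" / "Connection" lines are skipped so an attempt is
# not counted twice. The hostname field is optional (some samples omit it).
FAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?:\S+\s+)?pop3d: "
    r".*?checkmailpasswd: FAILED: (?P<user>\S+) - short names not allowed "
    r"from @ \[(?P<ip>[^\]]+)\]"
)


def parse_failures(lines, year=2010):
    """Return (timestamp, ip, user) for every checkmailpasswd failure line.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue
        ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]))
        events.append((ts, m["ip"], m["user"]))
    return events


def window_counts(events, timeframe):
    """Yield (timestamp, ip, failures from that ip in the last `timeframe` s)."""
    span = timedelta(seconds=timeframe)
    recent = defaultdict(deque)
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:      # drop failures that fell out of the window
            q.popleft()
        yield ts, ip, len(q)


def peak_per_ip(events, timeframe):
    """Highest failure count each IP reached inside any single window."""
    peaks = {}
    for _ts, ip, n in window_counts(events, timeframe):
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


def threshold_hits(events, frequency, timeframe):
    """First moment each IP reaches `frequency` failures within `timeframe` s."""
    hits = {}
    for ts, ip, n in window_counts(events, timeframe):
        if n >= frequency and ip not in hits:
            hits[ip] = ts
    return hits


def _constructed(ip, start, gap_seconds, count, user="test"):
    """Build sample lines in the thread's log format (constructed data)."""
    out = []
    for i in range(count):
        ts = start + timedelta(seconds=i * gap_seconds)
        stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
        out.append(f"{stamp} server pop3d: IMAP connect from @ [{ip}]"
                   f"checkmailpasswd: FAILED: {user} - short names not allowed "
                   f"from @ [{ip}]ERR: LOGIN FAILED, ip=[{ip}]")
    return out


# Constructed input: one source pacing itself at 7 s per attempt, one bursting
# at 2 s per attempt, one non-failure line, and one line without a hostname.
SAMPLE = (
    _constructed("192.0.2.10", datetime(2010, 3, 14, 15, 19, 30), 7, 20)
    + _constructed("198.51.100.7", datetime(2010, 3, 14, 15, 30, 0), 2, 12)
    + ["Mar 14 15:19:31 server pop3d: LOGOUT, ip=[192.0.2.10]",
       "Dec  6 16:44:59 pop3d: IMAP connect from @ [203.0.113.5]"
       "checkmailpasswd: FAILED: access - short names not allowed "
       "from @ [203.0.113.5]ERR: LOGIN FAILED, ip=[203.0.113.5]"]
)

if __name__ == "__main__":
    events = parse_failures(SAMPLE)
    print("peak failures per 60 s:", peak_per_ip(events, 60))
    for freq, secs in ((10, 60), (8, 60), (10, 120)):
        hits = threshold_hits(events, freq, secs)
        print(f"{freq} in {secs}s ->", {ip: str(t) for ip, t in hits.items()})
```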


 
 Post subject: Re: block many checkmailpasswd attempts?
Posted: Mon Apr 18, 2011 4:33 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7420
Location: earth
What threshold did you end up going with on that one? If it blocks it should log it in /var/ossec/logs/active-responses.log

In 2.2 you'd need to make a separate rule file and then manually update that in the ossec.conf. In 3.0 there is now a rules.d directory that works just like the apache conf.d system. Anything dropped in there gets referenced last, so it can override any rule that comes before it.

