Hello,
Thank you very much for this product. We recommend it to all of our customers who request a powerful firewall that is simple to manage. I have two feature requests -- please correct me if they are already within the product.
1) Dovecot support. We typically set up our dedicated servers using Fedora or CentOS. We install PureFTP to be compliant with CSF, but we require Dovecot for POP/IMAP for a few reasons. Adding support for this would allow our dedicated servers to be completely covered by CSF.
2) The ability to change where CSF/LFD logging is output to. Our syslog is generally saturated with hits. Perhaps a few configure lines that would allow certain output to be output to different log files.
Thanks!
Dovecot + Additional Loggin
Chirpy,
Sorry for digging up an old thread. Thank you for your response. Are there any plans to add Dovecot to the services that LFD monitors? Dovecot is the only service that frequently gets dictionary attacked that LFD does not block. The failure line looks something like this by default on F7:
Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Aug 17 11:44:12 hostname dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sfdfsdf
Wrong log file
It appears csf just checks /var/log/messages for dovecot aborted IMAP/POP messages; however, my dovecot logs to /var/log/imap.log. I think with others it logs to /var/log/mail.log. Can the correct log file be configured?
Maybe it is configured
Actually, on closer inspection, it looks like the source code *does* use whatever log file is specified for IMAP and POP daemon -- it is just the changelog entry that says /var/log/messages.
Not catching all dovecot attacks
I'm still getting a lot of dovecot attacks with the latest csf. I don't think it is recognizing all the various types of attacks.
E.g. -- these are in dovecot's log file:
dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:42 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=24.97.230.106, lip=72.1.169
these are in auth.log:
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
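The log formats quoted in this thread can be checked with a short matcher. This is an added example, not part of any post above and not CSF/LFD's own code; it extracts the client address from the PAM and "Aborted login" lines and counts failures per address. The function names, the threshold of 3 and the choice to ignore loopback sources are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the log line formats quoted in the thread.
SAMPLE_LOG = """\
Aug 17 11:44:12 hostname dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Aug 17 11:44:12 hostname dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sfdfsdf
dovecot: 2007-12-06 20:48:40 Info: pop3-login: Aborted login: rip=24.97.230.106, lip=72.1.169.236
dovecot: 2007-12-06 20:48:41 Info: pop3-login: Aborted login: user=<trace>, method=PLAIN, rip=24.97.230.106, lip=72.1.169.236
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) check pass; user unknown
Dec 6 20:49:02 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
Dec 6 20:49:06 bostoncoop dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106
"""

PATTERNS = [
    # PAM failure, in both the "(pam_unix)" and "pam_unix(dovecot:auth):" styles.
    re.compile(r"dovecot-auth: .*pam_unix.*authentication failure;.*\brhost=(\S+)"),
    # Dovecot's own log: aborted POP3/IMAP login, with or without a user= field.
    re.compile(r"(?:pop3|imap)-login: Aborted login:.*?\brip=([0-9A-Fa-f:.]+)"),
]


def source_ip(line):
    """Return the normalised client IP of a failed Dovecot login, or None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None  # rhost was a hostname or a cut-off address
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
        # Assumption: loopback sources (e.g. local webmail) are never blocked.
        return None if ip.is_loopback else str(ip)
    return None


def offenders(log_text, limit=3):
    """Map each source IP with at least `limit` failed logins to its count."""
    counts = Counter(filter(None, map(source_ip, log_text.splitlines())))
    return {ip: n for ip, n in counts.items() if n >= limit}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The "check pass; user unknown" and pam_succeed_if lines carry no address, so they are not counted.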