How to monitor brute force attacks on Dovecot with xymon

Recently I created a brute-force alerting mechanism to detect login attempts against Dovecot. Since I use xymon for everyday work, my solution is based on it.

First of all, I needed to catch the trigger words. In /etc/rsyslog.d/50-default.conf I added this:

# dovecot
:programname, isequal, "dovecot" /var/log/dovecot.log

:msg, contains, "lmtp" /var/log/dovecot-lmtp.log
:msg, contains, "pop3" /var/log/dovecot-pop3.log
:msg, contains, "imap" /var/log/dovecot-imap.log
:msg, contains, "Logged out" /var/log/dovecot-logout.log
:msg, contains, "auth-worker" /var/log/auth-worker.log

After that I restarted rsyslog.

Make sure that the xymon/hobbit client user has permission to read /var/log/auth-worker.log. You may, for example, add the xymon user to the system group adm, like this in /etc/group:

Check your Dovecot version. Older versions may not log everything I describe here.

Preparing xymonserver

Next, tell xymonserver in /etc/xymon/analysis.cfg to check Dovecot's log:

LOG /var/log/dovecot-aborted.log %failed COLOR=YELLOW

And in /etc/xymon/client-local.cfg configure the client as follows:

ignore mysql

Use ignore lines for log lines which might create false positives.


You need at least log.mail-log.server in your /etc/xymon/hosts.cfg.

Then restart the xymonserver and the xymon client on log.mail-log.server.

A typical alert line, as shown in the msgs tab of the host in the xymon GUI or in the alarm mail, may look like this:

&yellow Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<backup>, method=PLAIN, rip=,
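As an added example (not part of the original post), here is a small Python check that parses "Aborted login (auth failed, N attempts)" lines like the one above, sums the failed attempts per remote IP (rip), and maps the worst offender to a xymon color in a "status host.test color text" message. The sample log lines, the yellow/red thresholds and the host/test names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format Dovecot writes to syslog (not real traffic).
SAMPLE_LINES = [
    "Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<backup>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5",
    "Jan 28 17:31:47 mail02 dovecot: imap-login: Aborted login (auth failed, 3 attempts): "
    "user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5",
    "Jan 28 17:32:01 mail02 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20",
    "Jan 28 17:32:09 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<root>, method=PLAIN, rip=,",
]

ABORTED_RE = re.compile(
    r"(?P<service>\w+)-login: Aborted login \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[^,]*)"
)

def parse_aborted(line):
    """Return a dict for an 'Aborted login (auth failed ...)' line, else None."""
    m = ABORTED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["attempts"] = int(rec["attempts"])
    rec["rip"] = rec["rip"] or "unknown"   # rip can be empty, as in the post's sample line
    return rec

def failures_per_ip(lines):
    """Sum reported failed attempts per remote IP; successful logins are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_aborted(line)
        if rec:
            counts[rec["rip"]] += rec["attempts"]
    return counts

def xymon_color(counts, yellow_at=1, red_at=5):
    """Thresholds are assumptions: any failure is yellow, 5 or more from one IP is red."""
    worst = max(counts.values(), default=0)
    if worst >= red_at:
        return "red"
    return "yellow" if worst >= yellow_at else "green"

def xymon_report(lines, host="mail02", test="dovecot"):
    """Build the text for 'xymon <server> "status host.test color ..."'."""
    counts = failures_per_ip(lines)
    color = xymon_color(counts)
    body = "\n".join(f"&{color} {ip}: {n} failed attempts" for ip, n in counts.most_common())
    return f"status {host}.{test} {color} Dovecot auth failures\n{body}"
```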
Robert Schetterer, 29 Jan 2013