How to monitor brute force attacks on Dovecot with xymon

Abstract

Recently I created a brute force alarming mechanism to detect login attempts into Dovecot. Since I use xymon for everyday work my solution is based on it.


First of all I needed to catch the trigger words. In /etc/rsyslog.d/50-default.conf I added this:

...
# dovecot
:programname, isequal, "dovecot" /var/log/dovecot.log

#lmtp
:msg, contains, "lmtp" /var/log/dovecot-lmtp.log
#pop3
:msg, contains, "pop3" /var/log/dovecot-pop3.log
#imap
:msg, contains, "imap" /var/log/dovecot-imap.log
#logout
:msg, contains, "Logged out" /var/log/dovecot-logout.log
#auth-worker
:msg, contains, "auth-worker" /var/log/auth-worker.log
...

After that I restarted rsyslog.

Make sure that the xymon/hobbit client user has permission to read /var/log/auth-worker.log. You may, for example, add the xymon user to the system group adm like this in /etc/group:

...
adm:x:4:hobbit
...

Caution!

Check your dovecot version. Older versions may not log everything I describe here.

Preparing xymonserver

Next tell xymonserver in /etc/xymon/analysis.cfg to check Dovecot's log:

HOST=log.mail-log.server
...
LOG /var/log/dovecot-aborted.log %failed COLOR=YELLOW
...

And in /etc/xymon/client-local.cfg configure the client as follows:

...
[log.mail-log.server]
...
log:/var/log/auth-worker.log:20480
ignore mysql
...

Tip

Use the ignore line for log lines that might otherwise create false positives.

Caution!

At a minimum, log.mail-log.server must be listed in your /etc/xymon/hosts.cfg.

Then restart the xymonserver and the xymon client on log.mail-log.server.

A typical alarm line, as shown in the xymon GUI (the host's msgs tab on the xymonserver) or in the alarm mail, may look like this:

&yellow Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<backup>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2
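To show what the alarm line above carries and how the failed attempts can be aggregated per remote IP, here is an added Python example (not part of the original post or of xymon); the log lines it parses are constructed in the same format as the alarm line, and the threshold of 10 is an assumed value, not one the post recommends:

```python
import re
from collections import Counter

# Pattern for the Dovecot "Aborted login" line shown in the xymon alarm above.
ABORTED_RE = re.compile(
    r"dovecot: (?P<service>pop3|imap)-login: Aborted login "
    r"\(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+)"
)

def parse_aborted_login(line):
    """Return the fields of an 'Aborted login' line as a dict, or None for other lines."""
    m = ABORTED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["attempts"] = int(rec["attempts"])
    return rec

def failed_attempts_per_ip(lines):
    """Sum the failed attempts Dovecot reports, keyed by remote IP (rip)."""
    counts = Counter()
    for line in lines:
        rec = parse_aborted_login(line)
        if rec:
            counts[rec["rip"]] += rec["attempts"]
    return counts

def brute_force_suspects(lines, threshold=10):
    """Return (ip, attempts) pairs at or above the threshold, highest first.
    The threshold value is an assumption for this example."""
    counts = failed_attempts_per_ip(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log lines in the format of the alarm line above (not real data).
SAMPLE_LOG = [
    "Jan 28 17:31:45 mail02 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<backup>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2",
    "Jan 28 17:31:52 mail02 dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2",
    "Jan 28 17:32:01 mail02 dovecot: pop3-login: Aborted login (auth failed, 8 attempts): user=<root>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2",
    "Jan 28 17:32:10 mail02 dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=3.3.3.3, lip=2.2.2.2",
    "Jan 28 17:32:15 mail02 dovecot: imap-login: Logged out in=44 out=520",
]

if __name__ == "__main__":
    for ip, n in brute_force_suspects(SAMPLE_LOG):
        print(f"{ip}: {n} failed attempts")
```

The "Logged out" line is ignored by the parser, which is the same effect the ignore line in client-local.cfg has for lines that would otherwise produce false positives.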
Robert Schetterer, 29. January 2013