  1. #1

    "Failed to getpwnam for user" ?

    Okay, I have a question.

    In my daily logwatch email, I have a section like this:

    **Unmatched Entries**
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user bmw: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user christopher: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user contact: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user copier: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user daniel: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user data: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user david: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user davis: 1 Time(s)
    dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user demo: 1 Time(s)

    My most recent logwatch had about 57 lines of this stuff.

    I also receive emails about brute force detections and blocks (using APF and BFD), like this:

    SOURCE ADDRESS: 91.236.75.92
    TARGET SERVICE: pure-ftpd
    FAILED LOGINS: 32
    EXECUTED COMMAND: /etc/apf/apf -d 91.236.75.92 {bfd.pure-ftpd}

    These generally specify that the target service is pure-ftpd.

    Should I be getting emails that BFD/APF are blocking IPs due to failed dovecot logins as well? Is there something more that I need to configure here?

  2. #2
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    Assuming you want to receive notices for all services, look in your .conf.bfd for this line and change its value(s) if necessary. Below that should contain lines with other configurations if you want to change those.

    # send email alerts for all events [0 = off; 1 = on]
    EMAIL_ALERTS="1"
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  3. #3
    Email alerts for all events is already on.

    I guess I can assume from that that bfd isn't banning IPs based on failed dovecot logins? Is there a way to make it do so? Or should I use something else, like fail2ban?

  4. #4
    Okay... I found a rule file for dovecot under /usr/local/bfd/rules. "TRIG" in this was set to 50. I'm guessing that hackers know 50 is a common default, so they just do runs of 30 or so at a time. Hit and run.

    30 should get them banned now. And I'm not just banning them for 10 minutes as the default was. No, I'm afraid it'll be a while before they can talk to my server again. :-)

    Thanks for the help!
    Last edited by VPS Man; 01-14-2014 at 07:00 PM.
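
The threshold effect described in post #4, as an added example that is not part of the original thread and is not BFD's own rule code: it counts dovecot login failures per source address over constructed log lines and compares a trigger of 50 with a trigger of 30. The log line shape, the `>=` comparison and the single counting interval are assumptions.

```python
import re
from collections import defaultdict

# Assumed log shape: dovecot login-process "auth failed" lines with user=<..> and rip=.
FAIL_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*auth failed.*user=<([^>]*)>.*\brip=([0-9A-Fa-f:.]+)")

def build_sample():
    """Constructed log lines (documentation-range addresses), not real traffic."""
    def fail(n, user, ip):
        return (f"Jan 14 03:{n // 60:02d}:{n % 60:02d} host dovecot: imap-login: "
                f"Disconnected (auth failed, 1 attempts): user=<{user}>, "
                f"method=PLAIN, rip={ip}, lip=203.0.113.5")
    lines = [fail(n, f"name{n}", "192.0.2.10") for n in range(32)]         # short run, then stops
    lines += [fail(100 + n, f"name{n}", "192.0.2.77") for n in range(60)]  # long run
    lines += [fail(200 + n, "alice", "198.51.100.23") for n in range(2)]   # a user mistyping
    lines.append("Jan 14 03:59:00 host dovecot: imap-login: Login: user=<alice>, "
                 "method=PLAIN, rip=198.51.100.23, lip=203.0.113.5")       # success, ignored
    return lines

def tally(lines):
    """Return {source_ip: [failed_attempts, set_of_usernames_tried]}."""
    seen = defaultdict(lambda: [0, set()])
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            seen[ip][0] += 1
            seen[ip][1].add(user)
    return seen

def flagged(lines, trig):
    """Sources whose failure count reaches trig (assumed >= comparison)."""
    return sorted(ip for ip, (count, _) in tally(lines).items() if count >= trig)

if __name__ == "__main__":
    sample = build_sample()
    for trig in (50, 30):
        print(f"TRIG={trig}: {flagged(sample, trig)}")
    for ip, (count, users) in sorted(tally(sample).items()):
        print(f"{ip}: {count} failures across {len(users)} usernames")
```

The count of distinct usernames per source separates a dictionary run (many names, one try each, as in the logwatch excerpt) from one user mistyping a password.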

  5. #5
    Good find.
