different version of squirrelmail - different behavior when log-in with wrong username/password


Miroslav Geisselreiter
Hi all,

I use squirrelmail-1.4.8-21.el5.centos, plugin
squirrel_logger-2.3.1-1.2.7, sendmail-8.13.8-10.el5_11,
dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with kernel
2.6.18-406.el5.
When I try to log in to squirrelmail with a bad user or bad password, I get
the message: Unknown user or password incorrect. The squirrel-plugin writes
about that to the logfile, and fail2ban reads those bad attempts and does its
work (I want to use fail2ban for blocking attacks).

New servers:
CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,
httpd-2.2.15-47.el6.centos.x86_64, fail2ban-0.9.2-1.el6.noarch, kernel
2.6.32-504.16.2.el6.x86_64.
CentOS 7: squirrelmail-1.4.22-15.el7.noarch, plugin
squirrel_logger-2.3.1-1.2.7, postfix-2.10.1-6.el7.x86_64,
dovecot-2.2.10-4.el7_0.1.x86_64, php-5.4.16-36.el7_1.x86_64,
httpd-2.4.6-31.el7.centos.1.x86_64, fail2ban-0.9.2-1.el7.noarch, kernel
3.10.0-229.11.1.el7.x86_64.

When I try to log in to squirrelmail with a bad user or bad password, I get
another message: ERROR: Connection dropped by IMAP server.
The squirrel-plugin does nothing.

Here are logs:
CentOS 5:
/var/log/secure
Sep  9 09:18:16 pink dovecot-auth: pam_krb5[30187]: error resolving user name 'pokusak' to uid/gid pair
Sep  9 09:18:16 pink dovecot-auth: pam_krb5[30187]: error getting information about 'pokusak'
Sep  9 09:18:16 pink dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Sep  9 09:18:16 pink dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:127.0.0.1
Sep  9 09:18:16 pink dovecot-auth: pam_krb5[30187]: error resolving user name 'pokusak' to uid/gid pair
Sep  9 09:18:16 pink dovecot-auth: pam_krb5[30187]: error getting information about 'pokusak'
Sep  9 09:18:16 pink dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user pokusak
/var/log/maillog
Sep  9 09:18:19 pink dovecot: imap-login: Aborted login: user=<pokusak>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, TLS

CentOS 6:
/var/log/secure
Sep  9 09:24:22 purple auth: pam_krb5[20083]: error resolving user name 'pokusak' to uid/gid pair
Sep  9 09:24:22 purple auth: pam_krb5[20083]: error getting information about 'pokusak'
Sep  9 09:24:22 purple auth: pam_unix(dovecot:auth): check pass; user unknown
Sep  9 09:24:22 purple auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=pokusak rhost=192.168.140.245
Sep  9 09:24:22 purple auth: pam_succeed_if(dovecot:auth): error retrieving information about user pokusak
/var/log/maillog
Sep  9 09:24:26 purple dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<pokusak>, method=PLAIN, rip=192.168.140.245, lip=192.168.140.245, TLS

I need the same behavior as CentOS 5: get the correct message about Unknown
user or password incorrect (or make the squirrel-plugin write something to
the log). I want to use fail2ban for blocking attacks on the new servers with
CentOS 6 and CentOS 7.

I googled a lot but found no answers to my problem.

Any help will be appreciated.

--
Miroslav Geisselreiter
IT administrator


-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: different version of squirrelmail - different behavior when log-in with wrong username/password

David C. Rankin
On 09/09/2015 02:50 AM, Miroslav Geisselreiter wrote:

> dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
> httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with kernel
> 2.6.18-406.el5.
> When I try to log in to squirrelmail with a bad user or bad password, I get
> the message: Unknown user or password incorrect. The squirrel-plugin writes
> about that to the logfile, and fail2ban reads those bad attempts and does its
> work (I want to use fail2ban for blocking attacks).
>
> New servers:
> CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
> squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
> dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,

Miroslav,

   It looks like the primary difference is:

dovecot-1.0.7-9.el5_11.4
<snip>

New servers:
CentOS 6:
<snip>
dovecot-2.0.9-19.el6.1.x86_64

   If I understand that the problem you have is the difference in reporting a
bad username between Centos 5 & 6, the most likely culprit is the difference in
the way dovecot itself responds between versions 1 & 2.

   I don't have a dovecot 1 box to test, but I would check the dovecot
documentation to see if that is the source of the reporting difference. fail2ban
itself should be capable of working with either

--
David C. Rankin, J.D.,P.E.


Re: different version of squirrelmail - different behavior when log-in with wrong username/password

Miroslav Geisselreiter
On 9.9.2015 at 15:03 David C. Rankin wrote:

> On 09/09/2015 02:50 AM, Miroslav Geisselreiter wrote:
>> dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
>> httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with kernel
>> 2.6.18-406.el5.
>> When I try to log in to squirrelmail with a bad user or bad password, I get
>> the message: Unknown user or password incorrect. The squirrel-plugin writes
>> about that to the logfile, and fail2ban reads those bad attempts and does its
>> work (I want to use fail2ban for blocking attacks).
>>
>> New servers:
>> CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
>> squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
>> dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,
> Miroslav,
>
>     It looks like the primary difference is:
>
> dovecot-1.0.7-9.el5_11.4
> <snip>
>
> New servers:
> CentOS 6:
> <snip>
> dovecot-2.0.9-19.el6.1.x86_64
>
>     If I understand that the problem you have is the difference in reporting a
> bad username between Centos 5 & 6, the most likely culprit is the difference in
> the way dovecot itself responds between versions 1 & 2.
>
>     I don't have a dovecot 1 box to test, but I would check the dovecot
> documentation to see if that is the source of the reporting difference. fail2ban
> itself should be capable of working with either
>
Thank you, David, for the answer.
In the meantime I solved the situation:
I changed the config for the squirrel_logger plugin to also allow logging ERROR
messages and set a filter for fail2ban to catch "ERROR: Connection dropped
by IMAP server". On CentOS 7 it was necessary to edit php.ini and set
date.timezone for my timezone, otherwise the time in the logs was incorrect (two
hours in the past) and fail2ban did not block anything.
This is not the best solution but it works for me, at least for now.

Miroslav.
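
Added example (not part of the original posts): a Python check of the two imap-login log formats quoted in the first message, showing why the Dovecot log alone cannot feed a ban when the login comes through webmail (rip equals lip), and how a two-hour timestamp skew pushes a failure outside the fail2ban time window. The helper names, the third sample line and the 600-second findtime value are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# The two /var/log/maillog lines from the first post (unwrapped), plus one
# constructed line showing a remote client address for comparison.
SAMPLE = [
    "Sep  9 09:18:19 pink dovecot: imap-login: Aborted login: user=<pokusak>, "
    "method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, TLS",
    "Sep  9 09:24:26 purple dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=<pokusak>, method=PLAIN, rip=192.168.140.245, "
    "lip=192.168.140.245, TLS",
    "Sep  9 09:30:00 purple dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=<pokusak>, method=PLAIN, rip=203.0.113.7, "
    "lip=192.168.140.245, TLS",  # constructed
]

# One pattern for both forms: 1.0.x has no "(auth failed, N attempts)" part.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Aborted login(?: \((?P<reason>[^)]*)\))?: user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

def norm(addr):
    """Return the address as text, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def parse(line, year=2015):
    """Parse one maillog line; syslog stamps carry no year, so it is passed in."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "reason": m["reason"],
            "rip": norm(m["rip"]), "lip": norm(m["lip"])}

def usable_for_ban(ev):
    """False when rip is loopback or equals lip: the IMAP client was the
    webmail host itself, so banning rip would block SquirrelMail."""
    rip = ipaddress.ip_address(ev["rip"])
    return not (rip.is_loopback or ev["rip"] == ev["lip"])

def in_findtime(ts, now, findtime=timedelta(seconds=600)):
    """A failure counts only if its timestamp lies within findtime of now."""
    return timedelta(0) <= now - ts <= findtime

if __name__ == "__main__":
    now = datetime(2015, 9, 9, 9, 31, 0)
    for ev in map(parse, SAMPLE):
        print(ev["rip"], ev["reason"], usable_for_ban(ev),
              in_findtime(ev["ts"], now),
              in_findtime(ev["ts"] - timedelta(hours=2), now))
```

Both lines from the thread come out as unusable for banning, which is why the client address has to come from the squirrel_logger log rather than from Dovecot.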


Re: different version of squirrelmail - different behavior when log-in with wrong username/password

Paul Lesniewski
On 9/9/15, Miroslav Geisselreiter <[hidden email]> wrote:

> On 9.9.2015 at 15:03 David C. Rankin wrote:
>> On 09/09/2015 02:50 AM, Miroslav Geisselreiter wrote:
>>> dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
>>> httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with kernel
>>> 2.6.18-406.el5.
>>> When I try to log in to squirrelmail with a bad user or bad password, I get
>>> the message: Unknown user or password incorrect. The squirrel-plugin writes
>>> about that to the logfile, and fail2ban reads those bad attempts and does its
>>> work (I want to use fail2ban for blocking attacks).
>>>
>>> New servers:
>>> CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
>>> squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
>>> dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,
>> Miroslav,
>>
>>     It looks like the primary difference is:
>>
>> dovecot-1.0.7-9.el5_11.4
>> <snip>
>>
>> New servers:
>> CentOS 6:
>> <snip>
>> dovecot-2.0.9-19.el6.1.x86_64
>>
>>     If I understand that the problem you have is the difference in
>> reporting a
>> bad username between Centos 5 & 6, the most likely culprit is the
>> difference in
>> the way dovecot itself responds between versions 1 & 2.
>>
>>     I don't have a dovecot 1 box to test, but I would check the dovecot
>> documentation to see if that is the source of the reporting difference.
>> fail2ban
>> itself should be capable of working with either
>>
> Thank you, David, for the answer.
> In the meantime I solved the situation:
> I changed the config for the squirrel_logger plugin to also allow logging ERROR
> messages and set a filter for fail2ban to catch "ERROR: Connection dropped
> by IMAP server". On CentOS 7 it was necessary to edit php.ini and set
> date.timezone for my timezone, otherwise the time in the logs was incorrect (two
> hours in the past) and fail2ban did not block anything.
> This is not the best solution but it works for me, at least for now.

The best solution would be for you to fix your Dovecot configuration.
Works fine for me:

$ dovecot --version
2.2.16

$ telnet localhost 143
<snip>
A LOGIN [hidden email] asdf
A NO [AUTHENTICATIONFAILED] Authentication failed.
B LOGOUT
* BYE Logging out
B OK Logout completed.
Connection closed by foreign host.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: different version of squirrelmail - different behavior when log-in with wrong username/password

Miroslav Geisselreiter


On 9.9.2015 at 20:33 Paul Lesniewski wrote:

> On 9/9/15, Miroslav Geisselreiter <[hidden email]> wrote:
>> On 9.9.2015 at 15:03 David C. Rankin wrote:
>>> On 09/09/2015 02:50 AM, Miroslav Geisselreiter wrote:
>>>> dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
>>>> httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with kernel
>>>> 2.6.18-406.el5.
>>>> When I try to log in to squirrelmail with a bad user or bad password, I get
>>>> the message: Unknown user or password incorrect. The squirrel-plugin writes
>>>> about that to the logfile, and fail2ban reads those bad attempts and does its
>>>> work (I want to use fail2ban for blocking attacks).
>>>>
>>>> New servers:
>>>> CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
>>>> squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
>>>> dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,
>>> Miroslav,
>>>
>>>      It looks like the primary difference is:
>>>
>>> dovecot-1.0.7-9.el5_11.4
>>> <snip>
>>>
>>> New servers:
>>> CentOS 6:
>>> <snip>
>>> dovecot-2.0.9-19.el6.1.x86_64
>>>
>>>      If I understand that the problem you have is the difference in
>>> reporting a
>>> bad username between Centos 5 & 6, the most likely culprit is the
>>> difference in
>>> the way dovecot itself responds between versions 1 & 2.
>>>
>>>      I don't have a dovecot 1 box to test, but I would check the dovecot
>>> documentation to see if that is the source of the reporting difference.
>>> fail2ban
>>> itself should be capable of working with either
>>>
>> Thank you, David, for the answer.
>> In the meantime I solved the situation:
>> I changed the config for the squirrel_logger plugin to also allow logging ERROR
>> messages and set a filter for fail2ban to catch "ERROR: Connection dropped
>> by IMAP server". On CentOS 7 it was necessary to edit php.ini and set
>> date.timezone for my timezone, otherwise the time in the logs was incorrect (two
>> hours in the past) and fail2ban did not block anything.
>> This is not the best solution but it works for me, at least for now.
> The best solution would be for you to fix your Dovecot configuration.
> Works fine for me:
>
> $ dovecot --version
> 2.2.16
>
> $ telnet localhost 143
> <snip>
> A LOGIN [hidden email] asdf
> A NO [AUTHENTICATIONFAILED] Authentication failed.
> B LOGOUT
> * BYE Logging out
> B OK Logout completed.
> Connection closed by foreign host.
>
You hit it. CentOS 5 and dovecot-1.0.7-9.el5_11.4 config.php for dovecot:
$imapPort               = 993;
$use_imap_tls = true;
Works fine.

But for CentOS 6 and 7 (dovecot-2.0.9-19.el6.1.x86_64,
dovecot-2.2.10-4.el7_0.1.x86_64) I had to change:
$imapPort               = 143;
$use_imap_tls = false;

Mirac.


Re: different version of squirrelmail - different behavior when log-in with wrong username/password

Miroslav Geisselreiter
On 10.9.2015 at 12:08 Miroslav Geisselreiter wrote:

>
>
> On 9.9.2015 at 20:33 Paul Lesniewski wrote:
>> On 9/9/15, Miroslav Geisselreiter <[hidden email]> wrote:
>>> On 9.9.2015 at 15:03 David C. Rankin wrote:
>>>> On 09/09/2015 02:50 AM, Miroslav Geisselreiter wrote:
>>>>> dovecot-1.0.7-9.el5_11.4, php-5.1.6-45.el5_11,
>>>>> httpd-2.2.3-91.el5.centos, fail2ban-0.8.14-1.el5, CentOS 5 with
>>>>> kernel
>>>>> 2.6.18-406.el5.
>>>>> When I try to log in to squirrelmail with a bad user or bad password, I get
>>>>> the message: Unknown user or password incorrect. The squirrel-plugin writes
>>>>> about that to the logfile, and fail2ban reads those bad attempts and does its
>>>>> work (I want to use fail2ban for blocking attacks).
>>>>>
>>>>> New servers:
>>>>> CentOS 6: squirrelmail-1.4.22-4.el6.noarch, plugin
>>>>> squirrel_logger-2.3.1-1.2.7, sendmail-8.14.4-9.el6.x86_64,
>>>>> dovecot-2.0.9-19.el6.1.x86_64, php-5.3.3-46.el6_6.x86_64,
>>>> Miroslav,
>>>>
>>>>      It looks like the primary difference is:
>>>>
>>>> dovecot-1.0.7-9.el5_11.4
>>>> <snip>
>>>>
>>>> New servers:
>>>> CentOS 6:
>>>> <snip>
>>>> dovecot-2.0.9-19.el6.1.x86_64
>>>>
>>>>      If I understand that the problem you have is the difference in
>>>> reporting a
>>>> bad username between Centos 5 & 6, the most likely culprit is the
>>>> difference in
>>>> the way dovecot itself responds between versions 1 & 2.
>>>>
>>>>      I don't have a dovecot 1 box to test, but I would check the
>>>> dovecot
>>>> documentation to see if that is the source of the reporting
>>>> difference.
>>>> fail2ban
>>>> itself should be capable of working with either
>>>>
>>> Thank you, David, for the answer.
>>> In the meantime I solved the situation:
>>> I changed the config for the squirrel_logger plugin to also allow logging ERROR
>>> messages and set a filter for fail2ban to catch "ERROR: Connection dropped
>>> by IMAP server". On CentOS 7 it was necessary to edit php.ini and set
>>> date.timezone for my timezone, otherwise the time in the logs was incorrect (two
>>> hours in the past) and fail2ban did not block anything.
>>> This is not the best solution but it works for me, at least for now.
>> The best solution would be for you to fix your Dovecot configuration.
>> Works fine for me:
>>
>> $ dovecot --version
>> 2.2.16
>>
>> $ telnet localhost 143
>> <snip>
>> A LOGIN [hidden email] asdf
>> A NO [AUTHENTICATIONFAILED] Authentication failed.
>> B LOGOUT
>> * BYE Logging out
>> B OK Logout completed.
>> Connection closed by foreign host.
>>
> You hit it. CentOS 5 and dovecot-1.0.7-9.el5_11.4 config.php for dovecot:
> $imapPort               = 993;
> $use_imap_tls = true;
> Works fine.
>
> But for CentOS 6 and 7 (dovecot-2.0.9-19.el6.1.x86_64,
> dovecot-2.2.10-4.el7_0.1.x86_64) I had to change:
> $imapPort               = 143;
> $use_imap_tls = false;
>
> Mirac.
Correction: I had to change config.php for squirrelmail -
/etc/squirrelmail/config.php (not for dovecot).

