Re: pam problem

2012-05-20 Thread Brian
On Sat 19 May 2012 at 15:04:28 -0600, Glenn English wrote: > > On May 19, 2012, at 2:35 PM, Camaleón wrote: > > > You can also run rkhunter to scan your system. > > Done. It says: > > > File properties checks... > > Files checked: 128 > > Suspect files: 0 > > > > Rootkit checks... >

Re: pam problem

2012-05-20 Thread Camaleón
On Sun, 20 May 2012 09:40:02 -0600, Glenn English wrote: > On May 20, 2012, at 4:55 AM, Camaleón wrote: > You can also run rkhunter to scan your system. > > rkhunter may not have found any rootkits, but it found a couple inetd > entries it didn't care for. I had ident turned on, and it does

Re: pam problem

2012-05-20 Thread Glenn English
On May 20, 2012, at 4:55 AM, Camaleón wrote: >>> You can also run rkhunter to scan your system. rkhunter may not have found any rootkits, but it found a couple inetd entries it didn't care for. I had ident turned on, and it doesn't like Amanda, my backup. > 1/ Monitor the Fail2ban logs to ch

Re: pam problem

2012-05-20 Thread Camaleón
On Sat, 19 May 2012 15:04:28 -0600, Glenn English wrote: > On May 19, 2012, at 2:35 PM, Camaleón wrote: > >> You can also run rkhunter to scan your system. > > Done. It says: > > File properties checks... > Files checked: 128 > Suspect files: 0 > > Rootkit checks... > Rootkits chec

Re: pam problem

2012-05-20 Thread Camaleón
On Sat, 19 May 2012 14:59:19 -0600, Glenn English wrote: > On May 19, 2012, at 2:35 PM, Camaleón wrote: > >> Is your Dovecot publicly accessible? > > Yes. Okay, then the attacks make more sense. What still worries me is the empty (yet unknown) IP address of the machine from where this is comi

Re: pam problem

2012-05-19 Thread Glenn English
On May 19, 2012, at 2:35 PM, Camaleón wrote: > You can also run rkhunter to scan your system. Done. It says: > File properties checks... > Files checked: 128 > Suspect files: 0 > > Rootkit checks... > Rootkits checked : 110 > Possible rootkits: 0 > > Applications checks... >

Re: pam problem

2012-05-19 Thread Glenn English
On May 19, 2012, at 2:35 PM, Camaleón wrote: > Is your Dovecot publicly accessible? Yes. > I also get login tries in my Cyrus > coming from the outside, they're usually from automated bots running on > zombie Windows machines... if that's the case, you can apply counter-measures > to cut these

Re: pam problem

2012-05-19 Thread Camaleón
On Sat, 19 May 2012 14:05:41 -0600, Glenn English wrote: > I am getting many, many entries in auth.log like these: > > /var/log/auth.log:May 17 13:31:14 server dovecot-auth: > pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 > tty=dovecot ruser=webmaster rhost= > /var/log/