Bruteforce from 127.0.0.1 with Dovecot / imap.

Wait, wait: it will log the user IP even if brute-force attacks come from 127.0.0.1? 127.0.0.1 is localhost, so this looks like an attack from the server itself, from some website or user account. How will it log the user IP when the user is the server? That's why the brute-force attacks are from the 127.0.0.1 IP. Or am I missing something here or don't understand?

If the attack comes from RoundCube, the Dovecot log registers your local IP (127.0.0.1) because it's a local script. RoundCube is trying to connect to your Dovecot, not the attacker. Since version 0.5 RoundCube also logs the user IP so you can identify it. You must check the RoundCube log (if the attack comes from it) instead of the Dovecot log.
Hmmm, OK, now I understand what you are saying. In that case, I'll have to back up my Roundcube and update to a newer version tomorrow and see what I get as a response in my logs.
 
The brute force attacks come from 127.0.0.1 because RoundCube is attempting the password from your machine. The error logs may show the IP# connecting to RoundCube, which may be what you need to block.

Jeff
 
monit

Do you have monit installed on your machine?
Check if you have a service like this:
"check process dovecot with pidfile ..."

Bye
 
In one of your httpd logs you should find the lines where the attacker was using Roundcube or another webmail. If it was Roundcube, look for "POST /roundcube/"; that is part of the string you will see.
grep "POST /roundcube/" /var/log/httpd/domains/*
should show you all the attempts at Roundcube. If they used the IP address, then you need to use /var/log/httpd/* as well. Not all are attacks; this command will just show you where the attempts to log in to Roundcube were made, and some might have succeeded. You can then match the timestamps from these with the Dovecot log and find the attacker's IP address.
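The timestamp matching described in the post above, done in code. This is an added example, not something from the thread or from the Dovecot or Roundcube projects: it parses a few constructed Apache combined-format lines (the client IPs are documentation addresses) and a few constructed Dovecot syslog lines, keeps only the Dovecot auth failures whose remote IP is 127.0.0.1 (the webmail case), and attributes each failure to the nearest "POST /roundcube/" request within a small time window. It assumes both logs come from the same host with the same clock and that the Dovecot syslog year is supplied by the caller, since syslog lines do not carry one.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). Apache "combined" format,
# as found under /var/log/httpd/domains/*; client IPs are documentation addresses.
HTTPD_LINES = [
    '203.0.113.5 - - [10/Mar/2012:02:14:07 +0000] "POST /roundcube/?_task=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2012:02:14:09 +0000] "POST /roundcube/?_task=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:02:20:30 +0000] "POST /roundcube/?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:02:21:02 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

# Constructed Dovecot syslog lines. rip=127.0.0.1 is what a webmail-originated
# login looks like; the last line is a direct IMAP failure and is deliberately excluded.
DOVECOT_LINES = [
    "Mar 10 02:14:07 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1",
    "Mar 10 02:14:09 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1",
    "Mar 10 02:20:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1",
    "Mar 10 02:25:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.1",
]

HTTPD_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
DOVECOT_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: .*auth failed.*rip=(?P<rip>[\d.]+)")


def parse_httpd_posts(lines, path_prefix="/roundcube/"):
    """Return (timestamp, client_ip) for every POST whose path starts with path_prefix."""
    out = []
    for line in lines:
        m = HTTPD_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith(path_prefix):
            continue
        # Drop the "+0000" zone suffix; both logs are assumed to be in the same local time.
        ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        out.append((ts, m.group("ip")))
    return out


def parse_dovecot_failures(lines, year, rip="127.0.0.1"):
    """Return timestamps of Dovecot auth failures whose remote IP equals rip.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    out = []
    for line in lines:
        m = DOVECOT_RE.match(line)
        if not m or m.group("rip") != rip:
            continue
        out.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return out


def correlate(httpd_lines, dovecot_lines, year, window_seconds=2):
    """Count, per webmail client IP, the local Dovecot auth failures that land
    within window_seconds of that client's nearest POST /roundcube/ request."""
    posts = parse_httpd_posts(httpd_lines)
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for failure in parse_dovecot_failures(dovecot_lines, year):
        candidates = [(abs(ts - failure), ip) for ts, ip in posts if abs(ts - failure) <= window]
        if candidates:
            hits[min(candidates)[1]] += 1  # attribute to the closest request only
    return hits


if __name__ == "__main__":
    for ip, n in correlate(HTTPD_LINES, DOVECOT_LINES, 2012).most_common():
        print(f"{ip}: {n} failed webmail logins")
```

On real logs, feed the output of the grep from the post as `HTTPD_LINES` and the Dovecot lines as `DOVECOT_LINES`; a successful webmail login (the `Login:` line above) produces no failure and so is never attributed, which is the "some might have succeeded" caveat from the post.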