This is a discussion on security: someone using IMAP on my server? in the VPS & Dedicated forum

  1. #1
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16

    security: someone using IMAP on my server?

    Hi,

    I just saw this in my latest logwatch report:

    --------------------- Connections (secure-log) Begin ------------------------

    Connections:
    Service imap:
    127.0.0.1: 1 Time(s)
    218.252.52.39: 3 Time(s)

    ---------------------- Connections (secure-log) End -------------------------

    The IP isn't mine -- it's from Hong Kong. I just banned it in iptables.

    What exactly does the message mean? Did someone use IMAP on my server to send mail? Did they actually log into a mail account via IMAP?

    How would I go about investigating this on my machine? Where would I look?

    Thanks in advance for any help.

  2. #2
    rainboy
    Join Date
    Apr 2006
    Location
    Eindhoven, The Netherlands
    Posts
    546
    Logwatch doesn't show that much information in your log here, so I would look at the original log files for details.

    However, connecting to your IMAP service is possible for everyone; just hope they are not able to authenticate, or then you would have another problem.

    I wouldn't worry too much about this though; it's probably just someone knocking on your IMAP port who got a response from it.

    Kind regards,
    Patrick

  3. #3
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16
    Rainboy, thanks for the help.

    Quote Originally Posted by rainboy
    Logwatch doesn't show that much information in your log here, so I would look at the original log files for details.
    That's what I don't know. What's the mail log file? I'm running CentOS. I guess I can poke in the logwatch source and try to find it.

    Quote Originally Posted by rainboy
    However, connecting to your IMAP service is possible for everyone; just hope they are not able to authenticate, or then you would have another problem.
    I didn't know if the logwatch notification meant that someone *had* authenticated, or if they were merely *trying* to log in. That's the key, and hence my question here.


    Quote Originally Posted by rainboy
    I wouldn't worry too much about this though; it's probably just someone knocking on your IMAP port who got a response from it.

    Kind regards,
    Patrick
    That's what I figured, but I wanted to be sure.

    Thanks again.

  4. #4
    rainboy
    Join Date
    Apr 2006
    Location
    Eindhoven, The Netherlands
    Posts
    546
    Cef,

    I think you need /var/log/maillog for that, not 100% sure though. Otherwise do a grep in /var/log for that IP address and I am sure the correct logfile will pop up.

    Kindest regards,
    Patrick

  5. #5
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16
    Thanks Patrick. I did some digging; it's in /var/log/secure and was written by xinetd.

    I couldn't find the IP referenced in any of exim's logs, so I am assuming that no one got in from that IP and sent mail.

    You're right; I think it was just someone sniffing around.

    Thanks again for the help.

    Charles.
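The triage described in posts #4 and #5 (grep /var/log for the IP, then work out whether the entry in /var/log/secure from xinetd means a mere connection or an actual login) can be scripted. The script below is an added example, not code from the thread or from logwatch. It assumes the CentOS-era setup the thread describes: imapd launched by xinetd, which logs one "START: imap ... from=IP" line per accepted TCP connection to /var/log/secure, and a UW-imapd-style daemon that logs "Login user=NAME host=HOST [IP]" on a successful authentication (normally to /var/log/maillog, so grep both files on a real box). The sample log lines are constructed to match the counts in the original logwatch report; a Dovecot or Courier install logs logins in a different shape and needs its pattern adjusted.

```shell
#!/bin/sh
# Added example, not from the thread. Separates two questions about an IP
# seen in a logwatch "Connections (secure-log)" summary:
#   1. did it open a TCP connection to the IMAP service?  (xinetd START line)
#   2. did it complete an IMAP login?                     (imapd Login line)
# Assumptions: imapd under xinetd with syslog logging (xinetd START/EXIT
# lines are its standard log_on_success format); the "Login user=... [IP]"
# line is UW-imapd style and is an assumption about the daemon in use.
# The log lines below are constructed sample data in that shape.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Apr 10 03:12:01 host xinetd[2210]: START: imap pid=2455 from=218.252.52.39
Apr 10 03:12:01 host xinetd[2210]: EXIT: imap pid=2455 duration=0(sec)
Apr 10 03:12:04 host xinetd[2210]: START: imap pid=2458 from=218.252.52.39
Apr 10 03:12:04 host xinetd[2210]: EXIT: imap pid=2458 duration=0(sec)
Apr 10 03:12:09 host xinetd[2210]: START: imap pid=2461 from=218.252.52.39
Apr 10 03:12:10 host xinetd[2210]: EXIT: imap pid=2461 duration=1(sec)
Apr 10 08:41:33 host xinetd[2210]: START: imap pid=3102 from=127.0.0.1
Apr 10 08:41:33 host imapd[3102]: Login user=charles host=localhost [127.0.0.1]
Apr 10 08:42:10 host imapd[3102]: Logout user=charles host=localhost [127.0.0.1]
EOF

# Escape the dots so the IP matches literally inside a grep regex.
ip_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Count accepted IMAP connections from IP $2 in log $1 (xinetd START lines).
# grep -c exits 1 when the count is 0, so "|| true" keeps the count printable.
imap_connections() {
    grep -c "xinetd\[[0-9]*\]: START: imap .*from=$(ip_regex "$2")\$" "$1" || true
}

# Count completed IMAP logins from IP $2 in log $1 (daemon Login lines).
imap_logins() {
    grep -c "imapd\[[0-9]*\]: Login user=.*\[$(ip_regex "$2")\]" "$1" || true
}

# Verdict for IP $2 in log $1: LOGIN means a mailbox was actually accessed,
# CONNECT_ONLY means the port was probed but no login completed,
# NONE means the IP does not appear at all.
triage_ip() {
    conns=$(imap_connections "$1" "$2")
    logins=$(imap_logins "$1" "$2")
    if [ "$logins" -gt 0 ]; then
        echo LOGIN
    elif [ "$conns" -gt 0 ]; then
        echo CONNECT_ONLY
    else
        echo NONE
    fi
}

# Run the triage for the two IPs from the logwatch report.
for ip in 218.252.52.39 127.0.0.1; do
    printf '%s connections=%s logins=%s verdict=%s\n' "$ip" \
        "$(imap_connections "$LOG" "$ip")" "$(imap_logins "$LOG" "$ip")" \
        "$(triage_ip "$LOG" "$ip")"
done
```

On a live box, point the functions at /var/log/secure for the connection count and at /var/log/maillog for the login count (or at a concatenation of both), and treat a CONNECT_ONLY verdict with many short-duration EXIT lines as the port scan or banner grab the thread concludes this was; a LOGIN verdict from an unfamiliar address is the case that needs a password reset and a look at exim's logs for outbound mail.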
