Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: leonplk on December 16, 2024, 02:46:34 PM
-
Hello, all.
I see lines like the following in /var/log/secure:
Dec 16 15:38:08 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=support rhost=127.0.0.1
Dec 16 15:37:40 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=soporte rhost=127.0.0.1
and many other stupid ruser names.
After 2 days of struggling to understand where this comes from, also with ChatGPT's help, I give up - I can't find the source IP of the attacker to block him.
Can someone more experienced help me with this?
Many thanks.
-
Look in qpsmtpd or sqpsmtpd logs at those times.
Install https://wiki.koozali.org/Fail2ban
-
> ChatGPT
For debugging Koozali SME it is probably worse than useless as it doesn't understand properly about events, actions and templates. Koozali is not quite a standard Linux server. Treat the information ChatGPT gives you with extreme caution. My web dev tried it and half broke my server before his changes were lost again on a reconfigure.
You are better off searching and reading here, and the wiki. This has been answered many times before (so much for ChatGPT then.....)
Logs for your incoming mail are here:
/var/log/qpsmtpd/current
Best thing to use is Geoip to block the worst offenders.
-
Thousands of thanks!!
It worked - my fail2ban was missing the correct sqpsmtpd configuration!
The main issue was with the time stamp - I needed to convert it from tai64n...
Now all works (with the help of ChatGPT - I taught it to remember that this is SME10).
Thanks a lot again!
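
Added example, not part of the original post and not SME Server's own tooling: the tai64n conversion mentioned above, used to line up the /var/log/secure failures (which only show rhost=127.0.0.1) with client IPs in the qpsmtpd log. The qpsmtpd lines are constructed and simplified, the function names are hypothetical, and it assumes the server clock is UTC and the year is 2024.

```python
import re
from datetime import datetime, timezone

TAI_OFFSET = 2**62 + 10  # constant tai64nlocal subtracts; later leap seconds ignored
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def tai64n_to_unix(label):
    """Convert '@' + 24 hex digits (16 seconds, 8 nanoseconds) to Unix time."""
    hexpart = label.lstrip("@")
    if len(hexpart) != 24:
        raise ValueError(f"not a TAI64N label: {label!r}")
    return int(hexpart[:16], 16) - TAI_OFFSET + int(hexpart[16:], 16) / 1e9

def syslog_to_unix(line, year):
    """Parse the 'Mon DD HH:MM:SS' prefix; syslog omits the year."""
    stamp = " ".join(line.split()[:3])
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()  # assumption: clock is UTC

def candidates(secure_lines, qpsmtpd_lines, year, window=5):
    """Map each failed ruser to client IPs qpsmtpd logged within `window` seconds."""
    conns = []
    for line in qpsmtpd_lines:
        match = IP_RE.search(line)
        if line.startswith("@") and match:
            conns.append((tai64n_to_unix(line.split()[0]), match.group(1)))
    found = {}
    for line in secure_lines:
        user = re.search(r"ruser=(\S*)", line)
        if "authentication failure" not in line or not user:
            continue
        t = syslog_to_unix(line, year)
        near = {ip for ts, ip in conns if abs(ts - t) <= window}
        found.setdefault(user.group(1), set()).update(near)
    return {u: sorted(ips) for u, ips in found.items()}
# The two /var/log/secure lines quoted in the thread.
SECURE = [
    "Dec 16 15:38:08 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=support rhost=127.0.0.1",
    "Dec 16 15:37:40 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=soporte rhost=127.0.0.1",
]
# Constructed, simplified qpsmtpd-style lines; IPs are documentation addresses.
QPSMTPD = [
    "@4000000067603b5a00000000 4100 Connection from Unknown [192.0.2.10]",
    "@400000006760494d1dcd6500 4242 Connection from Unknown [198.51.100.7]",
    "@40000000676049681dcd6500 4243 Connection from Unknown [203.0.113.45]",
]

if __name__ == "__main__":
    print(candidates(SECURE, QPSMTPD, year=2024))
```

A wider `window` yields more candidate IPs per failure on a busy server, so treat the output as a shortlist to confirm against the full qpsmtpd session lines before banning anything.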
-
> the help of ChatGPT
Like I said before - with Koozali just don't.
You don't know enough to know if it is telling you the truth or lying convincingly......
The latter will get you in big trouble one day.