
In my Logwatch logs I found 3 lines that look weird to me; I speculate that they are hacking attempts.

IMAP connect from @ [::ffff:121.183.126.37]DEBUG: Connection, ip=[::ffff:5.102.221.2]: 6 Time(s)

The address 121.183.126.37 is a Korean IP, not ours, and is probably the attacker. The other address, 5.102.221.2, is our IP. I have 3 more similar lines with the same Korean IP but with a different IP of our clients.

IMAP connect from @ [::ffff:2.187.25.14]checkmailpasswd: FAILED: admin - short names not allowed from @ [::ffff:2.187.25.14]DEBUG: Connection, ip=[::ffff:5.102.221.2]: 1 Time(s)

This time a source IP of 2.187.25.14, from an Iranian registrar, and our client IP 5.102.221.2.

IMAP connect from @ [::ffff:2.187.25.14]checkmailpasswd: FAILED: admin - short names not allowed from @ [::ffff:2.187.25.14]IMAP connect from @ [::ffff:5.102.221.2]INFO: LOGIN, user=user@domain.com, ip=[::ffff:5.102.221.2]: 1 Time(s)

I changed the user to user@domain.com.

Can anyone help me understand this? I understand that someone is trying to bruteforce us but how is our IP address involved in this?

Scott Pack

1 Answer


The first couple of lines are remote connections trying to brute-force an attack (all the ones with obviously remote IP addresses).

Do you have a webmail interface on your mailserver? If you do, connections from webmail will show up as from the local IP address. The last entry, which originates from your IP address and uses a user@domain format, is probably someone logging into webmail and getting their password wrong.

(Edited in response to your comment)

Your log files are showing the connecting IP address and the IP address that is being connected to. This is why there is an 'attacking IP' and 'your IP'. This is normal logging syntax for postfix as far as I can tell.

Daniel Lawson
  • About the brute force in the first line, I know that. But 5.102.221.2 is the IP of my client (for sure), so why are there an attacker IP and my client IP in the same line? What does it mean? I have a webmail interface, yes. But still it's the same thing: 1 IP of the attacker and 1 IP of my client. That's what scares me. – Jack Deeds Jul 27 '13 at 02:09
  • So it means that the IP address from Iran is the attacker and it's trying to connect to my client? It makes no sense because it should connect to the server. Did I get it all wrong? – Jack Deeds Jul 27 '13 at 12:24
  • I'm not that familiar with postfix. At a guess, it's actually collapsing multiple lines: you have one IMAP line showing the connection attempt, and one DEBUG line appended to it showing a connection from your client. Your original post suggested that 'your IP' was your server IP, not a client IP, and I misread that. I still think these are unrelated log messages. – Daniel Lawson Jul 27 '13 at 21:06
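The "collapsed lines" explanation from the last comment can be checked directly: each Logwatch line is several separate IMAP log messages glued together, and splitting them back apart shows the remote IP and the client IP belong to different events. This is an added example, not code from the question or the answer; it assumes the four message prefixes visible on the page (IMAP connect from, checkmailpasswd:, DEBUG: Connection, INFO: LOGIN) are the only ones that start an event, and the sample lines are the three quoted in the question.

```python
import re

# Constructed sample input: the three collapsed Logwatch lines quoted in the question.
SAMPLE_LINES = [
    "IMAP connect from @ [::ffff:121.183.126.37]DEBUG: Connection, ip=[::ffff:5.102.221.2]: 6 Time(s)",
    "IMAP connect from @ [::ffff:2.187.25.14]checkmailpasswd: FAILED: admin - short names not allowed "
    "from @ [::ffff:2.187.25.14]DEBUG: Connection, ip=[::ffff:5.102.221.2]: 1 Time(s)",
    "IMAP connect from @ [::ffff:2.187.25.14]checkmailpasswd: FAILED: admin - short names not allowed "
    "from @ [::ffff:2.187.25.14]IMAP connect from @ [::ffff:5.102.221.2]"
    "INFO: LOGIN, user=user@domain.com, ip=[::ffff:5.102.221.2]: 1 Time(s)",
]

# Assumed: every event inside a collapsed line starts with one of these prefixes (taken from the page).
EVENT_START = re.compile(r"(?=IMAP connect from|checkmailpasswd:|DEBUG: Connection,|INFO: LOGIN,)")
# IPv4-mapped IPv6 form "[::ffff:a.b.c.d]" as Courier-style logs print it; plain "[a.b.c.d]" also accepted.
IP_RE = re.compile(r"\[(?:::ffff:)?([0-9.]+)\]")
# Logwatch's trailing repetition count, e.g. ": 6 Time(s)".
COUNT_RE = re.compile(r":\s*(\d+) Time\(s\)$")

KINDS = ("connect", "login_failed", "login", "connection_debug")


def split_events(line):
    """Split one collapsed Logwatch line into (kind, ip, count) tuples, one per original log message."""
    m = COUNT_RE.search(line)
    count = int(m.group(1)) if m else 1
    body = line[: m.start()] if m else line
    events = []
    for chunk in EVENT_START.split(body):      # zero-width split keeps each prefix with its message
        chunk = chunk.strip()
        if not chunk:
            continue
        ip_m = IP_RE.search(chunk)
        ip = ip_m.group(1) if ip_m else None
        if chunk.startswith("checkmailpasswd: FAILED"):
            kind = "login_failed"
        elif chunk.startswith("INFO: LOGIN"):
            kind = "login"
        elif chunk.startswith("IMAP connect from"):
            kind = "connect"
        else:
            kind = "connection_debug"
        events.append((kind, ip, count))
    return events


def summarize(lines):
    """Per-IP tally of event kinds, so the remote IP and the client IP can be compared side by side."""
    tally = {}
    for line in lines:
        for kind, ip, count in split_events(line):
            if ip is not None:
                tally.setdefault(ip, dict.fromkeys(KINDS, 0))[kind] += count
    return tally


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LINES).items():
        print(ip, counts)
```

On the sample, 121.183.126.37 and 2.187.25.14 only ever appear in "connect" and "login_failed" events, while 5.102.221.2 appears only in its own "DEBUG: Connection" and "LOGIN" events, which is what separate, unrelated log messages look like once un-collapsed.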