2015-03-23

I am configuring a webmail honeypot on CentOS 6.6 using SquirrelMail, Postfix and Dovecot. I need to log all the entered user names and plain-text passwords for webmail login.

Modifications made to /etc/dovecot/conf.d/10-logging.conf to log them:

auth_verbose = yes

auth_debug_passwords = yes

auth_verbose_passwords = plain

The Dovecot logs are able to log only the failed attempted passwords for existing users. These logs are not able to log any password for a non-existing user.

Logs (/var/log/maillog):

User: ryan,
correct Password: 4444,
Entered Password: 1234

Mar 23 01:08:06 localhost dovecot: auth: Debug: pam(ryan,::1): lookup service=dovecot

Mar 23 01:08:06 localhost dovecot: auth: Debug: pam(ryan,::1): #1/1 style=1 msg=Password:

Mar 23 01:08:09 localhost dovecot: auth: pam(ryan,::1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: 1234)

Mar 23 01:08:11 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=ryan

Mar 23 01:08:11 localhost dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=::1, lip=::1, TLS

Mar 23 01:08:18 localhost dovecot: auth: Debug: auth client connected (pid=24345)

Mar 23 01:08:18 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=993#011rport=42375#011resp=AHJ5YW4ANDQ0NA==

Non-existing user: bob, password: 1234

Mar 23 02:19:48 localhost dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth

Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/auth/libauthdb_ldap.so

Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/auth/libdriver_sqlite.so

Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/auth/libmech_gssapi.so

Mar 23 02:19:48 localhost dovecot: auth: Debug: pam(bob,::1): lookup service=dovecot

Mar 23 02:19:48 localhost dovecot: auth: Debug: pam(bob,::1): #1/1 style=1 msg=Password:

Mar 23 02:19:50 localhost dovecot: auth: pam(bob,::1): unknown user

Mar 23 02:19:52 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=bob

Mar 23 02:19:52 localhost dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=::1, lip=::1, TLS

According to the Dovecot logging documentation, the passwords will be saved as hidden fields if Dovecot is using PAM authentication. I was not able to find the failed login user names and plain-text passwords in the logs for PAM. I am interested in configuring Dovecot, PAM, SquirrelMail or any other related logs to record all the entered passwords, so that I know every user name and password the hackers entered into the webmail honeypot. Please let me know if you need any more configuration details. Thank you.
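Added example, not part of the original post: the `client in: AUTH ... resp=` debug line in the excerpt carries the SASL PLAIN initial response as base64, so it can be decoded into a user name and password alongside the `(given password: ...)` failure lines. The sample log is constructed from the excerpt; the `bob` AUTH line and the function name `parse_attempts` are assumptions, including that Dovecot writes that debug line for unknown users as it does for `ryan`.

```python
import base64
import re

# Constructed sample in the post's maillog format; the "bob" AUTH line is an assumption.
SAMPLE_LOG = """\
Mar 23 01:08:09 localhost dovecot: auth: pam(ryan,::1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: 1234)
Mar 23 01:08:18 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=993#011rport=42375#011resp=AHJ5YW4ANDQ0NA==
Mar 23 02:19:47 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=993#011rport=42380#011resp=AGJvYgAxMjM0
Mar 23 02:19:50 localhost dovecot: auth: pam(bob,::1): unknown user
"""

TS = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*"
AUTH_RE = re.compile(TS + r"auth: Debug: client in: AUTH(?P<fields>.*)$")
GIVEN_RE = re.compile(TS + r"auth: \w+\((?P<user>[^,)]*),(?P<rip>[^)]*)\): "
                           r".*\(given password: (?P<pw>.*)\)$")

def parse_attempts(log_text):
    """Return one dict per credential found: ts, source, user, password, rip."""
    attempts = []
    for line in log_text.splitlines():
        m = GIVEN_RE.match(line)
        if m:  # passdb failure line; per the post, only seen for existing users
            attempts.append({"ts": m["ts"], "source": "passdb-failure",
                             "user": m["user"], "password": m["pw"], "rip": m["rip"]})
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        # syslog escapes the TAB field separator as "#011"
        parts = re.split(r"#011|\t", m["fields"])
        kv = dict(p.split("=", 1) for p in parts if "=" in p)
        if len(parts) < 3 or parts[2] != "PLAIN" or "resp" not in kv:
            continue  # other mechanisms, or no initial response on this line
        try:
            # SASL PLAIN (RFC 4616): authzid NUL authcid NUL password
            raw = base64.b64decode(kv["resp"], validate=True)
            _authzid, user, pw = raw.split(b"\0", 2)
        except ValueError:  # redacted or malformed resp value
            continue
        attempts.append({"ts": m["ts"], "source": "sasl-plain",
                         "user": user.decode("utf-8", "replace"),
                         "password": pw.decode("utf-8", "replace"),
                         "rip": kv.get("rip", "")})
    return attempts

if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(attempt)
```

Only a PLAIN initial response carried on the `AUTH` line is decoded; a response sent in a later continuation line is not handled here.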
