I am configuring web mail honeypot in centOS 6.6 using SquirrelMail, postfix and Dovecot. I need to log all the entered user name and plain text passwords for web mail login.
Modifications done to /etc/dovecot/conf.d/10-logging.conf to log them
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
Dovecot logs are able to log only the failed attempted passwords for existing users. These logs are not able to log any non-existing user password.
Logs:(/var/log/maillog)
User: ryan,
correct Password: 4444,
Entered Password: 1234
Mar 23 01:08:06 localhost dovecot: auth: Debug: pam(ryan,::1): lookup
service=dovecot
Mar 23 01:08:06 localhost dovecot: auth: Debug: pam(ryan,::1): #1/1
style=1 msg=Password:
Mar 23 01:08:09 localhost dovecot: auth: pam(ryan,::1):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: 1234)
Mar 23 01:08:11 localhost dovecot: auth: Debug: client out:
FAIL#0111#011user=ryan
Mar 23 01:08:11 localhost dovecot: imap-login: Aborted login (auth
failed, 1 attempts): user=, method=PLAIN, rip=::1, lip=::1, TLS
Mar 23 01:08:18 localhost dovecot: auth: Debug: auth client connected
(pid=24345)
Mar 23 01:08:18 localhost dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=993#011rport=42375#011resp=AHJ5YW4ANDQ0NA==
Non-existing user:bob, password:1234
Mar 23 02:19:48 localhost dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/auth
Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/auth/libauthdb_ldap.so
Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/auth/libdriver_sqlite.so
Mar 23 02:19:48 localhost dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/auth/libmech_gssapi.so
Mar 23 02:19:48 localhost dovecot: auth: Debug: pam(bob,::1): lookup
service=dovecot
Mar 23 02:19:48 localhost dovecot: auth: Debug: pam(bob,::1): #1/1
style=1 msg=Password:
Mar 23 02:19:50 localhost dovecot: auth: pam(bob,::1): unknown user
Mar 23 02:19:52 localhost dovecot: auth: Debug: client out:
FAIL#0111#011user=bob
Mar 23 02:19:52 localhost dovecot: imap-login: Aborted login (auth
failed, 1 attempts): user=, method=PLAIN, rip=::1, lip=::1, TLS
According to dovecot log documentation, the passwords will be saved as hidden fields if dovecot is using PAM authentication. I was not able to find the failed login username and plain text passwords logs for PAM. I am interested in configuring to log all the entered passwords at dovecot or PAM or squirrelmail or any other related logs to know all the hackers username and password entered into the webmail honeypot . Please let me know if you need any more configuration details. Thank you.