DNS Inspection Denial of Service Vulnerability check

Hi Everyone,
I am checking this cisco link ---http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa for
DNS Inspection Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the
show running-config access-list <acl_name>
command where
acl_name
is the name of the access-list used in the
class-map
to which the DNS inspection is applied.
This can be found by using the
show running-config class-map
and
show running-config policy-map
commands.
The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
ciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit tcp any any
ORciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit ip any any
ciscoasa# show running-config class-map
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
ciscoasa# show running-config policy-map
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
class DNS_INSPECT_CP
  inspect dns preset_dns_map
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
show running-config policy-map
DNS Inspection Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name>
command where acl_name
is the name of the access-list used in the class-map
to which the DNS inspection is applied.
This can be found by using the show running-config class-map
and show running-config policy-map
commands.
The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
ciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit tcp any any
ORciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit ip any any
ciscoasa# show running-config class-map
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
ciscoasa# show running-config policy-map
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
class DNS_INSPECT_CP
  inspect dns preset_dns_map
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
I check my asa and ran the command
show running-config policy-map
policy-map global_policy
class inspection_default
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
  inspect http
  inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map map
class inspection_default
Does this confirm that this asa is vulnerabile?
Regards
Mahesh

Hi,
The post says this
Cisco ASA Software is affected by this vulnerability if the DNS  Application Layer Protocol Inspection (ALPI) engine is configured to  inspect DNS packets over TCP.
So it says that if the ASA is configured to inspect DNS over TCP then its vulnerable.
It also says
Note:Cisco ASA Software will not inspect DNS packets over TCP by default.
And it seems you have not made any special configurations related to DNS inspection therefore your ASA should not be inspecting DNS that is using TCP therefore it should not be vulnerable. Atleast that is how it seems to me.
- Jouni

Similar Messages

  • DNS Inspection Denial of Service Vulnerability

    Advisory ID: cisco-sa-20131009-asa
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
    I have a Pix running version 8.0.4 with the following configuration:
    inside interface:      192.168.231.254/255.255.255.0
    outside interface:     10.100.2.254/255.255.255.0
    no nat-control
    access-list test permit ip any any log
    access-group test in interface outside
    access-group test in interface inside
    I have a window 2008R2 residing on the Internal interface of the firewall.  The domain controller resides on the outside interface of the firewall.
    I went ahead and implement the change recommended by Cisco
    access-list DNS_INSPECT extended permit udp any any
    class-map DNS_INSPECT_CP
       match access-list  DNS_INSPECT
    policy-map global_policy
       class DNS_INSPECT_CP
         inspect dns preset_dns_map
    However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.
    on the log of the firewall I see this:
    Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    I even change the DNS maximum length to 8192 but it still does not work. 
    I remove the recommendation from the configuration, everything works fine after that.
    Anyone knows why?
    Thanks in advance

    Julio Carvajal wrote:U do not have this command right available at the CLI rightmessage-length maximum client auto
         I do
    CiscoPix# sh run policy-map
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1024
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect sqlnet
      inspect dns preset_dns_map
    class class_sunrpc_tcp
      inspect sunrpc
    class DNS_INSPECT_CP
      inspect dns preset_dns_map
    CiscoPix#
    Julio Carvajal wrote: Then clear-local host try one more time and provide the logs.Note:access-list test permit ip any any logaccess-group test in interface outsideaccess-group test in interface insideThat ACL means u have no firewall in place
    I am very aware of this.  At this point, it does not matter, it just want the firewall to function like a routing device.
    It still does NOT work.  Here is the log:
    Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
    Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
    Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

  • CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability

    Hi Everyone,
    ASA is configured with ikev2 and below is config
    5520# show running-config crypto ikev2 | include enable
    crypto ikev2 enable outside client-services port 443
    5520# show running-config crypto map | include interface
    crypto map outside_map interface outside
    I checked below weblink
    CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability
    Not Affected
    Not Affected
    Not Affected
    8.4(7.15)
    Not Affected
    8.6(1.14)
    Not Affected
    9.0(4.8)
    9.1(5.1)
    Not Affected
    Not Affected
    https://tools.cisco.com/bugsearch/bug/CSCum96401
    ASA which i am running has version Cisco Adaptive Security Appliance Software Version 8.4(7)
    sh flash shows
    asa847-k8.bin
    Need to confirm if my ASA is not effected by this bug?
    Regards
    MAhesh

    Hi Mahesh,
    Your ASA code  (asa847-k8.bin) is affected by this Bug, recommended release is 8.4(7.23) and later.
    this bug is first fixed in 8.4(7.15).
    Thanks,
    Prashant Joshi

  • Cisco works LMS 4.0 ,Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability

    Cisco works LMS 4.0 ,Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
    This vulnerability has been fixed in release apache 2.2.20 and further corrected
    in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
    legacy 2.0.65 release,
    Can any one give the steps to upgrade the apache http server 2.2.10 to 2.2.21 in windows 2008 server?

    For the following PSIRT:
    http://www.cisco.com/en/US/products/csa/cisco-sa-20110830-apache.html
    Download the following patch "lms40-win-Oct2011-su1-0.zip" :
    http://www.cisco.com/cisco/software/release.html?mdfid=283434800&flowid=19062&softwareid=280775103&os=Windows&release=4.0&relind=AVAILABLE&rellifecycle=&reltype=latest
    The instructions should be in the zip file how to install the patch.
    This should cover all theses bugs that you can query in the bug tool kit:
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    CSCte45565
    CSCto12712
    CSCto23584
    CSCto23622
    CSCto35544
    CSCto35577
    CSCtq48990

  • Java Hash Collision Denial Of Service Vulnerability

    There is Java Hash Collision Denial Of Service Vulnerability according to these sources:
    http://tomcat.10.n6.nabble.com/SECURITY-Apache-Tomcat-and-the-hashtable-collision-DoS-vulnerability-td2405294.html
    http://www.nruns.com/_downloads/advisory28122011.pdf
    http://www.securityfocus.com/bid/51236
    It mentions that Oracle is not going to release the fix for Java. Does anyone knows if Oracle has any plan to release the fix or intend to ever fix it or not?
    Thanks,
    kymeng
    Edited by: user6992787 on Feb 10, 2012 12:08 PM

    I don't really see this as an Oracle problem - more a Tomcat problem. Any collection algorithm will have limitations and in this case the Tomcat team use the Java hashtable to make use of the O(1) performance when the hashes of the keys are effectively random and have accepted the possible worst case O(n^2) performance. Either they should have used a TreeMap with O(nlogn) performance OR they should create their own implementation of Map that that does not permit the DOS attack.
    I have never done any performance comparisons between HashMap and TreeMap but for many years now I pretty much always use a TreeMap since I rarely find performance a significant problem (of course I don't write high throughput applications such as Tomcat). I don't really see how Oracle should be involved in this problem; maybe the Tomcat team should be doing performance comparisons and/or research into algorithms that do not allow this DOS.

  • Denial of Service Vulnerability

    Jdeveloper 11.1.1.4
    We had an security audit on our ADF application and one of the vulnerabilities found was a XML recursive Entity Expansion vulnerability from the login button.   AKA Billion laughs DoS attack. 
    The parser used is
    weblogic.xml.jaxp.RegistryDocumentBuilder
    Weblogic jvm is configured with these paramters
    org.xml.sax.driver=weblogic.xml.jaxp.RegistryXMLReader
    org.xml.sax.parser=weblogic.xml.jaxp.RegistryParser
    Is there a weblogic configuration parameter that can be set to limit entity expansion?
    weblogic.xml.jaxp.RegistryDocumentBuilder parse method is called from DefaultMarshalingService
    Which expands this DOCTYPE entity to 300,000 characters
    <!DOCTYPE foo [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>&lol5;</s></k></m>
    Details of the vulnerabiltiy
    1 Unrestricted XML
    Entity Expansion
    CVSS: 7.1
    Risk: High
    The XML parser used by the application to process input fields allows user-supplied
    document type declarations (DTDs). Consequently, an attacker can abuse this feature
    to cause a denial service condition on the web server through the use of XML entity
    expansion attacks.
    An example modified request with the exploit inserted in red.
    =&org.apache.myfaces.trinidad.faces.FORM=loginForm&javax.faces.ViewState=!4
    i0dvg2x&oracle.adf.view.rich.DELTAS={d1%3a%3amsgDlg%3d{titleIcon
    Source%3dhttps%3a//11.254.250.200/app/afr/error.png,title%3dEr
    ror}}&event=loginBtn&event.loginBtn=<!DOCTYPE+foo+[<!ENTITY+lol+
    "lol"><!ENTITY+lol1+"%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%
    3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b"><!ENTITY+lol2+"
    %26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26l
    ol1%3b%26lol1%3b%26lol1%3b%26lol1%3b"><!ENTITY+lol3+"%26lol2%3b%
    26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lo
    l2%3b%26lol2%3b%26lol2%3b"><!ENTITY+lol4+"%26lol3%3b%26lol3%3b%2
    6lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol
    3%3b%26lol3%3b"><!ENTITY+lol5+"%26lol4%3b%26lol4%3b%26lol4%3b%26
    lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4
    %3b">]><m+xmlns%3d"http%3a//oracle.com/richClient/comm"><k+v%3d"
    type"><s>%26lol5%3b</s></k></m>
    The following screenshot demonstrates that the above login request takes
    approximately 20 times longer to process than a normal login request. With
    additional entity expansions, an attacker could bring down the web server
    completely.
    Best Practice
    Configure the XML parser to not process DTDs in the <!DOCTYPE> declaration. In addition, URI
    resolution should be disabled to prevent against external entity attacks and denial of service
    conditions caused by hanged requests.
    This issue appears to be a vulnerability in Oracle’s Application Development Framework (ADF). If
    that is the case, consider using a web application firewall to block malicious requests until Oracle
    issues a patch.

    Don, I'm not sure that there is a parameter to do this. However you can do it in java like outlinded here https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing or https://gist.github.com/Prandium/dee14ea650ff7900f2c0
    One other way is to implement a servelet filter which scans all parameters and rejects all xxe typ parameters.
    Timo

  • CSCui88426 - Cisco IOS Software IKEv2 Denial of Service Vulnerability

    Hi! I would appreciate if anyone can confirm for below.
    For the routers using IPSEC tunnels with ISAKMP enabled (without any IKEv2 config),  can the attacker exploit this vulnerability by sending malformed IKEv2 packets?
    Both initiator and responder must have IKEv2 config to be able to trigger this vulnerability? We have many routers using IPSEC tunnels with IKEv1 and not sure whether this vulnerability is affected or not.
    Thanks & Regards,

    A device does not need to be configured with any IKEv2-specific features to be vulnerable?

  • Xerver Multiple Request Denial of Service Vulnerability

    I developed my appln on JDev10.1.2 with Java and JSP and deployed it onto embeded OC4J. It was released on production and it is avilable to people working within our company network. We want it to be avilable for the public, so we wanted to open the firewall. But, our web admin told that the PCI scan found a vulenrability on the OC4J server. The webserver we use is Xerver. Please let me know if we can find any patch for this server to resolve the issue. Please help me as I need to resolve this ASAP.
    Thanks.

    Viani,
    I, of course, was being tongue-in-cheek... anyway, are you looking for a patch to OC4J or for Xerver? I've not run into anyone on this forum using Xerver. If you're looking for OC4J information, you may have better luck on the OC4J forum: OC4J
    Regards,
    John

  • CSCum76937 - CUCM Distributed denial-of-service vulnerability on NTP server

    I'd request that the built-in iptables on the CUCM, which we users can't adjust at all, could be autoadjusted by the CUCM itself to remove this DDOS vector, namely by restricting NTP to/from the CUCM only to these hosts:
       the NTP server(s) it talks with, as configured in 'System>Phone NTP Reference'
       the device(s) subscribed to it, who get their time from it.
    why can that not be done?

    thanks, Wes--that response helps to frame the sometime-conflicting tensions between preserving performance and providing security.
    I've been thinking about that, and the really excellent Cymru 'secure NTP template' (see
    http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html)
    , trying to think about what could be done to offer better protection from the NTP attacks with less dynamicness, thinking that it's still important to offer something--all of my CUCMs that are outside firewalls have been attacked and participated in NTP-amplification attacks--and offer these suggestions as to things that the iptables might be leveraged to protect the CUCM, and at least as importantly everyone else FROM the CUCM, in a more static way:
    * turn off control queries TO the CM--these are the vector into the CM that results in the amplification DDOS
    * permit NTP into the CM only from the configured NTP servers the CM is using--yes, that's slightly 'dynamic', but will only occur infrequently and can be discretely done--scale is very small.
    * the remaining really-dynamic part would be "only serve ntp to configured clients", and I can (reluctantly) understand why you push back on that.  but if the first two points could be provided for, particularly the control-query filter which is the vector for at least the present threat, that's a huge improvement now.
    the Cyrmu template under Unix NTP endsystems has some useful suggestions that could be adapted for CUCM iptables:
    (quote from Cyrmu):
    You can use your standard host firewall filtering capabilities to limit who the NTP process talks to.  If you're using Linux and the host is acting as an NTP client only, the following iptables rules could be adapted to shield your NTP listener from unwanted remote hosts.
    -A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j
    (end quote)

  • Is there any way to harden Dovecot against POP/IMAP denial of service attacks?

    It doesn’t happen very often, but every so often a script kiddie on the Internet hits Dovecot's POP ports on our mail server hard enough to bring mail service to a crawl such that legit users can’t log in to retrieve their mail.  I would say that with our 2.66GHz Intel Core 2 Duo Mac Mini Server, when we receive sustained POP login attacks that exceed ten logins per second, then eventually Dovecot gets swamped with so many requests that legit users are excluded.  [Our server runs runs OS X Server 10.6.8-10K549, by the way, and Dovecot 1.1.2apple0.5 is installed as determined by running “dovecotd --version”.  We keep the mail sever up to date with all available Apple software updates on a weekly basis, so we have the latest and greatest security updates.]
    Here’s the problem: I’ve been studying the Dovecot 1.x Wiki at http://wiki1.dovecot.org/ and finding a number of parameters that *sort* of address this denial-of-service vulnerability, but none that appear to harden Dovecot in a similar fashion as ssh or sftp are hardened.  By this, I mean that when ssh or sftp detect multiple login attempts originating from the same address above some threshold, then future login attempts are ignored for a solid fifteen minutes no matter what the login name was in the attempts.  I’d like something similar for Dovecot.
    I am aware of the “mail_max_userip_connections” setting which can be set independently for POP and IMAP service (see http://wiki1.dovecot.org/MainConfig?highlight=%28mail_max_userip_connections%29).  This almost does what I want in that it indeed restricts the number of logins for a particular user coming from a single IP address.  The problem is that the script kiddies typically scatter their attacks over hundreds of different login names and they may only attempt three or four logins per user name.  What I really want is a parameter which starts to ignore logins no matter what the user name if too many come from a single IP address at the same time.  Against this, I also need to balance my mail server restrictions to allow perhaps five or ten of my users with laptops to be behind a remote firewall, so all of their legit logins may hit my server perhaps three to ten at a time which could potentially look like an attack if my tuning parameter is set too low.  What I’d really like to find is a tuning parameter that excludes concerted attacks without excluding my legitimate users.  I also don’t want to invest in extremely expensive (>$10,000) “smart” firewalls that adaptively look for this type of attack, such as are offered by Netgear and other networking equipment manufacturers.
    By examining /etc/dovecot/dovecot.conf on my mail server, it seems that Apple’s defaults are to set IMAP mail_max_userip_connections to 20, and for POP to leave the mail_max_userip_connections parameter commented out.  Would there be any downside to enabling POP's mail_max_userip_connections to 20 as well?  Offhand I can’t see how this would affect my users.  Unfortunately, I also think that if I set the POP mail_max_userip_connections to 20 this won’t have any effect on the attackers since they typically won’t try 20 different passwords for the same login name in a given attack.  I’ll post a segment of a log showing an actual attack that occurred today from the San Bernadino School District that I’ve since blocked in my network’s firewall, but it will illustrate the type of hard-core denial-of-service attack that I’m referring to.  The login attempts were coming in fast, around forty-per-second, and my mail service went down in a matter of minutes as a result.  [Yes: I will report this user…  I haven’t gotten around to it yet with other issues.]
    Any thoughts?

    Here’s a ten second snippet from my mail server's log, showing how intense the login frequency was from the attacker, and also how (s)he was "scattering" the login names used which I suspect would be quite hard to filter out using POP's mail_max_userip_connections parameter.  The attack lasted from 1:43:39 through a server restart at 1:50:18, and even about a minute later.  The attack stopped at 1:51:36 before I was able to add a firewalling rule to my router or to exclude logins from the 163.150/16 subnet from my router [FYI — that's the San Bernadino Country School District, according to http://whois.arin.net/rest/net/NET-163-150-0-0-1/pft ].
    Any thoughts on how to block this type of POP attack in Dovecot?
    [FYI — I changed my actual server name to 'myserver' and the actual admin name to 'Administrator'.]
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](pwrchute,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(pwrchute,163.150.246.27): lookup failed for user: pwrchute
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](pwrchute,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(pwrchute,163.150.246.27): lookup failed for user: pwrchute
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:46 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
    Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail

  • DNS Inspect on FWSM module

    We picked up a strange problem on the FWSM . DNS Queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work .
    DNS INSPECT on the Firewalls had to be turned off & DNS tests were fired again to get this working .  Is this a know problem or do we have a workaround instead of disabling the INSPECT feature .

    With the introduction of DNSsecurity large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall when we changed from the fixed size of 512 Bytes to Auto.
    The FWSM was left behind because it was either way going to be replaced by the ASA-SM.
    I remember this issue when the Windows Server 2008 came out.
    I would rather check exactly why the packet is being dropped with the logs rather than doing any suggestions.
    Mike

  • WRT55AG - Denial Of Service / security hole, and other issues

    Im using a V2 of the WRT55AG using 1.79 firmware.
    I suffered many perplexing issues when connected directly to my cable modem.
    1 It would lock up and no data transversed it
    2 Its web interface would no longer exist
    3 Some types of data would be blocked
    4 It would stop doing DHCP
    5 Ping times to it from the LAN side would increase in 1 minute intervals for hours or until power cycled
    6 Data rates would slow randomly.
    These problems would occur separately and in combinations. They would occur randomly but some issues would occur daily.
    Left alone the router would 100% lock up in a matter of days. This occurred 100% of the time.
    Rebooting was a daily and sometimes hourly ritual.
    After reading in many forums of the known issues with this router I purchased a BEFSR41 as replacement.
    ALL of my problem were gone. This of course isolated the issues I was having to the WRT55AG.
    I then hooked up the WRT55AG _after_ the BEFSR41.
    The problems with the WRT55AG disappeared. Completely. It suddenly worked for weeks perfectly.
    I then tried setting the BEFSR41's DMZ to the IP of the WRT55AG exposing the WRT55AG to the net directly.
    The issues returned.
    So the WRT55AG is crashing and suffering from various problems because of some hostile internet packets. Effectively it suffers major security issues and a denial of service from something that is present from the internet. I did not isolate what ports+packets were causing the DOS condition.
    Im sure the WRT55AG has some code that is vulnerable to attack because it crashes when exposed to the net. This is a serious issue.
    This is a sad state of affairs. I paid good money for the router. Its too late to get my money back. I would settle for a 802.11A WAP.
    I want a *FIX* for the obvious security hole that could expose anyone on the LAN side of the wrt55AG router to attack if the router/firewall is compromised. I want my WRT55AG to work as intended or at least as well as the BEFSR41 I own.
    I also feel if the source code was still open, then these problems would not exist. At the very least, some other 3rd party version of firmware would be available that would work in the router and any issue would get prompt attention and a quick solution from a open source team. The decision by Linksys to move away from open source firmware will erode the quality of the brand by making products less reliable.
    WHEN will a new version of the firmware be available for the WRT55AG ?
    If not how do I go about returning a well documented defectively engineered product for a product that works ?

    I would like to see a update to fix the various issues with this router. When will this be available ?
    -OR-
    If this product is considered End Of Life, I would like to get confirmation that no future firmware update will occur.
    As this product was defective out of the box and has never been fixed, I would like a replacement product please. My serial number is # MDJ106802225
    Message Edited by Xymox on 08-13-2008 11:28 AM

  • PEAP - NT Domain Denial Of Service Attack

    I'm looking for some feedback on the following percieved issue.
    Assumptions:
    1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.
    2) The ACS has an unknown user policy to check the NT Domain
    3) Your NT Domain security Policy locks accounts after 5 failed attempted logings
    Queation:
    Given that PEAP does not enforce client side verification and that any XP SP1 (perhaps the CISCO ACU depending on configuration) client can attempt a PEAP login. If a client maliciously attacks by entering wrong passwords they could create a Denial Of Service (legitimate users will be locked out) attack against the NT Domain
    Thoughts?

    PEAP does not provide credential caching. Any logins to Windows NT file systems will be separate and subsequent to PEAP login.
    PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).
    You can find more information in this URL:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c

  • Safari denial of service attack

    Hi all,
    We have a Linux server running the Moodle 2.x Learning Management System that authenitcates against a CAS (Central Autentication Service) server and we have an issue only with Safari browsers where they send continuous https requests to the Moodle server. We are having a hard time figuring out what is triggering it but it is happening in these operating systems that we have seen
    10.8.5
    10.9.1
    10.9.2
    10.6.8
    With these versions of Safari.
    6.1.3, 7.02, 5.1.10
    There could be other OS and Safari versions, we are not sure. We are doing a "tail -f /var/log/httpd/ssl_request_log" on the Moodle server and we'll see periodic entries like this.
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    Some systems have logged a quarter of a million requests per day so it is really kicking the server's butt!
    What is even crazier is I found a professor who's computer was actively hitting the server like this and I checked his computer and he did not have any Moodle or CAS server windows or tabs open. I went through his cookies and deleted any that were related to those system and the https requests continued. Once I closed out of Safari completely the requests stopped but here is where it got even crazier, when I brought up Safari again the requests started up again and the Safari window was not even pointing to the Moodle server, it was to his default web page (Google). It makes zero sense to me.
    Almost all of our students and faculty have Macs so it is causing a mini denial of service attack. We haven't seen any issues with Chrome or Firefox.
    Any thoughts?

    You would have to instruct your users to exclude the site from their Top Sites.
    You can permanently exclude a site from your Top Sites. From the Safari menu bar, select
    History ▹ Show Top Sites
    The Top Sites window will open. Position the cursor over the preview of the site you want to exclude. After a moment, an X icon and a pushpin icon will appear in the upper left corner of the preview. Click the X icon.
    The only way to reverse this action is to reset Top Sites. To do that, select
    Safari ▹ Reset Safari...
    In the dialog that opens, check the box marked
    Reset Top Sites
    and uncheck all other boxes. Then click the Reset button. This action will remove all Top Sites and all exclusions.

  • Preventing Denial of service.

    I would like to know if there�s is good pattern for preventing Denial of service for webapplications.
    What I really wan�t is to prevent a client to post a Html form several times before the first request has finished processing.
    Any idea�s or links
    Best Regards
    Laslos

    You can use tokens to prevent re-submit of forms.
    While creating a form, create a unique key and store
    it in a session and place it in a hidden field in the
    form. While the form is submitted, check make sure the
    hiddent variable and session variable matches. If they
    match, remove the key from session and accept the
    form. If they don't, don't allow processing.
    Is this what you are looking for?
    -HiteshSounds good, but it is likely to not work well if several instances of the same servlet with the same parameters are running simultaneously. (This was the original question.) No matter how you program it there are likely to be race conditions that allow more than one of those instances to accept the form.
    Having said that, I don't have any better ideas.

Maybe you are looking for

  • 2nd time Loop error in rejection reason/changes req

    Hello experts, I have created an wf with loop step. In that loop branch,m displaying a doc in approvers inbox, then i have put a decision step with 2 button - 'Approve' and 'Changes req'. For button Changes req, loop will continue.ok In tht changes r

  • Iphone 4 - signal issues after upgrading to latest ios 6

    I upgraded to ios 6, as suggested by itunes on my iPhone 4 and that's last day i was able to make a peaceful call. My signal just goes for a toss once i make a call. I see the 3g Symbol vanishing and the other person is not able to hear me but i am a

  • IPhone5 bad system board

    Yesterday my i5 was at 40% and i decided to plug it in which i noticed it wasnt charging so i rebooted the phone but it wouldnt power back on. I did a handful of hard resets and finally got the screen to show the 'plug in to charge' icon. Im thinking

  • [Solved] cp from mount ntfs to mount ntfs-3g

    Hello. I copied some files from a harddisk mounted with the option "-t ntfs" and now want to copy them back but I have to mount with "-t ntfs-3g" to have write access. Some of the files are written in Portuguese and have special characters and accent

  • Condition on a text is corrupting the output of a smartform

    Hello Everybody, I put a condition as advised ( int_sal-sal = 0 or int_sal-kondt = 0.)but it is corrupting the output of the form , headers are coming in one page and headers in middle of the form. Why is that ? Thanks