Authentication logs virtualmin, webmin, pop and imap

Hi everyone, I was wondering if anyone would be so kind as to tell me where I can find the authentication logs for virtualmin, webmin, pop and imap. My aim is to display failed login attempts with the relative ip addresses. I thank anyone who wants to help.

| SYSTEM INFORMATION | |
|------------------------------|-------------------------------|
| OS type and version | Debian12 |
| Webmin version | 2.202 |
| Virtualmin version | 7.0.0 |
| Webserver version | 7.30.4.gpl-1 |

I don’t know the Debian 12 default logging system. Most newer Linux OS’s now use journalctl.
Note the line at the top. Pretty sure -n 100 gives the last 100 entries. If you type something into the filter you will see that line change. You can use it to tailor your input.

journalctl -n 100 -g "auth" |grep -i failure

I think fail2ban, if you are using it, has its own log and pretty much collects that information.
/var/log/fail2ban.log

Virtualmin/Webmin logs in various logs in /var/webmin. Though you’ll also see just authentication in the journal for the webmin unit for Webmin if started via the systemd unit, which looks like (for success or failure, respectively):

Feb 11 07:24:42 wp.virtualmin.com webmin[2241974]: Successful login as root from 70.117.20.17
Feb 11 07:26:16 wp.virtualmin.com webmin[2242505]: Non-existent login as doot from 70.117.20.17

POP and IMAP will be in the journal under the dovecot unit.

Thank you so much for your reply. It was much appreciated, but as I wanted to make a script based on the logs, I’m afraid I can’t use the journal without it generating a new log. Is there any way of enabling an option in webmin that writes IMAP and POP access attempts to the logs?

I still use rsyslog. I have a separate auth file.
/var/log/auth.log

I’m not sure of the implications of adding it to a running system.

my /var/log/mail.info seems to have what you want for IMAP and POP.

Feb 11 12:56:45 main postfix/smtpd[2019698]: SSL_accept error from 84.112.142.210.ap.mvno.net[210.142.112.84]: lost connection
Feb 11 12:56:45 main postfix/smtpd[2019698]: lost connection after CONNECT from 84.112.142.210.ap.mvno.net[210.142.112.84]
Feb 11 12:56:45 main postfix/smtpd[2019698]: disconnect from 84.112.142.210.ap.mvno.net[210.142.112.84] commands=0/0
Feb 11 12:56:52 main postfix/smtpd[2019698]: connect from unknown[1.235.192.130]
Feb 11 12:57:00 main postfix/smtpd[2019698]: warning: SASL authentication failure: Password verification failed
Feb 11 12:57:00 main postfix/smtpd[2019698]: warning: unknown[1.235.192.130]: SASL PLAIN authentication failed: authentication failure, sasl_username=mail
Feb 11 12:57:01 main postfix/smtpd[2019698]: lost connection after AUTH from unknown[1.235.192.130]
Feb 11 12:57:01 main postfix/smtpd[2019698]: disconnect from unknown[1.235.192.130] ehlo=1 auth=0/1 commands=1/2

Unfortunately /var/log/mail.info is not present in my system. Does rsyslog track POP and IMAP too?

Well, it tracks Dovecot but I just don’t get a lot of dovecot login failures so I really didn’t have anything to post.

EDIT: If you want to do this straight from journalctl you might get some help at unix.com

Feb  9 00:24:01 main dovecot: imap(mit@ooo.com)<497849><N5WjzK4tIIOtW9Fj>: Connection closed (UID FETCH finished 0.158 secs ago) in=1457 out=16931 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb  9 00:24:02 main dovecot: imap-login: Login: user=<mit@ooo.com>, method=PLAIN, rip=173.91.209.99, lip=74.208.47.115, mpid=497880, TLS, session=<u3uzzK4tIoOtW9Fj>
Feb  9 00:24:02 main dovecot: imap(mit@ooo.com)<497880><u3uzzK4tIoOtW9Fj>: Connection closed (UID FETCH finished 0.137 secs ago) in=1645 out=14886 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

That’s not true.

Can you give me an example?

[root@wp webmin]# export JOURNAL=$(journalctl --since="-24h" -u webmin | grep "Non-existent login")
[root@wp webmin]# echo $JOURNAL
Feb 11 07:26:16 wp.virtualmin.com webmin[2242505]: Non-existent login as doot from 70.117.20.17
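
An added example, not posted by anyone in the thread: a shell function that counts failed logins per service and source IP, using the Webmin and Postfix line formats quoted above. The sample lines are constructed, and the Dovecot `auth failed` line format is an assumption, since the thread only shows successful Dovecot logins.

```bash
#!/usr/bin/env bash
# Added example: count failed logins per service and source IP.
# Reads syslog/journal-style lines on stdin, prints "COUNT SERVICE IP" (one count per log line).
failed_logins() {
  awk '
    # Webmin, format shown in the thread: "Non-existent login as USER from IP"
    /webmin\[[0-9]+\]: Non-existent login as / { n["webmin " $NF]++; next }

    # Postfix SASL, format shown in the thread: "HOST[IP]: SASL PLAIN authentication failed"
    /postfix\/smtpd/ && /authentication failed/ &&
    match($0, /\[[0-9a-fA-F:.]+\]: SASL/) {
      n["smtp " substr($0, RSTART + 1, RLENGTH - 8)]++; next
    }

    # Dovecot IMAP/POP3 (ASSUMED format, not in the thread): "auth failed" plus rip=IP
    /dovecot(\[[0-9]+\])?: (imap|pop3)-login: / && /auth failed/ &&
    match($0, /rip=[0-9a-fA-F:.]+/) {
      svc = ($0 ~ /pop3-login/) ? "pop3" : "imap"
      n[svc " " substr($0, RSTART + 4, RLENGTH - 4)]++
    }

    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines modelled on the formats quoted in the thread
# (documentation-range IPs; the two Dovecot failure lines use the assumed format).
sample_log() {
  cat <<'EOF'
Feb 11 07:24:42 host webmin[2241974]: Successful login as root from 203.0.113.10
Feb 11 07:26:16 host webmin[2242505]: Non-existent login as doot from 203.0.113.10
Feb 11 12:57:00 host postfix/smtpd[2019698]: warning: SASL authentication failure: Password verification failed
Feb 11 12:57:00 host postfix/smtpd[2019698]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=mail
Feb 11 12:58:11 host postfix/smtpd[2019701]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=info
Feb  9 00:24:02 host dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, mpid=497880, TLS, session=<aaa>
Feb  9 00:25:10 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, TLS, session=<bbb>
Feb  9 00:26:30 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<ccc>
EOF
}

# Real input is piped the same way, for example:
#   journalctl --since="-24h" -u webmin -u dovecot | failed_logins
#   failed_logins < /var/log/mail.info
sample_log | failed_logins
```

Successful logins and the generic Postfix "SASL authentication failure" warning (which carries no address) are skipped, so each failed attempt is counted once against the IP that made it.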

Please accept my heartfelt thanks for teaching me something new that I didn’t know.

You guys are really kind and I really appreciate your patience.
