Port 20000 bad user (failed login) log?

Ron_E_James_D.O · October 6, 2025, 6:26pm

I visit https://a-domain.com:20000 and get prompted for a login. If I put thing-that-exists@that-domain.com for the login and put in a bad password I get a:

2025-10-06T11:07:21.651032-07:00 [my-local-server-name] perl: pam_unix(usermin:auth): authentication failure; logname= uid=0 euid=0 tty=20000 ruser= rhost=[IP-I-tried-from] user=[thing-that-exists@that-domain.com]

In /var/log/auth.log

However if I try:

thing-that-doesn't-exist

or:

thing-that-doesn't-exist@that-domain.com

For the login, I get no obvious corresponding log.

Where might I find one in the interest of discovering IPs trying to dictionary logins against me?

Thanks

SYSTEM INFORMATION
OS type and version	Ubuntu 24.04.3
Virtualmin version	7.40.2

Ron_E_James_D.O · October 6, 2025, 7:22pm

I see it now, they are written to:

/var/webmin/blocked
/var/usermin/blocked

as:

host [the-blocked-ip] 5 1759777456

According to the settings in Webmin → Webmin/Usermin Configuration → Authentication

(where 5 is the number of blocks and 1759777456 is the epoch time)

system · October 14, 2025, 7:23pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.