Should I worry about imap connections from an unknown IP?

[Vatoloco]

I'm the only person with access to my server. I don't do any reselling. In my logwatch last night I had this entry:

--------------------- Connections (secure-log) Begin ------------------------

Connections:
Service imap:
69.56.245.114: 2 Time(s)
127.0.0.1: 176 Time(s)


I have no idea who's IP the 69.56.245.114 is. It's a webhost in texas (theplanet.com) which is far away from me.

 

[digitard]

It may be a wrong connection attempt, who knows.

I recommend though, just to play it safe, maybe reset your password to something that uses lower case, capital and numbers (I even add special characters such as @) to minimize the risk or something guessing your passcode.

 

[Vatoloco]

It may be a wrong connection attempt, who knows.

I recommend though, just to play it safe, maybe reset your password to something that uses lower case, capital and numbers (I even add special characters such as @) to minimize the risk or something guessing your passcode.

Do invalid logins show up there also? For some reason I was thinking that if they show up in that log in means they were successful connections.

I do have a good password and I'm very careful with security so I think it's unlikely that anyone would be able to get ahold of it or brute-force their way in.

 

[digitard]

I think it shows any connection... cause even if the password/username is wrong it still has to make a successful connection to the server before it can query the username/pass.

I haven't really checked my logs a lot lately (just pay attention mainly to BFD bans and things).

One thing you may wanna do, if you haven't already, is run APF + BFD. I'm sure you're familiar with the APF firewall. There's an addition called BFD which will ban people for attempting to connect to your box with random usernames/passes. I get like 30 bans a day...lol.

You acn get info up in that 'beginners guide to securing your server' thread if ya dont already have it.

 

[Vatoloco]

I guess I need to get BFD installed. Usually the only thing in this log is 127.0.0.1 and every now and then maybe one other that tried to connect once. The last couple of days though it's been full of them and looked like this:

--------------------- Connections (secure-log) Begin ------------------------ 

Connections:
   Service imap:
      60.164.127.2: 2 Time(s)
      67.15.62.16: 420 Time(s)
      81.220.165.125: 2 Time(s)
      82.48.107.11: 2 Time(s)
      82.56.16.189: 2 Time(s)
      82.56.20.227: 2 Time(s)
      82.67.210.110: 2 Time(s)
      83.50.98.133: 2 Time(s)
      84.0.246.135: 2 Time(s)
      84.97.58.52: 2 Time(s)
      84.121.70.190: 2 Time(s)
      84.164.95.209: 3 Time(s)
      86.125.16.122: 2 Time(s)
      127.0.0.1: 173 Time(s)
      134.39.120.248: 1 Time(s)
      218.7.13.217: 2 Time(s)
      218.16.129.221: 2 Time(s)
      222.11.219.8: 1 Time(s)
      222.83.232.234: 2 Time(s)
      222.86.62.33: 2 Time(s)
      222.95.172.54: 2 Time(s)

How do you tell if a connection was actually successful and not just an invalid log-in attempt?

 

[chirpy]

You can check in /var/log/maillog where the imap connections are logged.