saslauthd/PAM IP logging on failure

Amir 'CG' Caspi cepheid at 3phase.com
Sat Mar 26 08:24:05 EDT 2011 

Hi all,

	This topic has come up before (most recently last summer - 
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html), 
but no resolution was ever reached and this issue has recently become 
rather important for me as I've been working to secure my server.

	I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the 
default CentOS/RHEL release version).

	Using the current codebase, when saslauthd experiences an 
auth failure, it does not log the remote host IP or requested login 
name.  This is particularly obvious when using PAM, wherein the 
failure gets logged to /var/log/secure as:

Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth): 
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

This is a problem because these log entries are essentially useless 
for automated firewalling, e.g. via fail2ban or BFD.

	In looking through the code, I see that the root cause of the 
issue is that auth_pam() in saslauthd/auth_pam.c does not include any 
argument for the rhost, and the requested login info is also 
(apparently) not passed into the proper field of the pamh structure; 
thus, neither rhost nor user get recorded by PAM.

	In principle, it should be possible to fill these fields in 
using (for example) sasl_getprop and pam_set_item, but I am not 
sufficiently well-versed in the codebase to write such a patch.  (In 
particular, no sasl_conn_t variable is even present in auth_pam(), 
which sasl_getprop requires.)
	A patch was once written for a (very old!) version of 
cyrus-sasl, v1.5.24 (see 
http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch), 
but this appears to have never become a part of the official 
codebase, and I haven't yet figured out how to forward-port this 
patch into the current sasl code.

	Has anyone here written or know of a patch for sasl to get 
saslauthd (particularly using auth_pam, but also for any other auth 
method) to properly record both the rhost and user fields in the 
error logs?  If not, would someone be willing to help craft such a 
patch?
	I think this would be something very important to get into 
the codebase, because the PAM errors currently being recorded are of 
very limited use, particularly for automated firewalls like fail2ban 
or BFD.

	Any help would be greatly appreciated - I would very much 
like to finally be able to use fail2ban (or BFD) to kill SMTP AUTH 
hack attempts.

Thanks in advance.
						-- Amir

More information about the Cyrus-sasl mailing list