remote client ip

P.A razor at meganet.net
Mon May 24 12:31:03 EDT 2010


Hi, using saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been
hit with a lot of dictionary attacks using sasl authentication.

While looking at this issue I noticed that the sasl logs,
(/var/log/messages) is not logging the remote ip of the failed attempted. 

 

[root at mrelay3 deferred]# tail -f /var/log/messages

May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown

May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=

May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth         : auth failure:
[user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

 

What can I do to have the remote ip show up on the logs. I have looked on
this lists archives and searched google but found nothing. If this is not
possible for some reason what is the best/recommended way about getting the
remote ip info. Also are there any options built into cyrus sasl that can
minimize dictionary attacks?

 

Thanks very much, Paul

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20100524/db95e687/attachment.html 


More information about the Cyrus-sasl mailing list