remote client ip

Dan White dwhite at olp.net
Mon May 24 23:55:36 EDT 2010


On 24/05/10 12:31 -0400, P.A wrote:
>Hi, using saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been
>hit with a lot of dictionary attacks using sasl authentication.
>
>While looking at this issue I noticed that the sasl logs
>(/var/log/messages) are not logging the remote ip of the failed attempts.
>
>[root at mrelay3 deferred]# tail -f /var/log/messages
>May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
>May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
>logname= uid=0 euid=0 tty= ruser= rhost=
>May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth         : auth failure:
>[user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

From a cursory inspection of lib/pwcheck.c, saslauthd does not get passed
any client IP information and cannot log it or forward it to pam.

>What can I do to have the remote ip show up on the logs. I have looked on
>this lists archives and searched google but found nothing. If this is not
>possible for some reason what is the best/recommended way about getting the
>remote ip info. Also are there any options built into cyrus sasl that can
>minimize dictionary attacks?

You could investigate to see if your smtp server can log IP connection
information.

If you're using Linux, this article may be useful:

http://www.debian-administration.org/articles/187

Cyrus does have a provision for mitigating dictionary attacks, which is to
specify a 'nodict' security flag; this may or may not be allowable in your
smtp server config. In postfix, it's specified as:

smtpd_sasl_security_options = nodictionary

However, that essentially just restricts your allowed authentication
mechanisms to those that are not prone to dictionary attacks, namely:

SRP
PASSDSS
EXTERNAL

(see pluginviewer)

-- 
Dan White
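Following Dan's suggestion to get the address from the SMTP server instead of from saslauthd, here is an added example (not part of the thread, and not Cyrus SASL or Postfix code) that assumes Postfix is the SMTP server: its smtpd logs a "warning: host[ip]: SASL <mech> authentication failed" line for each failed attempt, which carries the client IP that the saslauthd line lacks. The script counts those failures per source IP, flags sources above a threshold, and, as a heuristic, pairs each smtpd failure with the most recent saslauthd failure logged within a couple of seconds to recover the username that was tried. The log lines are constructed for the example; the 2-second join window and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample, not taken from the thread: Postfix smtpd logs the client
# address on every SASL failure, whereas the saslauthd lines (same shape as in
# the original post) carry the username but no address.
SAMPLE_LOG = """\
May 24 11:17:33 mrelay3 postfix/smtpd[4410]: connect from unknown[203.0.113.5]
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:35 mrelay3 postfix/smtpd[4410]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:36 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:36 mrelay3 postfix/smtpd[4410]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:38 mrelay3 postfix/smtpd[4411]: connect from mail.example.net[198.51.100.9]
May 24 11:17:39 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=postmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:39 mrelay3 postfix/smtpd[4411]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
May 24 11:17:40 mrelay3 postfix/smtpd[4411]: disconnect from mail.example.net[198.51.100.9]
May 24 11:17:41 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:41 mrelay3 postfix/smtpd[4410]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 24 11:17:42 mrelay3 postfix/smtpd[4410]: disconnect from unknown[203.0.113.5]
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix smtpd's SASL failure warning, which includes the client IP.
SMTPD_FAIL = re.compile(
    r"^warning: (?P<rhost>[-._\w]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>[-\w]+) authentication failed"
)
# saslauthd's do_auth failure line; it names the user but no client address.
SASLAUTHD_FAIL = re.compile(r"auth failure: \[user=(?P<user>[^\]]*)\]")


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(log_text):
    """Yield (seconds_of_day, kind, fields) for the two line types of interest."""
    for line in log_text.splitlines():
        head = SYSLOG.match(line)
        if not head:
            continue
        t = _seconds(head.group("time"))
        msg = head.group("msg")
        m = SMTPD_FAIL.match(msg)
        if m:
            yield t, "smtpd_fail", m.groupdict()
            continue
        m = SASLAUTHD_FAIL.search(msg)
        if m and head.group("prog") == "saslauthd":
            yield t, "saslauthd_fail", m.groupdict()


def count_failures_by_ip(log_text):
    """{ip: number of SASL failures smtpd logged for that client}."""
    return dict(Counter(f["ip"] for _, k, f in parse_events(log_text) if k == "smtpd_fail"))


def flag_dictionary_sources(log_text, threshold=3):
    """IPs with at least `threshold` failures, most active first (assumed threshold)."""
    hits = [(ip, n) for ip, n in count_failures_by_ip(log_text).items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def failures_with_usernames(log_text, window=2):
    """Heuristic join (an assumption, not a guaranteed relation): pair each smtpd
    failure with the latest unpaired saslauthd failure logged at most `window`
    seconds earlier, to recover the username tried from that IP.
    Returns [(ip, mech, user_or_None), ...] in log order."""
    pending = []   # unpaired saslauthd failures as (t, user)
    out = []
    for t, kind, f in parse_events(log_text):
        if kind == "saslauthd_fail":
            pending.append((t, f["user"]))
            continue
        user = None
        for i in range(len(pending) - 1, -1, -1):
            if 0 <= t - pending[i][0] <= window:
                user = pending.pop(i)[1]
                break
        out.append((f["ip"], f["mech"], user))
    return out


if __name__ == "__main__":
    for ip, n in flag_dictionary_sources(SAMPLE_LOG):
        print(f"{ip}: {n} SASL failures")
    for ip, mech, user in failures_with_usernames(SAMPLE_LOG):
        print(f"{ip} {mech} user={user}")
```

The per-IP counts are the reliable part, since smtpd records the address itself; the username join only works because saslauthd and smtpd write to the same log in close succession, so treat a recovered username as a hint rather than evidence when several clients are authenticating at once.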
