saslauthd/PAM IP logging on failure
Amir 'CG' Caspi
cepheid at 3phase.com
Sat Apr 2 22:29:54 EDT 2011
Hi all,
Just wondering if anyone might have any ideas for this one.
I've been reading through the code but haven't yet figured out how to
get auth_pam() access to the rhost IP.
Hopefully someone has either implemented this or has ideas...
Thanks!
--- Amir
At 4:24 AM -0800 03/26/2011, Amir 'CG' Caspi wrote:
>Hi all,
>
> This topic has come up before (most recently last summer -
>http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html),
>but no resolution was ever reached and this issue has recently
>become rather important for me as I've been working to secure my
>server.
>
> I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the
>default CentOS/RHEL release version).
>
> Using the current codebase, when saslauthd experiences an
>auth failure, it does not log the remote host IP or requested login
>name. This is particularly obvious when using PAM, wherein the
>failure gets logged to /var/log/secure as:
>
>Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth):
>authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>
>This is a problem because these log entries are essentially useless
>for automated firewalling, e.g. via fail2ban or BFD.
>
> In looking through the code, I see that the root cause of the
>issue is that auth_pam() in saslauthd/auth_pam.c does not include
>any argument for the rhost, and the requested login info is also
>(apparently) not passed into the proper field of the pamh structure;
>thus, neither rhost nor user get recorded by PAM.
>
> In principle, it should be possible to fill these fields in
>using (for example) sasl_getprop and pam_set_item, but I am not
>sufficiently well-versed in the codebase to write such a patch. (In
>particular, no sasl_conn_t variable is even present in auth_pam(),
>which sasl_getprop requires.)
> A patch was once written for a (very old!) version of
>cyrus-sasl, v1.5.24 (see
>http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch),
>but this appears to have never become a part of the official
>codebase, and I haven't yet figured out how to forward-port this
>patch into the current sasl code.
>
> Has anyone here written, or does anyone know of, a patch for sasl to get
>saslauthd (particularly using auth_pam, but also for any other auth
>method) to properly record both the rhost and user fields in the
>error logs? If not, would someone be willing to help craft such a
>patch?
> I think this would be something very important to get into
>the codebase, because the PAM errors currently being recorded are of
>very limited use, particularly for automated firewalls like fail2ban
>or BFD.
>
> Any help would be greatly appreciated - I would very much
>like to finally be able to use fail2ban (or BFD) to kill SMTP AUTH
>hack attempts.
>
>Thanks in advance.
> -- Amir
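The quoted message explains why the empty `rhost=` / missing `user=` fields matter: a log-driven blocker such as fail2ban or BFD has no source address to act on. The following is an added example, not code from the original post or from cyrus-sasl or fail2ban. It parses `pam_unix` "authentication failure" records over a constructed set of log lines (the addresses are from RFC 5737 documentation ranges; the first two lines reproduce the empty-field shape quoted above, the others show the same record once PAM_RHOST and PAM_USER have been set, which makes pam_unix append `rhost=<addr> user=<name>`). It counts failures per remote host for the `smtp` PAM service, reports how many records cannot be attributed to any host, and lists hosts that would trip a simple maxretry rule (the time window fail2ban also applies is deliberately left out).

```python
import re
from collections import Counter

# Constructed sample log (not taken from the poster's server). Lines 1-2 have the
# empty rhost=/user fields described in the thread; lines 3-6 are what the same
# saslauthd failures look like when PAM_RHOST and PAM_USER are populated; the
# last line is an sshd failure included to show the per-service filter.
SAMPLE_LOG = """\
Mar  9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar  9 06:56:43 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar  9 06:57:02 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=alice
Mar  9 06:57:05 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=bob
Mar  9 06:57:09 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=carol
Mar  9 06:57:20 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Mar  9 06:58:00 hostname sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
"""

# pam_unix failure record: service name in parentheses, rhost= possibly empty,
# and a trailing user= only when PAM_USER was known at the time of the failure.
PAM_FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
    r"(?:\s+user=(?P<user>\S+))?"
)


def parse_pam_failure(line):
    """Return {'service', 'rhost', 'user'} for a pam_unix failure line, else None."""
    m = PAM_FAILURE_RE.search(line)
    if not m:
        return None
    return {
        "service": m.group("service"),
        "rhost": m.group("rhost"),          # "" when saslauthd never set PAM_RHOST
        "user": m.group("user") or "",      # "" when PAM_USER was not recorded
    }


def summarize_failures(log_text, service="smtp"):
    """Count failures per remote host for one PAM service.

    Returns (per_host, unattributable): per_host is a Counter keyed by rhost;
    unattributable counts records with an empty rhost, i.e. failures that a
    fail2ban-style tool has no address to block.
    """
    per_host = Counter()
    unattributable = 0
    for line in log_text.splitlines():
        rec = parse_pam_failure(line)
        if rec is None or rec["service"] != service:
            continue
        if rec["rhost"]:
            per_host[rec["rhost"]] += 1
        else:
            unattributable += 1
    return per_host, unattributable


def hosts_over_threshold(log_text, service="smtp", maxretry=3):
    """Hosts with at least `maxretry` attributable failures (no time window applied)."""
    per_host, _ = summarize_failures(log_text, service)
    return sorted(h for h, n in per_host.items() if n >= maxretry)


if __name__ == "__main__":
    per_host, unattributable = summarize_failures(SAMPLE_LOG)
    print("smtp failures per host:", dict(per_host))
    print("smtp failures with empty rhost (cannot be blocked):", unattributable)
    print("hosts at/over maxretry:", hosts_over_threshold(SAMPLE_LOG))
```

Run against a real `/var/log/secure`, a non-zero `unattributable` count for the `smtp` service is exactly the symptom the thread describes: the failures are logged, but nothing in the record identifies the peer.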