saslauthd/PAM IP logging on failure
Amir 'CG' Caspi
cepheid at 3phase.com
Sun Apr 3 03:35:12 EDT 2011
At 1:16 AM -0500 04/03/2011, Dan White wrote:

>One approach might be to add an additional item to the protocol that
>passes the client IP on to PAM.

Right, that sounds like probably the best (perhaps only) way
to do it... if saslauthd isn't even getting the remote IP, then the
first step is to pass the remote IP to saslauthd, so that it can then
pass it on to whichever auth method it's using (whether that's PAM,
kerberos, or whatever else).

Although, that brings up a question: would sendmail then need
to be modified to pass the rhost IP to saslauthd, as well? As in,
would implementing this change not do anything, if sendmail isn't
also modified?
>I think this is something that needs to be fixed in a logical, and supportable
>way.

Agreed! And, based on Google searches (and this list's own
history), I know I'm not the only one who wants to see saslauthd
properly logging the remote IP (whether it's via PAM or via any other
authentication method).
>Is your goal to see the IP address of a failed login attempt within syslog?
>Or is your ultimate goal to make use of the ip address within a pam module
>to make authentication decisions?

The first one - I want to see the IP address of the failed
login within syslog, so that brute-force detection utilities (e.g.
fail2ban or BFD) can then use that information to ban those IPs.
This would allow prevention of hack attempts or DDoS attacks
automatically.

Of course, having the IP within the PAM module would
obviously also allow authentication decisions (e.g. for people who
want to restrict usage to certain subnets), but my primary goal is
just getting the IP address in the logs.

(The requested username would be nice, too, since that information is
already there - it's already being passed to saslauthd, but, for some
reason, is also not being logged by PAM. But, the rhost IP is the
paramount piece of info.)
Thanks. =)
--- Amir
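The post above argues that brute-force tooling can only ban a client if the failure log line carries the client IP. The following Python script is an added example, not code from the thread or from the Cyrus SASL project: it runs a small per-IP failure counter over constructed saslauthd-style syslog lines. The `[rhost=...]` field appended to the failure line is a hypothetical extension (the thread states that saslauthd/PAM does not log the remote IP today); the sample log lines and the `198.51.100.7` / `203.0.113.9` addresses are constructed, and the `do_auth ... auth failure:` line shape follows saslauthd's own failure message. The line without `[rhost=...]` shows the gap the post describes: a failure that no ban tool can attribute to a source.

```python
import re
from collections import Counter

# Constructed sample syslog lines. "[rhost=...]" is a hypothetical field
# (assumption): the thread says saslauthd/PAM does not log the client IP.
SAMPLE_LOG = """\
Apr  3 03:20:01 mail saslauthd[2231]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] [rhost=198.51.100.7]
Apr  3 03:20:03 mail saslauthd[2231]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] [rhost=198.51.100.7]
Apr  3 03:20:05 mail saslauthd[2231]: do_auth         : auth failure: [user=root] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] [rhost=198.51.100.7]
Apr  3 03:20:09 mail saslauthd[2231]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] [rhost=203.0.113.9]
Apr  3 03:21:00 mail saslauthd[2231]: do_auth         : auth failure: [user=dave] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Apr  3 03:21:30 mail saslauthd[2231]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] [rhost=198.51.100.7]
Apr  3 03:21:31 mail sshd[4102]: Accepted publickey for ops from 192.0.2.5 port 51000 ssh2
"""

# Matches the saslauthd failure line and pulls out the requested user/service.
FAILURE_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth\s+: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)
# The hypothetical client-IP field, looked up separately so its absence is tolerated.
RHOST_RE = re.compile(r"\[rhost=(?P<rhost>[0-9.]+)\]")


def parse_failure(line):
    """Return (user, rhost-or-None) for a saslauthd auth-failure line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None  # unrelated log line (e.g. sshd)
    r = RHOST_RE.search(line)
    return m.group("user"), (r.group("rhost") if r else None)


def analyze(log_text, threshold=3):
    """Count failures per client IP and report which IPs reach the ban threshold.

    Returns (offending_ips, per_ip_counts, unattributed_failures). Failures whose
    line carries no rhost are counted separately: a ban tool cannot act on them.
    """
    per_ip = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        _user, rhost = parsed
        if rhost is None:
            unattributed += 1
        else:
            per_ip[rhost] += 1
    offenders = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return offenders, dict(per_ip), unattributed


if __name__ == "__main__":
    offenders, counts, missing = analyze(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} failure(s)")
    print("would ban:", offenders)
    print("failures with no client IP (cannot be attributed):", missing)
```

With the constructed input, `198.51.100.7` accumulates four failures and crosses the threshold, `203.0.113.9` has one, and the line without `[rhost=...]` is counted as unattributable. A fail2ban-style filter faces exactly this: the username alone (which the post notes is also not logged) does not identify a source, so without the rhost field the failure cannot feed an IP ban.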