saslauthd/PAM IP logging on failure

omalleys at msu.edu omalleys at msu.edu
Mon Apr 4 08:39:45 EDT 2011


It sounds like Sendmail isn't sending the correct data, or in the  
correct format. I believe sasl/saslauthd logs the remote, but I think  
you need to use the debug flag and have syslog configured properly to  
see it.







Quoting Amir 'CG' Caspi <cepheid at 3phase.com>:

> At 1:16 AM -0500 04/03/2011, Dan White wrote:
>> One approach might be to add an additional item to the protocol  
>> that passes the client IP on to PAM.
>
> 	Right, that sounds like probably the best (perhaps only) way to do  
> it... if saslauthd isn't even getting the remote IP, then the first  
> step is to pass the remote IP to saslauthd, so that it can then pass  
> it on to whichever auth method it's using (whether that's PAM,  
> kerberos, or whatever else).
>
> 	Although, that brings up a question: would sendmail then need to be  
> modified to pass the rhost IP to saslauthd, as well?  As in, would  
> implementing this change not do anything, if sendmail isn't also  
> modified?
>
>> I think this is something that needs to be fixed in a logical, and supportable
>> way.
>
> 	Agreed!  And, based on Google searches (and this list's own
> history), I know I'm not the only one who wants to see saslauthd
> properly logging the remote IP (whether it's via PAM or via any
> other authentication method).
>
>> Is your goal to see the IP address of a failed login attempt within syslog?
>> Or is your ultimate goal to make use of the ip address within a pam module
>> to make authentication decisions?
>
> 	The first one - I want to see the IP address of the failed login  
> within syslog, so that brute-force detection utilities (e.g.  
> fail2ban or BFD) can then use that information to ban those IPs.  
> This would allow prevention of hack attempts or DDoS attacks  
> automatically.
>
> 	Of course, having the IP within the PAM module would obviously also
> allow authentication decisions (e.g. for people who want to
> restrict usage to certain subnets), but my primary goal is just
> getting the IP address in the logs.
>
> (The requested username would be nice, too, since that information
> is already there - it's already being passed to saslauthd, but, for
> some reason, is also not being logged by PAM.  But, the rhost IP is
> the paramount piece of info.)
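
Why the missing rhost matters for the log-driven banning discussed in this thread, shown as an added example that is not part of the original messages or of Cyrus SASL: a per-host failure counter of the kind fail2ban-style tools apply can act on failures that carry an rhost, while failures logged with an empty rhost are counted but cannot be attributed. The log lines are constructed samples in pam_unix's "authentication failure" format, and the function names and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). The saslauthd
# entries have an empty rhost=, the situation described above; the sshd entries
# are included for contrast because sshd hands the remote host to PAM.
SAMPLE_LOG = """\
Apr  4 08:01:10 mx saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:12 mx saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:15 mx saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:19 mx saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:02:40 mx sshd[3307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 08:02:44 mx sshd[3307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 08:02:49 mx sshd[3307]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Apr  4 08:03:00 mx sshd[3311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=bob
Apr  4 08:03:05 mx sendmail[4001]: p34C35aB004001: from=<a@example.org>, size=1204
"""

FAILURE = re.compile(
    r"(?P<daemon>[\w.-]+)\[\d+\]: pam_unix\((?P<service>[^:)]+):auth\): "
    r"authentication failure;(?P<fields>.*)$"
)

def parse_failure(line):
    """Return daemon, PAM service, rhost and user for a failure line, else None."""
    m = FAILURE.search(line)
    if m is None:
        return None
    # key=value pairs; a key with nothing after '=' yields an empty string
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {"daemon": m.group("daemon"), "service": m.group("service"),
            "rhost": fields.get("rhost", ""), "user": fields.get("user", "")}

def summarize(log_text, threshold=3):
    """Return (hosts at or over the threshold, unattributable failures per service)."""
    per_host, blind = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        if rec["rhost"]:
            per_host[rec["rhost"]] += 1
        else:
            blind[rec["service"]] += 1   # failure seen, but no address to act on
    bannable = sorted(h for h, n in per_host.items() if n >= threshold)
    return bannable, dict(blind)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty second element of the result is the signal worth alerting on: authentication failures are occurring on that PAM service, but the log gives a banning tool nothing to key on.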


