saslauthd/PAM IP logging on failure
omalleys at msu.edu
Mon Apr 4 08:39:45 EDT 2011
It sounds like Sendmail isn't sending the correct data, or in the
correct format. I believe sasl/saslauthd logs the remote, but I think
you need to use the debug flag and have syslog configured properly to
see it.
Quoting Amir 'CG' Caspi <cepheid at 3phase.com>:
> At 1:16 AM -0500 04/03/2011, Dan White wrote:
>> One approach might be to add an additional item to the protocol
>> that passes the client IP on to PAM.
>
> Right, that sounds like probably the best (perhaps only) way to do
> it... if saslauthd isn't even getting the remote IP, then the first
> step is to pass the remote IP to saslauthd, so that it can then pass
> it on to whichever auth method it's using (whether that's PAM,
> kerberos, or whatever else).
>
> Although, that brings up a question: would sendmail then need to be
> modified to pass the rhost IP to saslauthd, as well? As in, would
> implementing this change not do anything, if sendmail isn't also
> modified?
>
>> I think this is something that needs to be fixed in a logical, and supportable
>> way.
>
> Agreed! And, based on Google searches (and this list's own
> history), I know I'm not the only one who wants to see saslauthd
> properly logging the remote IP (whether it's via PAM or via any
> other authentication method).
>
>> Is your goal to see the IP address of a failed login attempt within syslog?
>> Or is your ultimate goal to make use of the ip address within a pam module
>> to make authentication decisions?
>
> The first one - I want to see the IP address of the failed login
> within syslog, so that brute-force detection utilities (e.g.
> fail2ban or BFD) can then use that information to ban those IPs.
> This would allow prevention of hack attempts or DDoS attacks
> automatically.
>
> Of course, having the IP within the PAM module would obviously also
> allow authentication decisions (e.g. for people who want to
> restrict usage to certain subnets), but my primary goal is just
> getting the IP address in the logs.
>
> (The requested username would be nice, too, since that information
> is already there - it's already being passed to saslauthd, but, for
> some reason, is also not being logged by PAM. But, the rhost IP is
> the paramount piece of info.)
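
Why an empty rhost field defeats the log-based banning discussed in this thread, shown as an added example that is not part of the original messages: a small scanner counts PAM authentication failures per source address and reports the failures it cannot attribute. The log lines are constructed in pam_unix's syslog style; the host name, PIDs, documentation-range IPs, the sshd comparison lines and the function name `scan` are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in pam_unix's syslog style (host, PIDs and IPs are
# made up). The smtp lines have an empty rhost=, the situation described in the
# thread; the sshd lines come from a service that does hand PAM a client address.
SAMPLE_LOG = """\
Apr  4 08:01:10 mx saslauthd[812]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:12 mx saslauthd[812]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:13 mx saslauthd[813]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:01:15 mx saslauthd[812]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 08:02:01 mx sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 08:02:03 mx sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 08:02:05 mx sshd[2212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Apr  4 08:03:40 mx sshd[2230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.20  user=bob
"""

# Capture the PAM service name and whatever follows rhost= (possibly nothing).
FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
)

def scan(log_text, threshold=3):
    """Return (addresses at or over the threshold, unattributable failures per service)."""
    per_host = Counter()
    unattributed = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        if m.group("rhost"):
            per_host[m.group("rhost")] += 1
        else:
            # No client address reached PAM, so there is nothing to ban.
            unattributed[m.group("service")] += 1
    to_ban = sorted(h for h, n in per_host.items() if n >= threshold)
    return to_ban, dict(unattributed)

if __name__ == "__main__":
    ban, blind = scan(SAMPLE_LOG)
    print("ban candidates:", ban)
    print("failures with no source address:", blind)
```

The four SMTP failures exceed the threshold but produce no ban candidate, because the log line gives the scanner no address to act on.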