saslauthd/PAM IP logging on failure
Amir 'CG' Caspi
cepheid at 3phase.com
Sat Mar 26 08:24:05 EDT 2011
Hi all,
This topic has come up before (most recently last summer -
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html),
but no resolution was ever reached and this issue has recently become
rather important for me as I've been working to secure my server.
I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the
default CentOS/RHEL release version).
Using the current codebase, when saslauthd experiences an
auth failure, it does not log the remote host IP or requested login
name. This is particularly obvious when using PAM, wherein the
failure gets logged to /var/log/secure as:
Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
This is a problem because these log entries are essentially useless
for automated firewalling, e.g. via fail2ban or BFD.
In looking through the code, I see that the root cause of the
issue is that auth_pam() in saslauthd/auth_pam.c does not include any
argument for the rhost, and the requested login info is also
(apparently) not passed into the proper field of the pamh structure;
thus, neither rhost nor user get recorded by PAM.
In principle, it should be possible to fill these fields in
using (for example) sasl_getprop and pam_set_item, but I am not
sufficiently well-versed in the codebase to write such a patch. (In
particular, no sasl_conn_t variable is even present in auth_pam(),
which sasl_getprop requires.)
A patch was once written for a (very old!) version of
cyrus-sasl, v1.5.24 (see
http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch),
but this appears to have never become a part of the official
codebase, and I haven't yet figured out how to forward-port this
patch into the current sasl code.
Has anyone here written or know of a patch for sasl to get
saslauthd (particularly using auth_pam, but also for any other auth
method) to properly record both the rhost and user fields in the
error logs? If not, would someone be willing to help craft such a
patch?
I think this would be something very important to get into
the codebase, because the PAM errors currently being recorded are of
very limited use, particularly for automated firewalls like fail2ban
or BFD.
Any help would be greatly appreciated - I would very much
like to finally be able to use fail2ban (or BFD) to kill SMTP AUTH
hack attempts.
Thanks in advance.
-- Amir
More information about the Cyrus-sasl
mailing list