not even sure it's the right list

Dan White dwhite at olp.net
Mon Sep 26 10:00:18 EDT 2016


On 09/26/16 03:42 +0300, Alexandru N. Barloiu via Cyrus-sasl wrote:
>i've been interested lately to log a little bit more about the entries
>that concern wrong passwords. both in cyrus and in postfix. 

We use fail2ban to block brute force attempts. 

>so i hacked a bit lib/server.c and plugins/plain.c to log password as
>well. but it's still an ugly hack. 
>
>i was wondering if anyone else thought about this. i have millions of
>queries daily, and some are right on the money. like the right user,
>the right domain. and after a few weeks of trying this i figured out,
>sometimes they even have an old password. 
>
>all sorts of weird IPs. like from china, north korea, ukraine, russia
>and so on. i know it's a bad idea to log passwords, but in this case,
>it's a good thing to know which passwords are compromised. 

How do you use logging passwords as a way to correlate a compromised
account? Isn't it sufficient just to know where the connections are
coming from, or finding spam through some analysis?

-- 
Dan White

