not even sure it's the right list
Alexandru N. Barloiu
axl at dale.ro
Mon Sep 26 11:51:42 EDT 2016
On Mon, 2016-09-26 at 09:00 -0500, Dan White wrote:
> On 09/26/16 03:42 +0300, Alexandru N. Barloiu via Cyrus-sasl wrote:
> >
> > I've been interested lately to log a little bit more about the entries
> > that concern wrong passwords, both in Cyrus and in Postfix.
>
> We use fail2ban to block brute force attempts.
>
> >
> > So I hacked a bit lib/server.c and plugins/plain.c to log the password
> > as well. But it's still an ugly hack.
> >
> > I was wondering if anyone else thought about this. I have millions of
> > queries daily, and some are right on the money: like the right user,
> > the right domain. And after a few weeks of trying this I figured out,
> > sometimes they even have an old password.
> >
> > All sorts of weird IPs, like from China, North Korea, Ukraine, Russia
> > and so on. I know it's a bad idea to log passwords, but in this case
> > it's a good thing to know which passwords are compromised.
>
> How do you use logging passwords as a way to correlate a compromised
> account? Isn't it sufficient just to know where the connections are
> coming from, or finding spam through some analysis?
Hi.
Well, I made something similar to fail2ban, except it doesn't ban, but
greps the logs for used passwords and mails daily a list of tried
passwords to each account. Therefore it's up to the users to NOT use
those passwords on this server or anywhere else. The same script also mails
a list of IPs from where the user successfully logged on, so that
the user can figure out if someone else has been using his account.
To my surprise, my account received tries with my actual own passwords
that I used in the past in various places on the internet. An old Yahoo
password. A password I only used in an MMORPG game online. Passwords
from forums, blogs and so on. Which is somewhat scary to me.
Now that I think about it, instead of logging the password and parsing
logs later, perhaps it would be a better idea if cyrus-sasl would queue a
mail for said user when someone tries a wrong password: "Hey user X,
someone is trying to get into your account with password Y." Feels less
like a hack. What do you think?
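[Editor's note] The per-user daily report described in the reply above (tried passwords from failed logins, plus the IPs behind successful logins) is a small log-parsing job. The following is an added example, not the poster's script and not part of cyrus-sasl or Postfix. The log format is an assumption: the poster's hack to lib/server.c and plugins/plain.c is not shown, so the sample lines below are constructed in a made-up "user=... password=..." form on top of the usual Postfix/Cyrus wording, and the two regexes are what you would adapt to the real output. The IPs are from the documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, assumption for this example).
# A real deployment would read /var/log/mail.log or similar and adapt FAIL_RE /
# SUCCESS_RE to whatever the patched SASL plugin actually emits.
SAMPLE_LOG = """\
Sep 26 03:42:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: user=alice@example.org password=hunter2
Sep 26 03:42:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: user=alice@example.org password=Summer2015
Sep 26 03:50:17 mail postfix/smtpd[1240]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: user=alice@example.org password=hunter2
Sep 26 04:01:40 mail postfix/smtpd[1251]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: user=bob@example.org password=bob123
Sep 26 07:12:03 mail imap[555]: login: [198.51.100.40] alice@example.org PLAIN User logged in
Sep 26 09:30:11 mail imap[556]: login: [198.51.100.40] alice@example.org PLAIN User logged in
Sep 26 10:05:44 mail imap[557]: login: [203.0.113.77] alice@example.org PLAIN User logged in
Sep 26 11:00:00 mail imap[558]: login: [198.51.100.12] bob@example.org PLAIN User logged in
"""

# Failed SASL auth with the (hypothetical) user/password fields appended.
FAIL_RE = re.compile(
    r"unknown\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed: "
    r"user=(?P<user>\S+) password=(?P<pw>\S+)$"
)
# Successful IMAP login, Cyrus-style "User logged in" wording.
SUCCESS_RE = re.compile(
    r"login: \[(?P<ip>[\d.]+)\] (?P<user>\S+) \w+ User logged in$"
)


def parse_auth_log(text):
    """Return (tried, succ), both keyed by user.

    tried[user] -> {password: number of failed attempts with it}
    succ[user]  -> {ip: number of successful logins from it}
    """
    tried = defaultdict(lambda: defaultdict(int))
    succ = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            tried[m["user"]][m["pw"]] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            succ[m["user"]][m["ip"]] += 1
    return tried, succ


def build_report(user, tried, succ):
    """Plain-text body of the daily mail for one user."""
    lines = [f"Daily login report for {user}", ""]
    pws = tried.get(user, {})
    lines.append("Passwords tried against your account (do NOT use these anywhere):")
    if pws:
        # Most-tried first, so a password the attacker "knows" stands out.
        for pw, n in sorted(pws.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"  {pw}  ({n} attempt{'s' if n != 1 else ''})")
    else:
        lines.append("  (none)")
    lines.append("")
    ips = succ.get(user, {})
    lines.append("IPs that logged in successfully (check that these are all yours):")
    if ips:
        for ip, n in sorted(ips.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"  {ip}  ({n} login{'s' if n != 1 else ''})")
    else:
        lines.append("  (none)")
    return "\n".join(lines)


def daily_reports(text):
    """Map each user seen in the log to the report body they should be mailed."""
    tried, succ = parse_auth_log(text)
    users = sorted(set(tried) | set(succ))
    return {u: build_report(u, tried, succ) for u in users}


if __name__ == "__main__":
    for user, body in daily_reports(SAMPLE_LOG).items():
        # In production hand each body to sendmail (or `mail -s`) addressed to `user`.
        print(body)
        print("-" * 60)
```

Two things to keep in mind if you run something like this for real: the log file now holds cleartext passwords (real ones, as the reply above shows), so it needs the same file permissions as the password database itself, and the report mail carries them too, so deliver it only to the local mailbox on the same server rather than relaying it anywhere.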