Saslauthd & reporting connecting IP
John Straiton
jsmailing at clickcom.com
Thu Apr 17 10:22:33 EDT 2003
> > I have what seems like a simple problem I'm just not seeing the
> > answer to. I use cyrus w/ saslauthd & pam. I get a lot of syslog
> > messages like: (USERNAME used to protect the mostly-innocent)
> >
> > Apr 16 17:20:51 mx2 saslauthd[93602]: AUTHFAIL: user=USERNAME
> > service=pop realm= [PAM auth error]
> >
> > What I'd like to know is where the source of this attempt was from.
> > What IP address? It's not been a problem as of yet, but it might take
> > us longer than I'd like to determine the nature of a brute force
> > attack (or like) with this information not readily accessible. Ideally,
> > I'd like that address in this syslog line, but if there's another means
> > to an end, that'll work too.
> >
>
> Check the logs for your pop service.
>
Sometimes it just doesn't pay to be watching a filtered version of your
syslog. Because I have like 100 rules set up in syslog-ng, I wasn't
seeing the messages coming from cyrus about "badlogin:" which is what we
really should be tracking because the facility those come in on was
filtered from my display (logged, but not on my scrolling window in my X
terminal). I was only seeing the saslauthd ones and thinking "well this
is silly...how do you know who it is..."

Thanks a lot. I knew it was something silly I was doing.
John Straiton
jks at clickcom.com
Clickcom, Inc
704-365-9970x101
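
The correlation described in the message above, as an added example that is not part of the original post: it pairs saslauthd AUTHFAIL lines with Cyrus "badlogin:" lines for the same user to recover the source address, and counts failures per address. The sample lines are constructed, and the "badlogin:" field layout (optional hostname, bracketed IP, mechanism, user) is an assumption to check against your own logs.

```python
import re
from collections import Counter

# Constructed sample lines. AUTHFAIL follows the format quoted in the post;
# the "badlogin:" layout (host, [IP], mechanism, user) is an assumption.
SAMPLE_LOG = """\
Apr 16 17:20:51 mx2 saslauthd[93602]: AUTHFAIL: user=alice service=pop realm= [PAM auth error]
Apr 16 17:20:51 mx2 pop3d[93610]: badlogin: host.example.net [192.0.2.10] plaintext alice SASL(-13): authentication failed
Apr 16 17:21:03 mx2 saslauthd[93602]: AUTHFAIL: user=bob service=pop realm= [PAM auth error]
Apr 16 17:21:04 mx2 pop3d[93611]: badlogin: [192.0.2.10] plaintext bob SASL(-13): authentication failed
Apr 16 17:25:40 mx2 saslauthd[93602]: AUTHFAIL: user=carol service=imap realm= [PAM auth error]
"""

STAMP = r"^(?P<day>\w{3}\s+\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ "
AUTHFAIL = re.compile(STAMP + r"saslauthd\[\d+\]: AUTHFAIL: user=(?P<user>\S+) service=(?P<svc>\S+)")
BADLOGIN = re.compile(STAMP + r"\S+\[\d+\]: badlogin: \S*\s*\[(?P<ip>[^\]]+)\] \S+ (?P<user>\S+)")

def _secs(m):
    """Seconds since midnight for a matched timestamp."""
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])

def correlate(log_text, window=2):
    """Pair each saslauthd AUTHFAIL with a Cyrus badlogin for the same user
    on the same day within `window` seconds; ip is None when nothing matches."""
    fails, bad = [], []
    for line in log_text.splitlines():
        if m := AUTHFAIL.match(line):
            fails.append(m)
        elif m := BADLOGIN.match(line):
            bad.append(m)
    results = []
    for f in fails:
        ip = next((b["ip"] for b in bad
                   if b["user"] == f["user"] and b["day"] == f["day"]
                   and abs(_secs(b) - _secs(f)) <= window), None)
        results.append((f["user"], f["svc"], ip))
    return results

def failures_per_ip(log_text):
    """Count badlogin lines per source address to surface brute-force sources."""
    return Counter(m["ip"] for line in log_text.splitlines()
                   if (m := BADLOGIN.match(line)))

if __name__ == "__main__":
    for user, svc, ip in correlate(SAMPLE_LOG):
        print(f"{user:8} {svc:5} {ip or 'no badlogin line found'}")
    print(failures_per_ip(SAMPLE_LOG).most_common())
```

An AUTHFAIL with no matching badlogin line (carol in the sample) is reported with no address, which is also what a display filter hiding the Cyrus facility would look like.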