Failed authentication logging
Charles Bradshaw
brad at bradcan.homelinux.com
Sat Apr 20 05:51:38 EDT 2013
I'm seeing a huge increase in the number of brute force attempts to
authenticate to my mail server. Mostly the attempts are directed at SMTP,
and because I'm using the sql plugin the failed attempts result in an
auth.log entry like this:
Apr 19 23:10:42 mail sendmail[17780]: sql plugin doing query SELECT
pwd('ana','mail.example.com');;
Apr 19 23:10:42 dell2600 sendmail[17780]: sql plugin: no result found
and a maillog entry like this:
Apr 19 23:10:42 dell2600 sendmail[17770]: r3JMAfHF017770: nrhz.de
[85.214.92.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to
MTA
The problem is that the auth.log does not record the IP address of the
offender, and while the maillog does, the 'did not issue' string might be
legitimate.
I'm proposing to use fail2ban on the maillog, but it would be much
cleaner to monitor auth.log.
Is there any way to get the offending IP address into auth.log?
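An added example (not from the post, and not Cyrus or sendmail code) of the maillog-based approach proposed above: a fail2ban-style failregex for the 'did not issue' line, checked locally against constructed sample lines with a maxretry/findtime window so that a single legitimate connection that drops without issuing MAIL is not banned. The regex, the threshold values and the sample hosts and IPs (RFC 5737 documentation ranges, plus the one quoted in the post) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex in fail2ban filter syntax (<HOST> is fail2ban's own placeholder).
# Assumed pattern, written to match the maillog line quoted in the post; the
# "hostname " before [ip] is optional because sendmail omits it when there is no PTR.
FAILREGEX = (r"sendmail\[\d+\]: \S+: (?:\S+ )?\[<HOST>\] did not issue "
             r"MAIL/EXPN/VRFY/ETRN during connection to MTA$")

# The same pattern as a Python regex, with a syslog timestamp group in front
# (fail2ban matches the timestamp itself via its datepattern, not the failregex).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     + FAILREGEX.replace("<HOST>", r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"))

# Constructed sample maillog lines: the line from the post, one legitimate
# one-off connection, and a burst of five from a single host within five minutes.
SAMPLE_MAILLOG = [
    "Apr 19 23:10:42 dell2600 sendmail[17770]: r3JMAfHF017770: nrhz.de [85.214.92.29] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Apr 19 23:11:03 dell2600 sendmail[17802]: r3JMB3Hs017802: mx.example.net [198.51.100.7] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
] + [
    "Apr 19 23:%02d:10 dell2600 sendmail[%d]: r3JMCk%02d0%d: host.invalid [203.0.113.45] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" % (12 + i, 17810 + i, i, 17810 + i)
    for i in range(5)
]

def parse_line(line):
    """Return (timestamp, ip) for a matching maillog line, else None.
    Syslog timestamps carry no year, so deltas are only meaningful within one year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_offenders(lines, maxretry=5, findtime=600):
    """IPs with at least maxretry matches inside any findtime-second sliding window,
    i.e. fail2ban's maxretry/findtime rule applied to the 'did not issue' lines.
    A lone hit (a monitoring probe, a client that gave up) never reaches the threshold."""
    window = defaultdict(deque)
    offenders = set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            offenders.add(ip)
    return offenders
```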