From: "P.A" on 24 May 2010 16:03

I apologize as I know it is somewhat off topic.

I have a postfix server running saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been hit with a lot of dictionary attacks using sasl authentication.

While looking at this issue I noticed that the sasl logs (/var/log/messages) are not logging the remote IP of the failed attempt.

[root(a)mrelay3 deferred]# tail -f /var/log/messages
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

What can I do to have the remote IP show up in the logs? I have looked in this list's archives and searched Google but found nothing.

Thanks,
paul.
From: Brian Evans - Postfix List on 24 May 2010 16:19

On 5/24/2010 4:03 PM, P.A wrote:
> I apologize as I know it is somewhat off topic.
>
> I have a postfix server running saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been hit with a lot of dictionary attacks using sasl authentication.
>
> While looking at this issue I noticed that the sasl logs (/var/log/messages) are not logging the remote IP of the failed attempt.
>
> [root(a)mrelay3 deferred]# tail -f /var/log/messages
> May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
> May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error
>
> What can I do to have the remote IP show up in the logs? I have looked in this list's archives and searched Google but found nothing.

These are PAM and cyrus logs and probably will never show an IP since they are local to your machine.

What you should do is correlate with the mail log using the time stamps to search for the mail transaction that provided a bad password. Postfix always logs IPs for connections.

To control password scanners, I recommend using a log parsing program such as fail2ban.

Brian
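The timestamp correlation Brian describes, as an added example that is not code from the thread: it pairs each saslauthd "auth failure" line with the nearest Postfix smtpd "SASL ... authentication failed" line, which is where the client address actually appears. The log lines below are constructed samples in the syslog shape shown in the thread, the smtpd line format is the one Postfix 2.x emits for a failed SASL login, and the year (2010) and 5-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (syslog timestamp, host, program[pid]: message).
# Client addresses are from documentation ranges, not real hosts.
SYSLOG_LINES = """\
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:35 mrelay3 postfix/smtpd[23490]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:41 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:42 mrelay3 postfix/smtpd[23491]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:30:00 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

SYSLOG_TS = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
# saslauthd never sees the client, so this line carries only the user name.
SASL_FAIL = re.compile(SYSLOG_TS + r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\]")
# Postfix smtpd logs the peer as hostname[address] on every SASL failure.
SMTPD_FAIL = re.compile(SYSLOG_TS + r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

def parse_ts(ts, year=2010):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(lines, window_seconds=5):
    """Pair each saslauthd failure with the closest smtpd SASL failure logged
    within window_seconds. Returns a list of (user, ip); ip is None when no
    smtpd line falls inside the window, so nothing is guessed."""
    smtpd = []
    for line in lines:
        m = SMTPD_FAIL.match(line)
        if m:
            smtpd.append((parse_ts(m["ts"]), m["ip"]))
    results = []
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        near = [(abs((st - t).total_seconds()), ip) for st, ip in smtpd]
        near = [c for c in near if c[0] <= window_seconds]
        results.append((m["user"], min(near)[1] if near else None))
    return results

def failures_per_ip(lines, window_seconds=5):
    """Count correlated failures per client address, the input a fail2ban-style
    threshold would act on."""
    counts = {}
    for _, ip in correlate(lines, window_seconds):
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for user, ip in correlate(SYSLOG_LINES.splitlines()):
        print(f"user={user!r} client={ip or 'no smtpd line within window'}")
```

On a real host the same lines come from /var/log/messages and the Postfix mail log, so feed both files' lines to correlate() and widen the window if the two daemons log with a noticeable lag.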