From: "P.A" on
I apologize, as I know this is somewhat off topic.

I have a postfix server running saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and
recently I have been hit with a lot of dictionary attacks using sasl
authentication.

While looking at this issue I noticed that the sasl logs
(/var/log/messages) are not logging the remote IP of the failed attempt.

[root@mrelay3 deferred]# tail -f /var/log/messages

May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown

May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=

May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure:
[user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error



What can I do to have the remote IP show up in the logs? I have looked in
this list's archives and searched Google but found nothing.

Thanks, Paul.

From: Brian Evans - Postfix List on
On 5/24/2010 4:03 PM, P.A wrote:
>
> I apologize, as I know this is somewhat off topic.
>
> I have a postfix server running saslauthd 2.1.19
> (cyrus-sasl-2.1.19-14) and recently I have been hit with a lot of
> dictionary attacks using sasl authentication.
>
> While looking at this issue I noticed that the sasl logs
> (/var/log/messages) are not logging the remote IP of the failed attempt.
>
>
>
> [root@mrelay3 deferred]# tail -f /var/log/messages
>
> May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
>
> May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=
>
> May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth
> failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM
> auth error
>
>
>
> What can I do to have the remote IP show up in the logs? I have looked
> in this list's archives and searched Google but found nothing.
>

These are PAM and cyrus logs and probably will never show an IP since
they are local to your machine.

What you should do is correlate with the mail log using the time stamps
to search for the mail transaction that provided a bad password.
Postfix always logs IPs for connections.

To control password scanners, I recommend using a log parsing program
such as fail2ban.

Brian
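
The correlation Brian describes, as an added example that is not part of either message: saslauthd and PAM write to /var/log/messages without a client address, while Postfix's smtpd logs "SASL ... authentication failed" together with the connecting IP. The script below parses both logs, pairs each saslauthd failure with the nearest Postfix SASL failure inside a small time window, and then counts failures per IP the way a log-parsing blocker such as fail2ban would before acting. The log lines are constructed to mirror the thread's format (syslog timestamps carry no year, so 2010 is assumed); the function names and the 5-second window are choices made here, not anything from Postfix or Cyrus SASL.

```python
# Added example: recover the remote IP behind saslauthd/PAM failures by
# correlating /var/log/messages with the Postfix mail log on timestamps,
# then count failures per IP (fail2ban-style threshold). Not code from the
# thread or from Postfix/Cyrus SASL; sample log lines are constructed.
import re
from collections import Counter
from datetime import datetime

# Constructed sample: saslauthd failures as they appear in /var/log/messages.
MESSAGES_LOG = """\
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:41 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:18:02 mrelay3 saslauthd[23505]: do_auth         : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Constructed sample: the Postfix mail log, which does carry the client IP.
MAIL_LOG = """\
May 24 11:17:33 mrelay3 postfix/smtpd[23510]: connect from unknown[192.0.2.10]
May 24 11:17:36 mrelay3 postfix/smtpd[23510]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:42 mrelay3 postfix/smtpd[23510]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:50 mrelay3 postfix/smtpd[23511]: connect from mail.example.net[198.51.100.7]
May 24 11:18:03 mrelay3 postfix/smtpd[23512]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
"""

SYSLOG_TS = r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
SASL_FAIL_RE = re.compile(
    SYSLOG_TS + r" \S+ saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=([^\]]*)\]")
POSTFIX_FAIL_RE = re.compile(
    SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: warning: [^\s\[]+\[([^\]]+)\]: "
    r"SASL \w+ authentication failed")


def parse_ts(stamp, year):
    """Syslog stamps have no year; the caller supplies one (assumed 2010 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_sasl_failures(text, year=2010):
    """Return [(datetime, username)] for each saslauthd 'auth failure' line."""
    out = []
    for line in text.splitlines():
        m = SASL_FAIL_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1), year), m.group(2)))
    return out


def parse_postfix_failures(text, year=2010):
    """Return [(datetime, client_ip)] for each smtpd 'SASL ... failed' warning."""
    out = []
    for line in text.splitlines():
        m = POSTFIX_FAIL_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1), year), m.group(2)))
    return out


def correlate(sasl_failures, postfix_failures, window_seconds=5):
    """Pair each saslauthd failure with the nearest Postfix failure within the
    window; smtpd logs its warning shortly after saslauthd returns, so the
    offsets are small. Unmatched entries get ip=None rather than a guess."""
    matched = []
    for when, user in sasl_failures:
        candidates = [(abs((pw - when).total_seconds()), ip)
                      for pw, ip in postfix_failures]
        candidates = [c for c in candidates if c[0] <= window_seconds]
        matched.append((user, min(candidates)[1] if candidates else None))
    return matched


def offenders(matched, threshold=2):
    """IPs with at least `threshold` correlated failures: the set a blocker
    such as fail2ban would act on."""
    counts = Counter(ip for _, ip in matched if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    pairs = correlate(parse_sasl_failures(MESSAGES_LOG),
                      parse_postfix_failures(MAIL_LOG))
    for user, ip in pairs:
        print(f"user={user!r:10} client={ip}")
    print("over threshold:", offenders(pairs))
```

On a live system, the same two regexes can be fed /var/log/messages and /var/log/maillog directly; when the mail log already records the failing client, as Postfix's smtpd warning does, the Postfix line alone is usually enough and the saslauthd entry only adds the attempted username.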