Re: saslauth logging




On Wed, 26 Apr 2017, Jobst Schmalenbach wrote:

> On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer (gordon.messmer@xxxxxxxxx) wrote:
> > On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
> > > What I want is the IP address and if possible the incorrect password (just
> > > to see how far they are off).  Is this possible?
> >
> > I hope not.  That's a terrible idea.  Every time a user fat-fingers their
> > password, your plain-text logs have a copy of their almost-correct
> > password.
>
> As always there are tradeoffs ...
> I have a reasonably strict password policy, so by looking at the failed
> passwords I can see how far the tries are off the real thing, so it actually
> is a good thing for me. Also I learn which passwords are used for cracking,
> which again is a good thing. As for the logged passwords - this is a non-user
> server, only two people have access ... so reading the logs is
> difficult for imap/sendmail users in the company ...

Sorry, listen to Gordon; this is a terrible idea.

You accept a certain amount of password leakage into log files as hard to
avoid (a user puts their password into a username field without noticing), but
deliberately logging typoed passwords, or indeed valid passwords but for the
wrong account into a log file, so you can keep an eye on what's being used is
a step beyond simple bad practice.

If you have a strict password policy, then you should have mechanisms in place
to enforce it, but not human ones.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
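An added example, not from this thread or any of its posters, of the kind of non-human mechanism jh's reply points to: detection run over failed-authentication log lines that records only the source IP and username per attempt, never the attempted password, and flags sources that keep failing. The log line format and the sample lines are constructed assumptions in the style of a sendmail/Cyrus SASL failure message, not copied from any real system.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a sendmail SASL auth failure log.
# The exact format is an assumption for this example; note that no password
# appears anywhere, only who tried, from where, and that it failed.
SAMPLE_LOG = """\
Apr 26 09:01:13 mx sendmail[2240]: AUTH failure (LOGIN): checkpass failed, user=alice, relay=[203.0.113.7]
Apr 26 09:01:19 mx sendmail[2241]: AUTH failure (LOGIN): checkpass failed, user=alice, relay=[203.0.113.7]
Apr 26 09:01:25 mx sendmail[2243]: AUTH failure (LOGIN): checkpass failed, user=alice, relay=[203.0.113.7]
Apr 26 09:01:31 mx sendmail[2244]: AUTH failure (LOGIN): checkpass failed, user=admin, relay=[203.0.113.7]
Apr 26 09:02:02 mx sendmail[2250]: AUTH failure (LOGIN): checkpass failed, user=bob, relay=[198.51.100.9]
Apr 26 09:02:40 mx sendmail[2251]: AUTH failure (LOGIN): checkpass failed, user=bob, relay=[198.51.100.9]
"""

# Matches the assumed line format: the username and the client IP in relay=[...]
FAILURE_RE = re.compile(r"AUTH failure .*user=(?P<user>[^,\s]+), relay=\[(?P<ip>[^\]]+)\]")


def parse_failures(log_text):
    """Return (ip, user) pairs for every failure line.

    Only these two fields are kept, so the summary can be shared or
    retained without ever holding a credential or a near-miss of one.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def summarize(events, threshold=3):
    """Count failures per source IP and the distinct usernames each IP tried.

    Any IP with at least `threshold` failures is flagged. That answers the
    practical question ("who is guessing against my server?") without
    recording what they guessed.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for ip, user in events:
        per_ip[ip]["failures"] += 1
        per_ip[ip]["users"].add(user)
    flagged = sorted(ip for ip, s in per_ip.items() if s["failures"] >= threshold)
    return per_ip, flagged


if __name__ == "__main__":
    per_ip, flagged = summarize(parse_failures(SAMPLE_LOG))
    for ip in flagged:
        print(f"{ip}: {per_ip[ip]['failures']} failures, users {sorted(per_ip[ip]['users'])}")
```

A real deployment would feed this from /var/log/maillog or journald and hand the flagged IPs to a blocker such as fail2ban rather than printing them.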