Hi, I am using saslauthd 2.1.19 (cyrus-sasl-2.1.19-14), and
recently I have been hit with a lot of dictionary attacks using SASL
authentication. While looking at this issue I noticed that the SASL logs (/var/log/messages)
are not logging the remote IP of the failed attempts.

[root@mrelay3 deferred]# tail -f /var/log/messages
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

What can I do to have the remote IP show up in the logs? I
have looked in this list's archives and searched Google but found nothing. If
this is not possible for some reason, what is the best/recommended way of
getting the remote IP info? Also, are there any options built into Cyrus SASL
that can minimize dictionary attacks?

Thanks very much,
Paul