Re: remote client ip

On 24/05/10 12:31 -0400, P.A wrote:
Hi, using saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been
hit with a lot of dictionary attacks using sasl authentication.

While looking at this issue I noticed that the sasl logs
(/var/log/messages) are not logging the remote ip of the failed attempts.


[root@mrelay3 deferred]# tail -f /var/log/messages
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth         : auth failure:
[user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

From a cursory inspection of lib/pwcheck.c, saslauthd does not get passed
any client IP information and cannot log it or forward it to pam.

What can I do to have the remote ip show up in the logs? I have looked in
this list's archives and searched Google but found nothing. If this is not
possible for some reason, what is the best/recommended way of getting the
remote ip info? Also, are there any options built into cyrus sasl that can
minimize dictionary attacks?

You could investigate to see if your smtp server can log IP connection
information.

If you're using Linux, this article may be useful:

http://www.debian-administration.org/articles/187

Cyrus does have a provision for mitigating dictionary attacks, which is to
specify a 'nodict' security flag, which may or may not be allowable in your
smtp server config. In postfix, it's specified as:

smtpd_sasl_security_options = nodictionary

However, that essentially just restricts your allowed authentication
mechanisms to those that are not prone to dictionary attacks, namely:

SRP
PASSDSS
EXTERNAL

(see pluginviewer)

--
Dan White
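Following the reply's first suggestion (have the smtp server rather than saslauthd record the client address), here is an added example that is not part of this thread: a small Python script that reads SASL failure warnings in the form postfix/smtpd writes them to syslog (client hostname and IP in brackets) and reports source addresses that exceed a failure threshold inside a sliding time window, the same rule a fail2ban-style jail applies. The log lines below are constructed samples with RFC 5737 documentation addresses, the year is assumed constant because syslog timestamps carry none, and the threshold and window values are arbitrary assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape postfix/smtpd logs to syslog when a
# SASL authentication attempt fails. Hosts and addresses are documentation
# (RFC 5737) values, not real clients. Note that the "connect from" line
# carries no failure and must not be counted.
SAMPLE_LOG = """\
May 24 11:17:30 mrelay3 postfix/smtpd[23505]: connect from unknown[203.0.113.7]
May 24 11:17:33 mrelay3 postfix/smtpd[23505]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:35 mrelay3 postfix/smtpd[23505]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:38 mrelay3 postfix/smtpd[23505]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
May 24 11:17:40 mrelay3 postfix/smtpd[23505]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:17:41 mrelay3 postfix/smtpd[23505]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:20:02 mrelay3 postfix/smtpd[23610]: warning: mail.example.net[198.51.100.4]: SASL PLAIN authentication failed: authentication failure
May 24 11:45:00 mrelay3 postfix/smtpd[23712]: warning: unknown[198.51.100.4]: SASL PLAIN authentication failed: authentication failure
"""

# Syslog timestamp, host, smtpd pid, then the SASL failure warning with the
# client's reverse name and address; only the pieces we use are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)


def parse_failures(text):
    """Yield (timestamp, client_ip, mechanism) for each SASL failure line.

    Syslog timestamps have no year, so the parsed datetimes all land in
    1900 (assumption: the file does not span a year boundary); only the
    differences between them matter here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("mech")


def offenders(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for addresses with at least `threshold`
    failures inside any window of length `window` (sliding over the
    sorted timestamps of that address)."""
    by_ip = defaultdict(list)
    for ts, ip, _mech in parse_failures(text):
        by_ip[ip].append(ts)

    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits within `window` of `end`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(count, hits.get(ip, 0))
    return hits


if __name__ == "__main__":
    for ip, count in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {count} SASL failures within 10 minutes")
```

On a live system the script would read /var/log/mail.log (or wherever postfix logs) instead of SAMPLE_LOG; what it reports is the address to rate-limit or block at the firewall, which is what the fail2ban route in the linked article automates.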

