Dan, great info. What I ended up doing is making sure ntpd was running and looking at the maillog's timestamps for the IP. I also ended up using pam_tally to disable any account name that has X number of failed logins, along with disabling VRFY on the mail server. I think that should help me. Thanks to all that responded.

-----Original Message-----
From: Dan White [mailto:dwhite@xxxxxxx]
Sent: Monday, May 24, 2010 11:56 PM
To: P.A
Cc: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: Re: remote client ip

On 24/05/10 12:31 -0400, P.A wrote:
>Hi, using saslauthd 2.1.19 (cyrus-sasl-2.1.19-14) and recently I have been
>hit with a lot of dictionary attacks using sasl authentication.
>
>While looking at this issue I noticed that the sasl logs
>(/var/log/messages) are not logging the remote ip of the failed attempts.
>
>[root@mrelay3 deferred]# tail -f /var/log/messages
>
>May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: check pass; user unknown
>
>May 24 11:17:33 mrelay3 smtp(pam_unix)[23505]: authentication failure;
>logname= uid=0 euid=0 tty= ruser= rhost=
>
>May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure:
>[user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error

From a cursory inspection of lib/pwcheck.c, saslauthd does not get passed
any client IP information and cannot log it or forward it to pam.

>What can I do to have the remote ip show up on the logs. I have looked on
>this list's archives and searched google but found nothing. If this is not
>possible for some reason what is the best/recommended way about getting the
>remote ip info. Also are there any options built into cyrus sasl that can
>minimize dictionary attacks?

You could investigate to see if your smtp server can log IP connection
information.

If you're using Linux, this article may be useful:
http://www.debian-administration.org/articles/187

Cyrus does have provisions for mitigating dictionary attacks, which is to
specify a 'nodict' security flag, which may or may not be allowable in your
smtp server config. In postfix, it's specified as:

smtpd_sasl_security_options = nodictionary

However, that essentially just restricts your allowed authentication
mechanisms to those that are not prone to dictionary attacks, namely:

SRP
PASSDSS
EXTERNAL

(see pluginviewer)

--
Dan White
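The timestamp correlation P.A describes, scripted as an added example (not code from the thread or from Cyrus): each saslauthd failure in /var/log/messages is attributed to whichever smtpd session in the maillog was open at that second. The log lines are constructed samples; the maillog lines assume Postfix's "connect from" / "disconnect from" format, and the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

YEAR = 2010  # assumed: syslog timestamps carry no year
# Constructed sample lines, not from the thread (Postfix connect/disconnect format assumed).
MESSAGES_LOG = """\
May 24 11:17:35 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=freedo] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 11:17:41 mrelay3 saslauthd[23505]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""
MAILLOG = """\
May 24 11:17:30 mrelay3 postfix/smtpd[23600]: connect from unknown[203.0.113.5]
May 24 11:17:38 mrelay3 postfix/smtpd[23600]: disconnect from unknown[203.0.113.5]
May 24 11:17:39 mrelay3 postfix/smtpd[23601]: connect from unknown[198.51.100.7]
"""
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[(\d+)\]: (.*)$")
SASL_FAIL = re.compile(r"do_auth : auth failure: \[user=([^\]]*)\]")
SMTPD_CONN = re.compile(r"^(connect|disconnect) from \S*?\[([\d.]+)\]")


def parse_ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def smtpd_sessions(maillog):
    """Return [[ip, connect_time, disconnect_time_or_None], ...] keyed by smtpd pid."""
    open_by_pid, sessions = {}, []
    for line in maillog.splitlines():
        m = SYSLOG.match(line)
        c = m and m.group(2) == "postfix/smtpd" and SMTPD_CONN.match(m.group(4))
        if not c:
            continue
        ts, pid = parse_ts(m.group(1)), m.group(3)
        if c.group(1) == "connect":
            open_by_pid[pid] = [c.group(2), ts, None]
            sessions.append(open_by_pid[pid])
        elif pid in open_by_pid:  # disconnect closes the session for that pid
            open_by_pid.pop(pid)[2] = ts
    return sessions


def attribute_failures(messages_log, maillog):
    """Pair each saslauthd failure with the client IP(s) connected at that second.
    [] means no session covered the time (clock skew, rotated log); >1 IP is ambiguous."""
    sessions, result = smtpd_sessions(maillog), []
    for line in messages_log.splitlines():
        m = SYSLOG.match(line)
        f = m and m.group(2) == "saslauthd" and SASL_FAIL.search(m.group(4))
        if not f:
            continue
        t = parse_ts(m.group(1))
        ips = sorted({ip for ip, s, e in sessions if s <= t and (e is None or e >= t)})
        result.append((m.group(1), f.group(1), ips))
    return result
```

Because saslauthd's pid is not the smtpd pid, the join is by time only, which is why ntpd matters and why more than one concurrent session leaves the attribution ambiguous rather than proven.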