saslauthd/PAM IP logging on failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

This topic has come up before (most recently last summer - http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html), but no resolution was ever reached and this issue has recently become rather important for me as I've been working to secure my server.

I'm using CentOS 5 (RHEL 5) with cyrus-sasl 2.1.22-5 (the default CentOS/RHEL release version).

Using the current codebase, when saslauthd experiences an auth failure, it does not log the remote host IP or requested login name. This is particularly obvious when using PAM, wherein the failure gets logged to /var/log/secure as:

Mar 9 06:56:41 hostname saslauthd[25858]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

This is a problem because these log entries are essentially useless for automated firewalling, e.g. via fail2ban or BFD.

In looking through the code, I see that the root cause of the issue is that auth_pam() in saslauthd/auth_pam.c does not include any argument for the rhost, and the requested login info is also (apparently) not passed into the proper field of the pamh structure; thus, neither rhost nor user get recorded by PAM.

In principle, it should be possible to fill these fields in using (for example) sasl_getprop and pam_set_item, but I am not sufficiently well-versed in the codebase to write such a patch. (In particular, no sasl_conn_t variable is even present in auth_pam(), which sasl_getprop requires.) A patch was once written for a (very old!) version of cyrus-sasl, v1.5.24 (see http://www.uklinux.net/software/cyrus-sasl-1.5.24-pam-rhost.patch), but this appears to have never become a part of the official codebase, and I haven't yet figured out how to forward-port this patch into the current sasl code.

Has anyone here written or know of a patch for sasl to get saslauthd (particularly using auth_pam, but also for any other auth method) to properly record both the rhost and user fields in the error logs? If not, would someone be willing to help craft such a patch? I think this would be something very important to get into the codebase, because the PAM errors currently being recorded are of very limited use, particularly for automated firewalls like fail2ban or BFD.

Any help would be greatly appreciated - I would very much like to finally be able to use fail2ban (or BFD) to kill SMTP AUTH hack attempts.

Thanks in advance.
						-- Amir


[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux