Re: saslauthd/PAM IP logging on failure

It sounds like Sendmail isn't sending the correct data, or in the correct format. I believe sasl/saslauthd logs the remote, but I think you need to use the debug flag and have syslog configured properly to see it.







Quoting Amir 'CG' Caspi <cepheid@xxxxxxxxxx>:

At 1:16 AM -0500 04/03/2011, Dan White wrote:
One approach might be to add an additional item to the protocol that passes the client IP on to PAM.

Right, that sounds like probably the best (perhaps only) way to do it... if saslauthd isn't even getting the remote IP, then the first step is to pass the remote IP to saslauthd, so that it can then pass it on to whichever auth method it's using (whether that's PAM, kerberos, or whatever else).

Although, that brings up a question: would sendmail then need to be modified to pass the rhost IP to saslauthd, as well? As in, would implementing this change not do anything, if sendmail isn't also modified?

I think this is something that needs to be fixed in a logical and supportable way.

Agreed! And, based on Google searches (and this list's own history), I know I'm not the only one who wants to see saslauthd properly logging the remote IP (whether it's via PAM or via any other authentication method).

Is your goal to see the IP address of a failed login attempt within syslog? Or is your ultimate goal to make use of the IP address within a PAM module to make authentication decisions?

The first one - I want to see the IP address of the failed login within syslog, so that brute-force detection utilities (e.g. fail2ban or BFD) can then use that information to ban those IPs. This would allow prevention of hack attempts or DDoS attacks automatically.

Of course, having the IP within the PAM module would obviously also allow authentication decisions (e.g. for people who want to restrict usage to certain subnets), but my primary goal is just getting the IP address in the logs.

(The requested username would be nice, too, since that information is already there - it's already being passed to saslauthd, but, for some reason, is also not being logged by PAM. But, the rhost IP is the paramount piece of info.)
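
An added example, not part of the thread or of the Cyrus SASL code: a per-IP failure counter of the kind that fail2ban-style tools rely on, run over constructed log lines. It assumes the pam_unix syslog layout with an `rhost=` field, and shows that failures logged without a remote host cannot be turned into a ban. The hostname, PIDs, addresses and threshold are made up.

```python
import re
from collections import Counter

# Constructed sample lines (assumed pam_unix syslog layout). Addresses are
# from the RFC 5737 documentation ranges; nothing here is from a real host.
SAMPLE_LOG = """\
Apr  3 01:10:02 mail saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Apr  3 01:10:05 mail saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bob
Apr  3 01:10:07 mail saslauthd[2101]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  3 01:10:09 mail sshd[2200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  3 01:10:11 mail sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  3 01:10:13 mail sshd[2202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Apr  3 01:10:20 mail sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.4  user=root
Apr  3 01:10:30 mail sendmail[2300]: p331AU0x002300: from=<a@example.org>, size=512
"""

# Captures the logging process name and the rhost value, which may be empty.
FAILURE = re.compile(
    r"(?P<proc>[\w./-]+)\[\d+\]: pam_unix\([^)]*\): "
    r"authentication failure;.*?\brhost=(?P<rhost>\S*)"
)

def summarize(log_text, threshold=3):
    """Return (hosts at or over threshold, {process: failures with no rhost})."""
    per_host = Counter()
    unattributable = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # not a PAM authentication failure
        if m["rhost"]:
            per_host[m["rhost"]] += 1
        else:
            # A failure happened, but there is no address to act on.
            unattributable[m["proc"]] += 1
    bannable = sorted(h for h, n in per_host.items() if n >= threshold)
    return bannable, dict(unattributable)

if __name__ == "__main__":
    hosts, blind = summarize(SAMPLE_LOG)
    print("ban candidates:", hosts)
    print("failures without a remote host:", blind)
```
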


