On Mon, 2016-09-26 at 09:00 -0500, Dan White wrote:
> On 09/26/16 03:42 +0300, Alexandru N. Barloiu via Cyrus-sasl wrote:
> >
> > i've been interested lately to log a little bit more about the entries
> > that concern wrong passwords. both in cyrus and in postfix.
> > We use fail2ban to block brute force attempts.
> >
> > so i hacked a bit lib/server.c and plugins/plain.c to log password as
> > well. but it's still an ugly hack.
> >
> > i was wondering if anyone else thought about this. i have millions of
> > queries daily, and some are right on the money. like the right user,
> > the right domain. and after a few weeks of trying this i figured out,
> > sometimes they even have an old password.
> >
> > all sorts of weird IPs. like from china, north korea, ukraine, russia
> > and so on. i know it's a bad idea to log passwords, but in this case,
> > it's a good thing to know which passwords are compromised.
>
> How do you use logging passwords as a way to correlate a compromised
> account? Isn't it sufficient just to know where the connections are
> coming from, or finding spam through some analysis?

Hi. Well, I made something similar to fail2ban, except it doesn't ban, but greps the logs for used passwords and mails daily a list of tried passwords to each account. Therefore it's up to the users to NOT use those passwords on this server or anywhere else. The same script also mails a list of IPs from where the user successfully logged on, so that the user can figure out if someone else has been using his account. To my surprise, my account received tries with my actual own passwords that I used in the past in various places on the internet. An old Yahoo password. A password I only used in an MMORPG game online. Passwords from forums, blogs and so on. Which is somewhat scary to me.
Now that I think about it, instead of logging the password and parsing logs later, perhaps it would be a better idea if cyrus-sasl would queue a mail for said user when someone tries a wrong password: "hey user X, someone is trying to get into your account with password Y". Feels less like a hack. What do you think?
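As an added example (not code from this thread, from the poster's script, or from the Cyrus SASL project): a small Python script in the spirit of the daily-report script described above. It parses syslog-style lines for failed and successful SASL logins, groups them per account, and renders the notice that would be mailed to each account owner: failed-attempt counts per source IP, plus the addresses that logged in successfully so the owner can spot ones that are not theirs. Unlike the script in the message it never extracts or stores the attempted password, only the account, the source address and the outcome. The sample log lines are constructed and only approximate Postfix smtpd and Cyrus imapd output (the `sasl_username=` suffix on Postfix failure lines is assumed), so the regular expressions should be checked against the real logs of the host they are run on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines approximating Postfix smtpd and Cyrus imapd
# output for failed and successful SASL logins. Not copied from a real host.
SAMPLE_LOG = """\
Sep 26 03:42:01 mail postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.org
Sep 26 03:42:07 mail postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.org
Sep 26 03:45:13 mail imap[2114]: badlogin: [198.51.100.7] plaintext alice@example.org SASL(-13): authentication failure: checkpass failed
Sep 26 08:10:42 mail imap[2130]: login: [192.0.2.20] alice@example.org plaintext User logged in
Sep 26 08:12:00 mail postfix/smtpd[2042]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob@example.org
Sep 26 09:00:05 mail imap[2150]: login: [192.0.2.21] bob@example.org plaintext User logged in
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# Failed SASL authentication reported by Postfix smtpd (assumes the
# sasl_username= suffix is present on the line).
FAIL_SMTPD = re.compile(
    rf"\[(?P<ip>{IPV4})\]: SASL \S+ authentication failed:.*?sasl_username=(?P<user>\S+)"
)
# Failed login reported by Cyrus imapd.
FAIL_IMAP = re.compile(rf"badlogin: \[(?P<ip>{IPV4})\] \S+ (?P<user>\S+) SASL")
# Successful login reported by Cyrus imapd ("(?<!bad)" keeps badlogin: out).
OK_IMAP = re.compile(
    rf"(?<!bad)login: \[(?P<ip>{IPV4})\] (?P<user>\S+) \S+ User logged in"
)


def parse_auth_events(log_text):
    """Return a list of (user, source_ip, succeeded) tuples, one per auth event.

    Only the account name, the source address and the outcome are kept; the
    attempted credential is never part of the record.
    """
    events = []
    for line in log_text.splitlines():
        for pattern, ok in ((FAIL_SMTPD, False), (FAIL_IMAP, False), (OK_IMAP, True)):
            m = pattern.search(line)
            if m:
                events.append((m.group("user"), m.group("ip"), ok))
                break
    return events


def build_reports(events):
    """Group events per account: failed attempts counted per source IP, plus
    the sorted list of distinct addresses that logged in successfully."""
    reports = defaultdict(lambda: {"failed": Counter(), "succeeded": set()})
    for user, ip, ok in events:
        if ok:
            reports[user]["succeeded"].add(ip)
        else:
            reports[user]["failed"][ip] += 1
    return {
        user: {"failed": dict(r["failed"]), "succeeded": sorted(r["succeeded"])}
        for user, r in reports.items()
    }


def format_report(user, report):
    """Render the daily notice that would be mailed to one account owner."""
    lines = [f"Authentication summary for {user}"]
    lines.append("Failed attempts against your account (source IP: count):")
    if report["failed"]:
        for ip, n in sorted(report["failed"].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {ip}: {n}")
    else:
        lines.append("  none")
    lines.append("Addresses that logged in successfully (verify these are yours):")
    for ip in report["succeeded"] or ["none"]:
        lines.append(f"  {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In a cron job the report text would be handed to the MTA per user;
    # here it is just printed.
    for user, report in build_reports(parse_auth_events(SAMPLE_LOG)).items():
        print(format_report(user, report))
        print()
```

Keeping the report to source addresses and counts gives the account owner the same actionable signal the poster wanted (someone is targeting this account; these are the addresses that actually got in) without a file of cleartext passwords on the server that has to be protected and eventually purged.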