Failed authentication logging


 



I'm seeing a huge increase in the number of brute force attempts to
authenticate my mail server. Mostly the attempts are directed at SMTP,
and because I'm using the sql plugin the failed attempts result in an
auth.log entry like this:
Apr 19 23:10:42 mail sendmail[17780]: sql plugin doing query SELECT
pwd('ana','mail.example.com');;
Apr 19 23:10:42 dell2600 sendmail[17780]: sql plugin: no result found

and a maillog entry like this:
Apr 19 23:10:42 dell2600 sendmail[17770]: r3JMAfHF017770: nrhz.de
[85.214.92.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to
MTA

The problem is that the auth.log does not record the IP address of the
offender, and while the maillog does the 'did not issue' string might be
legitimate.

I'm proposing to use fail2ban on the maillog, but it would be much
cleaner to monitor auth.log.

Is there any way to get the offending IP address into auth.log?

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
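
One way to tie the two logs together for a fail2ban-style count, as an added example (not part of the original message, and not Cyrus SASL or sendmail code): a maillog "did not issue" line is counted against an IP only when auth.log shows an sql plugin "no result found" shortly before it, which filters out the legitimate connections the post worries about. Assumptions: both logs come from the same host and clock, the 10-second window and the threshold of 2 are arbitrary choices, and every sample line except the first maillog line is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed samples in the two formats quoted in the post.
AUTH_LOG = """\
Apr 19 23:10:42 dell2600 sendmail[17780]: sql plugin: no result found
Apr 19 23:10:45 dell2600 sendmail[17791]: sql plugin: no result found
Apr 19 23:30:00 dell2600 sendmail[17900]: sql plugin: no result found
"""
MAIL_LOG = """\
Apr 19 23:10:42 dell2600 sendmail[17770]: r3JMAfHF017770: nrhz.de [85.214.92.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 19 23:10:46 dell2600 sendmail[17785]: r3JMAfHG017785: nrhz.de [85.214.92.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 19 23:20:00 dell2600 sendmail[17850]: r3JMAfHH017850: host.example.net [192.0.2.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

FAIL_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: sql plugin: no result found")
CONN_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: \w+: (?:\S+ )?\[([\d.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN")

def ts(stamp):
    # Syslog stamps carry no year; a fixed leap year is assumed so Feb 29 parses.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def failed_auth_by_ip(auth_log, mail_log, window=timedelta(seconds=10)):
    """Count 'did not issue' connections preceded by an auth failure within `window`."""
    fails = [ts(m.group(1)) for m in map(FAIL_RE.match, auth_log.splitlines()) if m]
    hits = Counter()
    for m in filter(None, map(CONN_RE.match, mail_log.splitlines())):
        closed = ts(m.group(1))
        # The maillog line is written when the connection ends, so the
        # failure must fall at or before it, no more than `window` earlier.
        if any(timedelta(0) <= closed - f <= window for f in fails):
            hits[m.group(2)] += 1
    return hits

def offenders(hits, threshold=2):
    """IPs with at least `threshold` correlated failures (hypothetical ban cutoff)."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    counts = failed_auth_by_ip(AUTH_LOG, MAIL_LOG)
    print(counts, offenders(counts))
```

The match is by time only, so on a busy server an unrelated connection that closes inside the window can be miscounted; a short window and a threshold above 1 limit that.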



