How is SMTP authentication logging controlled?

I get a ton of failed SMTP login attempts. I'd really like to defend against it, but the logging of those attempts is poor.



I'm using sendmail 8.15, cyrus-sasl 2.1.26. The SASL setup is the simplest way, defaults all around, authenticating with pam_unix.



I get log messages like this a lot:



saslauthd[8292]: pam_unix(smtp:auth): check pass; user unknown
saslauthd[8292]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
saslauthd[8292]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
saslauthd[8292]: do_auth : auth failure: [user=colby] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]


This means that while I know bogus attempts to log in are happening, I can't really do anything about it, like have fail2ban jail them.



I can't really tell if the problem is that Sendmail is telling pam_unix things, and it's dumping them, or if sendmail isn't telling pam about where the attempt is being made.



What I want is for auth attempts to be logged with the IP address they came from, so if there are a lot of failures, fail2ban can jail the IP.



Sorry this is a kind of broad question, but for the life of me, I can't figure out how to control the logging in any of sendmail, cyrus-sasl or pam_unix, or if the programs even try to log the right thing.









Tags: pam, sendmail, sasl

asked 2 mins ago by Hack Saw
