How is SMTP authentication logging controlled?
I get a ton of failed SMTP login attempts. I'd really like to defend against it, but the logging of those attempts is poor.
I'm using sendmail 8.15, cyrus-sasl 2.1.26. The SASL setup is the simplest way, defaults all around, authenticating with pam_unix.
I get log messages like this a lot:
saslauthd[8292]: pam_unix(smtp:auth): check pass; user unknown
saslauthd[8292]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
saslauthd[8292]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
saslauthd[8292]: do_auth : auth failure: [user=colby] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
This means that while I know bogus attempts to log in are happening, I can't really do anything about it, like have fail2ban jail them.
I can't really tell if the problem is that Sendmail is telling pam_unix things, and it's dumping them, or if sendmail isn't telling pam about where the attempt is being made.
What I want is for auth attempts to be logged with the IP address where it came from, so if there are a lot of failures, fail2ban can jail the IP.
Sorry this is a kind of broad question, but for the life of me, I can't figure out how to control the logging in any of sendmail, cyrus-sasl or pam_unix, or if the programs even try to log the right thing.
pam sendmail sasl
asked 2 mins ago
Hack Saw
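
An added example, not part of the original post: a Python parser for the saslauthd lines quoted in the question that tallies failures per user and collects any non-empty rhost values, showing that these lines alone give an IP-keyed ban nothing to match. The fifth sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the four lines quoted in the question, plus one
# constructed do_auth failure for a second user.
SAMPLE = """\
saslauthd[8292]: pam_unix(smtp:auth): check pass; user unknown
saslauthd[8292]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
saslauthd[8292]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
saslauthd[8292]: do_auth : auth failure: [user=colby] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[8293]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

PAM_FAIL = re.compile(r"pam_unix\((?P<svc>[^)]*)\): authentication failure; (?P<kv>.*)$")
DO_AUTH = re.compile(r"do_auth\s*: auth failure: (?P<fields>(?:\[[^\]]*\]\s*)+)$")
BRACKET = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_pam_kv(kv):
    """Split 'logname= uid=0 ... rhost=' into a dict; empty values stay ''."""
    out = {}
    for token in kv.split():
        key, _, value = token.partition("=")
        out[key] = value
    return out


def summarize(text):
    """Return (failures per user, set of non-empty rhost values seen)."""
    per_user = Counter()
    rhosts = set()
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            rhost = parse_pam_kv(m.group("kv")).get("rhost", "")
            if rhost:  # only a populated rhost is usable as a ban key
                rhosts.add(rhost)
            continue
        m = DO_AUTH.search(line)
        if m:
            fields = dict(BRACKET.findall(m.group("fields")))
            per_user[fields.get("user", "")] += 1
    return per_user, rhosts


if __name__ == "__main__":
    users, rhosts = summarize(SAMPLE)
    print("failures per user:", dict(users))
    print("remote hosts logged:", sorted(rhosts) or "none")
```
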