getting the ip address of failed authentications

Michael Grant

Sep 26, 2008, 3:01:47 AM
I'm seeing more and more people (spammers?) trying to guess at
passwords via smtp. I see them in the logs like this:

Sep 25 12:37:32 charm sm-mta[81136]: m8PGbR9N081136: AUTH failure
(LOGIN): authentication failure (-13) SASL(-13): authentication
failure: checkpass failed
Sep 25 12:37:33 charm sm-mta[81136]: m8PGbR9N081136:
cr-1-2-3-4.netvisao.pt [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN
during connection to MTA

and in the authlog I see this:

/var/log/auth.log:Sep 25 12:37:32 charm saslauthd[974]:
do_auth : auth failure: [user=someone] [service=smtp] [realm=]
[mech=pam] [reason=PAM auth error]

When logins via ssh or ftp fail, I get the IP address along with the
username attempted in the auth.log. Sendmail (or is it Cyrus SASL?)
isn't logging this info in the auth.log.

Is there any way to get sendmail to log the ip address and attempted
user in the auth.log upon a failed authentication?

Michael Grant

Grant Taylor

Sep 26, 2008, 11:26:58 AM
On 09/26/08 02:01, Michael Grant wrote:
> Is there any way to get sendmail to log the ip address and attempted
> user in the auth.log upon a failed authentication?

I don't think there will be an easy way to do what you are wanting to
do. Mainly this is because Sendmail takes the UN and PW pair and passes
it off to Cyrus SASL to have it validate the UN and PW pair. So when
Cyrus SASL attempts to validate the UN and PW and fails, it logs the
information that it has and then returns the result to Sendmail.
Sendmail then logs that the authentication failed. So you have your
information, it's just split up across two different log files without
any good correlation between them.

About the only thing that I can think to suggest is to find a way to get
Sendmail to log the UN that it passes to Cyrus SASL. At least that way
you would have the time stamp and the UN to correlate the mail and auth
logs with each other.

Question: Why are you wanting to know the user name that was tried? Is
the fact that an authentication failure (one or more) enough in mail
logs, or are you looking for something more specific or across multiple
log entries?

Grant. . . .

Michael Grant

Sep 26, 2008, 5:16:18 PM
I suspect you are correct. In order to get this info, I'll just have
to write some script to put things together.

I want to do this so I can block these ankle biters in the firewall.
It's not so much the username I'm concerned with, it's the ip address
and the fact that it's an authentication failure and it's different
user names over and over again. This information is spread across at
least 2 lines in the maillog. In the auth log, for the other programs
like ssh and ftp, it's neatly on one line. I'll write a little script
that watches the maillog and then logs the info to the auth.log.

Thanks for your reply.

Michael

Carl Byington

Sep 26, 2008, 6:10:27 PM
On Fri, 26 Sep 2008 00:01:47 -0700, Michael Grant wrote:

> I'm seeing more and more people (spammers?) trying to guess at passwords
> via smtp. I see them in the logs like this:

> Sep 25 12:37:32 charm sm-mta[81136]: m8PGbR9N081136: AUTH failure
> (LOGIN):
> authentication failure (-13) SASL(-13): authentication failure: checkpass
> failed
> Sep 25 12:37:33 charm sm-mta[81136]: m8PGbR9N081136:
> cr-1-2-3-4.netvisao.pt [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN during
> connection to MTA

This might require a higher logging level, but I see:

authentication failure: checkpass failed
lost input channel from name [ip] to MTA after auth
name [ip] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

If almost all of your (spammer) authentication failures have that second
log entry, you could key off that for firewall blocking, since it includes
the ip address.

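A correlator of the kind Michael says he will write, keying on the peer-bearing lines Carl lists: an added example, not code from the thread. It joins the "AUTH failure" line to the later line carrying the host and address through sendmail's queue id (m8PGbR9N081136 in the excerpt), counts repeated failures on one connection, and renders each as a single auth.log-style line. The sample lines are constructed from the excerpt above; the second connection's queue id, host name and address, and the smtp-auth-watch tag, are made up for the example.

```python
import re

# Constructed sample maillog lines, modelled on the excerpt in the thread; the
# second connection (queue id, host name, address) is made up for the example.
SAMPLE_MAILLOG = """\
Sep 25 12:37:32 charm sm-mta[81136]: m8PGbR9N081136: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Sep 25 12:37:33 charm sm-mta[81136]: m8PGbR9N081136: cr-1-2-3-4.netvisao.pt [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 25 12:40:01 charm sm-mta[81201]: m8PGe1Ab081201: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Sep 25 12:40:01 charm sm-mta[81201]: m8PGe1Ab081201: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Sep 25 12:40:02 charm sm-mta[81201]: m8PGe1Ab081201: lost input channel from host-9.example.net [203.0.113.9] to MTA after auth
"""

# Every sm-mta line carries the queue id (m8PGbR9N081136 above); that id is what
# ties the AUTH failure line to the later line naming the peer host and address.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hn>\S+) sm-mta\[\d+\]: "
                     r"(?P<qid>\w+): (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"^AUTH failure \((?P<mech>[^)]+)\)")
# Both peer-bearing lines Carl lists read "name [ip] ..." just before the keyword.
PEER_RE = re.compile(r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] (?:did not issue|to MTA after auth)")

def correlate(lines):
    """Join each failed AUTH with the peer address logged under the same queue id."""
    pending, done = {}, []           # pending: qid -> record awaiting its peer line
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        a = AUTH_FAIL_RE.match(msg)
        if a:                        # first or repeated failure on this connection
            rec = pending.setdefault(qid, {"ts": m.group("ts"), "hn": m.group("hn"),
                                           "qid": qid, "mech": a.group("mech"),
                                           "attempts": 0})
            rec["attempts"] += 1
        elif qid in pending:         # only connections that already failed AUTH
            p = PEER_RE.search(msg)
            if p:
                rec = pending.pop(qid)
                rec.update(host=p.group("host"), ip=p.group("ip"))
                done.append(rec)
    return done

def format_auth_line(rec):
    """Render one record as a single auth.log-style line, the shape ssh/ftp give."""
    return ("%(ts)s %(hn)s smtp-auth-watch: auth failure from %(host)s [%(ip)s] "
            "mech=%(mech)s attempts=%(attempts)d qid=%(qid)s" % rec)

if __name__ == "__main__":
    for rec in correlate(SAMPLE_MAILLOG.splitlines()):
        print(format_auth_line(rec))
```

Pointing it at a real maillog (or a tail of one) and feeding the output to syslog or a blocklist builder is left to the admin; a "did not issue" line with no preceding AUTH failure on the same queue id is deliberately ignored.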
