Show username for "SASL LOGIN authentication failed:"?

2013-06-08 Thread Bogdan Enache
Hi.
When a user inputs an incorrect password, I have the following message
in the logs:
mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6
Which is perfectly normal.

But how can I also show the username that was tried in the logs? I want
to see:
1. Which user keeps entering the wrong password.
2. What user is someone else trying to hijack.

I need this because a user of mine was hijacked a few days ago. I have
fail2ban installed and working (banning IPs for 1 hour after 10
incorrect passwords), but looking through the logs in the last month I
realized this might have been a distributed attack actually.

Running postfix 2.5.9.

Thanks!


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-08 Thread Wietse Venema
Bogdan Enache:
> Hi.
> When a user inputs an incorrect password, I have the following message
> in the logs:
> mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
> Which is perfectly normal.

'UGFzc3dvcmQ6' decodes into 'Password:'. That's part of the
SASL LOGIN protocol. There are a dozen different protocols,
and those protocols are implemented by the Cyrus SASL library
or Dovecot authentication server.

Postfix normally retrieves the username from the Cyrus SASL library
AFTER successful authentication. The libsasl "documentation" does
not promise that such information is available after login failure.

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.
> 2. What user is someone else trying to hijack.

This requires adding code that looks up the username after
authentication failure, and finding out whether that information
is available at all.

Another approach would be to rate-limit AUTH commands (by duplicating
the code for rate-limiting the STARTTLS command).  That would stop
a dictionary attack from one bad client, but not from a botnet.

Or, one could run a network sniffer and rip the information from the
TCP packets.

Wietse
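Wietse's decoding, worked through as an added example (this code is not from the thread, Postfix or Dovecot): it decodes the token on the quoted log line and then drives the two-step SASL LOGIN exchange itself, so you can see that "Password:" is the second server challenge and that the username was already handed over in the step before it. The `check_password` callback and the account names are assumptions for the demonstration.

```python
import base64
import re

# The Postfix log line quoted at the top of the thread (address redacted there).
SAMPLE_LOG_LINE = ("mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: "
                   "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

SASL_FAIL_RE = re.compile(
    r"SASL (?P<mech>[A-Z0-9_-]+) authentication failed: (?P<detail>\S+)")


def decode_sasl_failure(line):
    """Pull the mechanism and the trailing token out of a Postfix
    'SASL ... authentication failed:' warning and base64-decode the token.
    Returns {} when the line is not such a warning; 'decoded' is None when
    the token is not valid base64/UTF-8."""
    m = SASL_FAIL_RE.search(line)
    if not m:
        return {}
    token = m.group("detail")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        decoded = None
    return {"mechanism": m.group("mech"), "raw": token, "decoded": decoded}


class LoginMechanismServer:
    """Server side of the SASL LOGIN mechanism: two base64 challenges,
    'Username:' then 'Password:', each answered with a base64 client
    response.  The verdict is reached only after the second response.
    check_password(user, password) -> bool is supplied by the caller
    (an assumed stand-in for the real password backend)."""

    def __init__(self, check_password):
        self.check_password = check_password
        self.username = None
        self.last_challenge = None

    def _challenge(self, text):
        self.last_challenge = base64.b64encode(text.encode()).decode()
        return self.last_challenge

    def start(self):
        return self._challenge("Username:")

    def step(self, client_b64):
        value = base64.b64decode(client_b64, validate=True).decode("utf-8")
        if self.username is None:
            self.username = value
            return self._challenge("Password:")
        return "success" if self.check_password(self.username, value) else "failure"


def run_exchange(username, password, check_password):
    """Drive one LOGIN exchange and report what the server side knew when it
    ended: the verdict, the last challenge it had sent (the base64 token the
    thread's log line shows), and the username the client supplied in step one."""
    server = LoginMechanismServer(check_password)
    server.start()
    server.step(base64.b64encode(username.encode()).decode())
    outcome = server.step(base64.b64encode(password.encode()).decode())
    return {"outcome": outcome,
            "last_challenge": server.last_challenge,
            "username": server.username}


if __name__ == "__main__":
    print(decode_sasl_failure(SAMPLE_LOG_LINE))
    print(run_exchange("alice", "wrong-guess", lambda u, p: p == "s3cret"))
```

The practical consequence: the trailing token is protocol noise, identical for every LOGIN attempt that fails at the password step, so a fail2ban rule keyed on it would match every failure rather than a particular attacker; key on the client address (and, once Dovecot logs it, the username) instead.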


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-08 Thread LuKreme

On 08 Jun 2013, at 04:09 , Bogdan Enache  wrote:

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.
> 2. What user is someone else trying to hijack.

Are you using courier authlib?

It has a DEBUG_LOGIN setting which will put the login AND password in the logs. 
I believe it will log incorrect password attempts as well.

> I have fail2ban installed and working (banning IPs for 1 hour after 10 
> incorrect passwords)

10? That seems overly generous.

My fail2ban was set at 1 hour for 3 failed attempts and a day for 10.

-- 
NO ONE WANTS TO HEAR FROM MY ARMPITS Bart chalkboard Ep. 3F01


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-08 Thread Benny Pedersen

Bogdan Enache skrev den 2013-06-08 12:09:

> mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
> Which is perfectly normal.

normal in what way?

i have seen this here as well with that user

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.

UGFzc3dvcmQ6 is a user that uses some kind of tor networking where port 
25 is not getting direct, so we all see him using more than one ip in 
postfix

> 2. What user is someone else trying to hijack.

UGFzc3dvcmQ6 is the user that tries to use your postfix to send mail, it 
does not matter if that user is not local, it's the auth you see trying 
being abused on your host

i have seen at most 10 failed logins here for that user, so pretty 
common here as well

i have limited it here to remove sasl auth on port 25, and on port 587 
i have limited ip ranges to just be the networks users are on, this 
stops it very well for me

> I need this because a user of mine was hijacked a few days ago. I have
> fail2ban installed and working (banning IPs for 1 hour after 10
> incorrect passwords), but looking through the logs in the last month I
> realized this might have been a distributed attack actually.

UGFzc3dvcmQ6 make a fail2ban rule to catch this in logs, and make it 
permanently firewalled, not just let fail2ban do its work

> Running postfix 2.5.9.

pretty old :)


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, don't do it


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Wietse Venema
Benny Pedersen:
> Bogdan Enache skrev den 2013-06-08 12:09:
> 
> > mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
> > authentication failed: UGFzc3dvcmQ6
> > Which is perfectly normal.
> 
> normal in what way ?
> 
> i have seen this here aswell with that user
> 
> > But how can I also show the username that was tried in the logs? I 
> > want
> > to see:
> > 1. Which user keeps entering the wrong password.
> 
> UGFzc3dvcmQ6 is a user that uses somekind of tor networking where port 
> 25 is not gething direct, so we all see him using more then one ip in 
> postfix

In this universe, the string 'UGFzc3dvcmQ6' is the base64-encoded
value of the string 'Password:'.

Wietse


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Bogdan Enache
Hi list.

On 09.06.2013 03:35, LuKreme wrote:
> On 08 Jun 2013, at 04:09 , Bogdan Enache  wrote:
>
>> But how can I also show the username that was tried in the logs? I want
>> to see:
>> 1. Which user keeps entering the wrong password.
>> 2. What user is someone else trying to hijack.
> Are you using courier authlib?
>
> It has a DEBUG_LOGIN setting which will put the login AND password in the 
> logs. I believe it will log incorrect password attempts as well.
No, I'm using Dovecot SASL login.

>
>> I have fail2ban installed and working (banning IPs for 1 hour after 10 
>> incorrect passwords)
> 10? That seems overly generous.
>
> My fail2ban was set at 1 hour for 3 failed attempts and a day for 10.
>
Unfortunately if I try lowering it from 10 to 3 I will receive like 20
phone calls a day about users that don't know how to check when CAPS
LOCK is on or off.

So I guess it's not easily doable using Dovecot SASL, right?

Thanks!


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Charles Marcus

On 2013-06-08 6:09 AM, Bogdan Enache  wrote:

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.
> 2. What user is someone else trying to hijack.

Since you left out the critical fact that you are using dovecot sasl, I 
didn't respond to this.


Dovecot uses login_log_format_elements to determine what it logs for 
login attempts... you'll find the variables it supports here:


http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29

Mine (which logs the username) looks like:

login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} 
mpid=%e %c session=<%{session}>


Hope this helps...

Charles



Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Zhang Huangbin


On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:

> 
> Dovecot uses login_log_format_elements to determine what it logs for 
> login attempts... you'll find the variables it supports here:
> 
> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
> 
> Mine (which logs the username) looks like:
> 
> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} 
> mpid=%e %c session=<%{session}>
> 


This works for IMAP/POP3/Managesieve services provided by Dovecot, and
logged in Dovecot log file, but it won't appear in Postfix/Dovecot log files for
SMTP service.


Zhang Huangbin
iRedMail: free, open source mail server solution for Red Hat
Enterprise Linux, CentOS, Scientific Linux, Debian, Ubuntu,
openSUSE, FreeBSD, OpenBSD. http://www.iredmail.org/



Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Jerry
On Sun, 09 Jun 2013 16:44:13 +0300
Bogdan Enache articulated:

> Unfortunately if I try lowering it from 10 to 3 I will receive like 20
> phone calls a day about users that don't know how to check when CAPS
> LOCK is on or off.

20 calls from 20,000 users would be insignificant. From 100 users, a
troubling amount. Install an automated answering system to handle
routine calls like that.

As far as determining if the CAPS LOCK is set, there is one thing I
have learned in life, "You cannot fix stupid." You are always going to
have a percentage of users who cannot chew gum and walk at the same
time.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-09 Thread Charles Marcus

On 2013-06-09 10:34 AM, Zhang Huangbin  wrote:

> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>
>> Dovecot uses login_log_format_elements to determine what it logs for
>> login attempts... you'll find the variables it supports here:
>>
>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>
>> Mine (which logs the username) looks like:
>>
>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>> mpid=%e %c session=<%{session}>
>
> This works for IMAP/POP3/Managesieve services provided by Dovecot, and
> logged in Dovecot log file, but it won't appear in Postfix/Dovecot log files for
> SMTP service.


Hmmm... well, I definitely see the usernames on my system (postfix+dovecot) for 
both successful and unsuccessful logins...

successful login:

2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4: 
client=client.example.com[192.168.1.110], sasl_method=PLAIN, 
sasl_username=myu...@example.com

bad password:

2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from 
myclient.example.com[###.###.###.###]
2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904): 
sql(validu...@example.com,###.###.###.###): Password mismatch

invalid username:

2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from 
myclient.example.com[###.###.###.###]
2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904): 
sql(invalidu...@example.com,###.###.###.###): unknown user

So, it is possible...
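Once the username reaches the log in the shape Charles shows above, Bogdan's two questions (which account keeps failing, which account is being attacked from many places) become a counting problem. This added example, not code from the thread or from either project, parses both line shapes on this page, the Postfix warning that carries only the client address and the Dovecot auth-worker line that carries the account, and aggregates them per source IP and per target account. The sample lines are constructed (RFC 5737 documentation addresses, made-up accounts) and the thresholds are assumptions matching the jail discussed here: a per-IP ban at 10 failures, which a guess spread over eight hosts at three tries each never trips.

```python
import re
from collections import defaultdict

# Postfix's own failure warning carries only the client IP (what the poster sees).
POSTFIX_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed")
# Dovecot's auth-worker line, in the shape of Charles's excerpt, names the account too.
DOVECOT_FAIL_RE = re.compile(
    r"dovecot: auth-worker\(\d+\): \w[\w-]*\((?P<user>[^,]+),(?P<ip>[^)]+)\): "
    r"(?P<reason>Password mismatch|unknown user)")


def parse_failure(line):
    """Return (user, ip, reason) for a failed SMTP AUTH attempt, or None.
    user is None for Postfix lines, which do not name the account."""
    m = DOVECOT_FAIL_RE.search(line)
    if m:
        return m.group("user"), m.group("ip"), m.group("reason")
    m = POSTFIX_FAIL_RE.search(line)
    if m:
        return None, m.group("ip"), "sasl failure"
    return None


def analyze(lines, ban_threshold=10, distributed_min_ips=5):
    """Aggregate failures per source IP (what a fail2ban jail keys on) and
    per target account (what a distributed guess hides behind)."""
    failures_per_ip = defaultdict(int)
    failures_per_user = defaultdict(int)
    ips_per_user = defaultdict(set)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        user, ip, _reason = parsed
        failures_per_ip[ip] += 1
        if user is not None:
            failures_per_user[user] += 1
            ips_per_user[user].add(ip)
    # Sources a per-IP jail at this threshold would have banned.
    banned_ips = sorted(ip for ip, n in failures_per_ip.items() if n >= ban_threshold)
    # Accounts hit from many sources, none of which crossed the per-IP threshold:
    # invisible to the jail, visible only once the username is in the log.
    distributed_targets = {
        user: len(ips) for user, ips in ips_per_user.items()
        if len(ips) >= distributed_min_ips
        and all(failures_per_ip[ip] < ban_threshold for ip in ips)}
    return {"failures_per_ip": dict(failures_per_ip),
            "failures_per_user": dict(failures_per_user),
            "banned_ips": banned_ips,
            "distributed_targets": distributed_targets}


def _dovecot_line(ts, user, ip, reason="Password mismatch"):
    return f"Jun  9 {ts} mx1 dovecot: auth-worker(5904): sql({user},{ip}): {reason}"


# Constructed sample, not real traffic.  Feed either the Postfix lines or the
# Dovecot lines for a given attempt, not both, or one attempt counts twice.
SAMPLE_LOG = []
# alice: 8 hosts x 3 guesses each; a per-IP jail at 10 never fires
for host in range(8):
    for n in range(3):
        SAMPLE_LOG.append(_dovecot_line(f"11:{host:02d}:{n:02d}",
                                        "alice@example.com", f"203.0.113.{10 + host}"))
# bob: 12 guesses from one host, the case the jail does handle
for n in range(12):
    SAMPLE_LOG.append(_dovecot_line(f"12:00:{n:02d}", "bob@example.com", "198.51.100.7"))
# carol: two typos from her own address
SAMPLE_LOG.append(_dovecot_line("13:00:00", "carol@example.com", "192.0.2.44"))
SAMPLE_LOG.append(_dovecot_line("13:00:05", "carol@example.com", "192.0.2.44"))
# a probe for an account that does not exist
SAMPLE_LOG.append(_dovecot_line("13:10:00", "admin@example.com", "198.51.100.9", "unknown user"))
# a Postfix-side warning for a separate attempt: IP only, no account
SAMPLE_LOG.append("Jun  9 13:20:00 mx1 postfix/smtpd[1069]: warning: "
                  "unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run over the sample, the jail bans only bob's attacker, while alice shows up as the account under a distributed guess that no per-IP rule would catch. Whatever produces the username line, keep password logging off (Dovecot's auth_verbose_passwords defaults to no); a log that carries the credential itself, as the courier DEBUG_LOGIN setting mentioned earlier does, is a second copy of every password on the box.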



Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-10 Thread Bogdan Enache
Hi.

On 09.06.2013 18:12, Charles Marcus wrote:
> On 2013-06-09 10:34 AM, Zhang Huangbin  wrote:
>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>> Dovecot uses login_log_format_elements to determine what it logs for
>>> login attempts... you'll find the variables it supports here:
>>>
>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>
>>>
>>> Mine (which logs the username) looks like:
>>>
>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>>> mpid=%e %c session=<%{session}>
>
>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and
>> logged in Dovecot log file, but it won't appear in Postfix/Dovecot
>> log files for
>> SMTP service.
>
> Hmmm... well, I definitely see the usernames on my system
> (postfix+dovecot) for both successful and unsuccessful logins...
>
> successful login:
>
> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4:
> client=client.example.com[192.168.1.110], sasl_method=PLAIN,
> sasl_username=myu...@example.com
>
> bad password:
>
> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from
> myclient.example.com[###.###.###.###]
> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904):
> sql(validu...@example.com,###.###.###.###): Password mismatch
>
> invalid username:
>
> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from
> myclient.example.com[###.###.###.###]
> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904):
> sql(invalidu...@example.com,###.###.###.###): unknown user
>
> So, it is possible...
>

I just enabled "login_log_format_elements" as:
login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
service=%s mpid=%e %c session=<%{session}>

I get more info than usual (service, mpid, session) but still nothing
for smtp. Clearly, I'm missing something. Probably my dovecot/postfix
combo is too old.


Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-10 Thread Charles Marcus

On 2013-06-10 4:57 PM, Bogdan Enache  wrote:

> Hi.
>
> On 09.06.2013 18:12, Charles Marcus wrote:
>
>> On 2013-06-09 10:34 AM, Zhang Huangbin  wrote:
>>
>>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>>
>>>> Dovecot uses login_log_format_elements to determine what it logs for
>>>> login attempts... you'll find the variables it supports here:
>>>>
>>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>>
>>>> Mine (which logs the username) looks like:
>>>>
>>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>>>> mpid=%e %c session=<%{session}>
>>>
>>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and
>>> logged in Dovecot log file, but it won't appear in Postfix/Dovecot
>>> log files for
>>> SMTP service.
>>
>> Hmmm... well, I definitely see the usernames on my system
>> (postfix+dovecot) for both successful and unsuccessful logins...
>>
>> successful login:
>>
>> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4:
>> client=client.example.com[192.168.1.110], sasl_method=PLAIN,
>> sasl_username=myu...@example.com
>>
>> bad password:
>>
>> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from
>> myclient.example.com[###.###.###.###]
>> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904):
>> sql(validu...@example.com,###.###.###.###): Password mismatch
>>
>> invalid username:
>>
>> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from
>> myclient.example.com[###.###.###.###]
>> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904):
>> sql(invalidu...@example.com,###.###.###.###): unknown user
>>
>> So, it is possible...
>
> I just enabled "login_log_format_elements" as:
> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
> service=%s mpid=%e %c session=<%{session}>
>
> I get more info than usual (service, mpid, session) but still nothing
> for smtp. Clearly, I'm missing something. Probably my dovecot/postfix
> combo is too old.


How old?

Anyway, I just went back and looked, and I believe to get the username 
you also have to add:


protocol smtp {
  auth_verbose = yes
}

But mine is 2.1.16, soon to be 2.2...

--

Best regards,

Charles



Re: Show username for "SASL LOGIN authentication failed:"?

2013-06-10 Thread Charles Marcus

On 2013-06-10 5:25 PM, Charles Marcus  wrote:

> On 2013-06-10 4:57 PM, Bogdan Enache  wrote:
>
>> Hi.
>>
>> On 09.06.2013 18:12, Charles Marcus wrote:
>>
>>> On 2013-06-09 10:34 AM, Zhang Huangbin  wrote:
>>>
>>>> On Sunday, June 9, 2013 at 10:09 PM, Charles Marcus wrote:
>>>>
>>>>> Dovecot uses login_log_format_elements to determine what it logs for
>>>>> login attempts... you'll find the variables it supports here:
>>>>>
>>>>> http://wiki2.dovecot.org/Variables?highlight=%28login_log_format_elements%29
>>>>>
>>>>> Mine (which logs the username) looks like:
>>>>>
>>>>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>>>>> mpid=%e %c session=<%{session}>
>>>>
>>>> This works for IMAP/POP3/Managesieve services provided by Dovecot, and
>>>> logged in Dovecot log file, but it won't appear in Postfix/Dovecot
>>>> log files for
>>>> SMTP service.
>>>
>>> Hmmm... well, I definitely see the usernames on my system
>>> (postfix+dovecot) for both successful and unsuccessful logins...
>>>
>>> successful login:
>>>
>>> 2013-06-09T10:50:38-04:00 myhost postfix-587/smtpd[5807]: E9482B73AF4:
>>> client=client.example.com[192.168.1.110], sasl_method=PLAIN,
>>> sasl_username=myu...@example.com
>>>
>>> bad password:
>>>
>>> 2013-06-09T11:02:38-04:00 myhost postfix-587/smtpd[5903]: connect from
>>> myclient.example.com[###.###.###.###]
>>> 2013-06-09T11:02:38-04:00 myhost dovecot: auth-worker(5904):
>>> sql(validu...@example.com,###.###.###.###): Password mismatch
>>>
>>> invalid username:
>>>
>>> 2013-06-09T11:01:45-04:00 myhost postfix-587/smtpd[5903]: connect from
>>> myclient.example.com[###.###.###.###]
>>> 2013-06-09T11:01:50-04:00 myhost dovecot: auth-worker(5904):
>>> sql(invalidu...@example.com,###.###.###.###): unknown user
>>>
>>> So, it is possible...
>>
>> I just enabled "login_log_format_elements" as:
>> login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport}
>> service=%s mpid=%e %c session=<%{session}>
>>
>> I get more info than usual (service, mpid, session) but still nothing
>> for smtp. Clearly, I'm missing something. Probably my dovecot/postfix
>> combo is too old.
>
> How old?
>
> Anyway, I just went back and looked, and I believe to get the username
> you also have to add:
>
> protocol smtp {
>   auth_verbose = yes
> }
>
> But mine is 2.1.16, soon to be 2.2...

sorry - that needs to be added to your dovecot config, not postfix... ;)

--

Best regards,

Charles