I'm looking for some help with this problem. I'd like to have fail2ban block systems trying to authenticate via smtp or imap. However, for known users I get:

Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user

and for unknown users I get:

Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130

so I can't key off of the pam_unix messages because that will lock out known users, and keying off of pam_sss will only block attacks that guess a correct username.

Is there some way I can get pam_sss to log the unknown user attempts?

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
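
The three quoted log lines differ in two fields (the PAM module name and whether user= is present), which is enough to tell the cases apart when counting failures per rhost. The following is an added example, not part of the original post and not fail2ban or sssd code; it assumes, from the quoted samples only, that pam_unix omits user= for a nonexistent account and that all real accounts come from sssd, and its function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# PAM failure lines from dovecot's auth process, in the format quoted in the post.
FAILURE = re.compile(
    r"auth: (?P<module>pam_\w+)\(dovecot:auth\): authentication failure; (?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs; value may be empty (logname=)

def classify(line):
    """Return (kind, rhost) if the line should count against rhost, else None."""
    m = FAILURE.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    rhost, has_user = fields.get("rhost"), bool(fields.get("user"))
    if not rhost:
        return None
    if m.group("module") == "pam_sss" and has_user:
        return ("known_user_failure", rhost)
    # Assumption from the quoted samples: pam_unix logs no user= field when the
    # account does not exist, and pam_sss logs nothing at all for that attempt.
    if m.group("module") == "pam_unix" and not has_user:
        return ("unknown_user_failure", rhost)
    # pam_unix failure with user= is ignored: pam_sss decides for that account.
    return None

def count_failures(lines):
    """Count qualifying failures per remote host."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result[1]] += 1
    return hits

def ban_candidates(lines, maxretry):
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

# Constructed sample input (documentation addresses, made-up user names).
HEAD = ("Jan 28 13:40:00 mail auth: %s(dovecot:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=dovecot ruser=%s rhost=%s")
SAMPLE = [
    HEAD % ("pam_unix", "alice", "192.0.2.10") + " user=alice",   # ignored
    HEAD % ("pam_sss", "alice", "192.0.2.10") + " user=alice",    # counted
    HEAD % ("pam_unix", "nosuch1", "198.51.100.7"),               # counted
    HEAD % ("pam_unix", "nosuch2", "198.51.100.7"),               # counted
    HEAD % ("pam_unix", "bob", "198.51.100.7") + " user=bob",     # ignored
]
```

The same two conditions can be written as two fail2ban failregex patterns; the assumption about the missing user= field should be checked against the local PAM logs first.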
