Re: [SSSD-users] pam_sss logging and fail2ban

Fri, 30 Jan 2015 07:55:52 -0800 

On 01/29/2015 01:47 AM, Sumit Bose wrote:

On Wed, Jan 28, 2015 at 03:11:15PM -0700, Orion Poplawski wrote:

I'm looking for some help with this problem.  I'd like to have fail2ban block
systems trying to authenticate via smtp or imap.  However, for known users I 
get:

Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130
user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 
user=known_user

and for unknown users I get:

Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130

so I can't key off of the pam_unix messages because that will lock out known
users, and keying off of pam_sss will only block attacks that guess a correct
username.  Is there some way I can get pam_sss to log the unknown user attempts?


How does your full pam configuration looks like. E.g. on Fedora I have a

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

line between pam_unix and pam_sss. Since the user is not known it will
not have a uid and not go pass this line.


auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
What you say doesn't make sense to me though. As I read the docs, if uid < 500 (as returned by pam_unix), pam_succeed_if will fail and stop pam processing, so as to prevent authenticating system users against sss. But if uid >= 500, it continues on to pam_sss. For unknown users (no uid), it would seem to me that it would have to continue on to sss, otherwise how would you authenticate users not in /etc/passwd? It just appears to me that pam_sss is not logging attempts by unknown users, and I'm not sure why. 

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  [email protected]
Boulder, CO 80301              http://www.cora.nwra.com
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to