On Wed, Jan 28, 2015 at 03:11:15PM -0700, Orion Poplawski wrote:
I'm looking for some help with this problem. I'd like to
have fail2ban block
systems trying to authenticate via smtp or imap. However, for known users I get:
Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130
user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
and for unknown users I get:
Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure;
logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130
so I can't key off of the pam_unix messages because that will lock out known
users, and keying off of pam_sss will only block attacks that guess a correct
username. Is there some way I can get pam_sss to log the unknown user attempts?
How does your full pam configuration looks like. E.g. on Fedora I have a
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
line between pam_unix and pam_sss. Since the user is not known it will
not have a uid and not go pass this line.
HTH
bye,
Sumit
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
http://www.nwra.com
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users