I'm looking for some help with this problem. I'd like to have fail2ban block systems trying to authenticate via smtp or imap. However, for known users I get:
Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
and for unknown users I get:
Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130
so I can't key off of the pam_unix messages because that will lock out known users, and keying off of pam_sss will only block attacks that guess a correct username. Is there some way I can get pam_sss to log the unknown user attempts?
On Wed, Jan 28, 2015 at 03:11:15PM -0700, Orion Poplawski wrote:
What does your full pam configuration look like? E.g. on Fedora I have a
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
line between pam_unix and pam_sss. Since the user is not known it will not have a uid and will not get past this line.
HTH
bye, Sumit
-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    orion@nwra.com
Boulder, CO 80301                     http://www.nwra.com
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 01/29/2015 01:47 AM, Sumit Bose wrote:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
What you say doesn't make sense to me though. As I read the docs, if uid < 500 (as returned by pam_unix), pam_succeed_if will fail and stop pam processing, so as to prevent authenticating system users against sss. But if uid >= 500, it continues on to pam_sss. For unknown users (no uid), it would seem to me that it would have to continue on to sss, otherwise how would you authenticate users not in /etc/passwd? It just appears to me that pam_sss is not logging attempts by unknown users, and I'm not sure why.
On 01/30/2015 10:54 AM, Orion Poplawski wrote:
Maybe at this point it would make sense to file a ticket so that we have it recorded and can provide a more formal investigation.
On (30/01/15 08:54), Orion Poplawski wrote:
pam_succeed_if calls getpwnam (pam_modutil_getpwnam). getpwnam uses files and sssd (I hope you have configured nsswitch with sss :-). If getpwnam fails (the user is not found in files or sssd) then the module pam_succeed_if will fail. It will return the pam error PAM_USER_UNKNOWN.
You should be able to see a message in syslog if you use the argument audit in the module pam_succeed_if. man pam_succeed_if -> audit
Message: "error retrieving information about user %s"
HTH
LS
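Added example, not part of the thread and not code from sssd, Linux-PAM or fail2ban: a fail2ban-style filter, run over constructed log lines in the exact format quoted in the original question, that bans brute-forcers without banning legitimate sssd users. It builds on two observations the thread's own log lines support. First, a known user who types the right password still produces a pam_unix "authentication failure" line (pam_unix cannot verify an sssd user, then pam_sss succeeds), which is why matching every pam_unix failure would lock out real users. Second, the quoted pam_unix line for the unknown user ends at rhost= with no trailing user= field, while the known-user line carries user=known_user; that difference is assumed here to be reliable (check it against your own logs before deploying). The pam_succeed_if audit message that LS describes is included as a constructed sample line too, but it carries no rhost=, so it is deliberately not matched: it confirms in syslog that the unknown user stopped at pam_succeed_if, but it cannot tell fail2ban which address to ban. The hosts, the extra usernames and the timestamps are constructed (RFC 5737 documentation addresses); maxretry=3 is an assumed policy.

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic) in the syslog format quoted in
# the thread. Three scenarios are mixed:
#   198.51.100.7  - three attempts with usernames NSS cannot resolve
#   203.0.113.9   - one attempt against a real sssd user with a wrong password
#   192.0.2.44    - a real sssd user logging in SUCCESSFULLY: pam_unix still
#                   logs a failure, pam_sss then succeeds and logs nothing
SAMPLE_LOG = """\
Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=198.51.100.7
Jan 28 13:27:17 mail auth: pam_succeed_if(dovecot:auth): error retrieving information about user unknown_user
Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=203.0.113.9 user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=203.0.113.9 user=known_user
Jan 28 13:40:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=192.0.2.44 user=known_user
Jan 28 13:41:10 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=198.51.100.7
Jan 28 13:41:11 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=198.51.100.7
"""

# Patterns written the way a fail2ban filter.d failregex is written, with the
# <HOST> placeholder. Assumed behaviour: pam_unix appends "user=<name>" only
# when NSS could resolve the user, so a line that ENDS at rhost= is an unknown
# user. The pam_succeed_if audit line is intentionally not matched: it has no
# rhost= and therefore identifies no address to ban.
FAILREGEX = [
    # wrong password for a user sssd knows: pam_sss reports it with rhost=
    r"pam_sss\(dovecot:auth\): authentication failure; .* rhost=<HOST> user=\S+$",
    # user unknown to NSS: no trailing user= field, line ends right after rhost=
    r"pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>$",
]


def compile_failregex(patterns):
    """Expand fail2ban's <HOST> placeholder into a named capture group."""
    return [re.compile(p.replace("<HOST>", r"(?P<host>\S+)")) for p in patterns]


def failures_by_host(log_text, patterns=FAILREGEX):
    """Count failure lines per client address, one failure per matching line."""
    compiled = compile_failregex(patterns)
    counts = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # a line counts once even if several patterns match
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """Addresses that reached maxretry failures, the way a fail2ban jail would."""
    return sorted(h for h, n in failures_by_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in sorted(failures_by_host(SAMPLE_LOG).items()):
        print(f"{host:15} {n} failure(s)")
    print("ban:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

On the constructed input 192.0.2.44 never appears in the counts, because its only line is a pam_unix failure that carries user=known_user, i.e. the failure every sssd user produces on a successful login. To carry the two patterns into a real filter.d file, keep the <HOST> placeholder and drop the leading timestamp: fail2ban anchors a failregex after the date it parses, so the patterns above are used as-is. Note that this keys on PAM's syslog lines; fail2ban's stock dovecot filter instead matches Dovecot's own login log lines, which carry the client address directly, so if Dovecot's logging already gives you those lines, that filter avoids the assumption about pam_unix's user= field altogether.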