[2024-12-30 19:00] "Darren S." <phatbuck...@gmail.com>
> OpenSMTPD 7.6.0
> OpenBSD 7.6 amd64
>
> I'm following a thread on the SSHGuard mailing list [1] as we're looking
> for a way of tracking credential attacks against OpenSMTPD. The switch to
> smtpd-filters(7) hasn't yet been caught up, and so there is discussion
> about how to handle that logging to identify the various authentication-based
> attacks (password spraying, brute force, etc.). The outcome we're
> looking for is this: ensure that all authentication attempts against
> smtpd(8) can be found in the logs for monitoring by various agents like
> SSHGuard.
>
> Since the proper approach to integrating against OpenSMTPD logging appears
> to be using the smtpd-filters(7) API to get report events, vs. using the
> smtpd(8) syslog stream, I've checked to see what events are currently sent
> to the report filter when authentication attempts occur. I think I'm seeing
> that some failed authentication attempts that are logged by smtpd(8) in
> syslog are not currently sent to smtpd-filters(7). These are a few
> examples, with the smtpd(8) syslog events followed by associated
> smtpd-filters(7) events:
>
> [...]
>
> Looking at the documentation for the link-auth event, it seems like it
> should include the failed authentication events:
>
>     link-auth: result username
>         This event is generated upon an authentication attempt by the
>         client.
>
>         result contains the string "pass", "fail" or "error" depending on
>         the result of the authentication attempt.
>
>         username contains the username used for the authentication attempt.
>
> I'm guessing the reason it may not is because the AUTH line is a
> failed-command, maybe because the client attempted to authenticate before
> issuing STARTTLS. I also wonder if there would be issues generating those
> link-auth events when the listener is not configured for `auth`.
You are right. The link-auth event is only reported after the authentication
credentials are checked. So when authentication is rejected (i.e. because auth
is not advertised) credentials are not checked and no event is generated.

> [...]
>
> Also as an aside, filter requests (as opposed to report events) document
> the following event, but I figure this is irrelevant as we're focused on
> report events only:
>
>     auth: auth
>         This request is emitted after the client has requested "AUTH".

This also doesn't help you, because it's also only sent when auth is
advertised and the client is in the correct state to auth.

> I'm wondering the best path forward here. Given the security relevance, it
> seems like we should be able to see link-auth events for successful or
> failed authentication attempts at all points; before and after STARTTLS,
> and in cases whether `auth` is enabled on a listener or not. Is this a case
> where the smtpd-filters(7) event logging should be improved in OpenSMTPD,
> or am I thinking about this wrong?

As far as I see there are currently two[0] places where auth is rejected
without an auth report. So the best way I see is to add an auth-rejected
event.

Philipp

PS: I don't think this is security relevant, because when auth is rejected
all security relevant problems are solved.

[0] in smtp_command() after the smtp_check_auth() and in smtp_proceed_auth()
in the final else block.

> [1]
> https://sourceforge.net/p/sshguard/mailman/sshguard-users/thread/3e33398b-3e0c-359d-6a34-a081452b5e97%40tcp80.org/#msg37798632
>
> --
> Darren Spruell
> phatbuck...@gmail.com
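For readers who want to see what the report-event path discussed above actually looks like from the filter's side, here is an added example (written for this page; it is not code from the thread, from SSHGuard, or from the OpenSMTPD project) of a report-only smtpd-filters(7) filter that turns each link-auth event into one syslog line, with the client address recovered from the session's earlier link-connect event so a log-watching agent has something to block. It assumes the 7.x wire format `report|0.7|<timestamp>|smtp-in|<event>|<session-id>|<params...>`, that link-connect carries `rdns|fcrdns|src|dest` with `src` as `addr:port`, `[v6addr]:port` or `local`, and that link-auth carries `result|username` in the order the quoted manpage text gives (username last, so a `|` inside it cannot shift the result field). The filter name and install path in the usage note are likewise assumptions.

```python
# Added example (not from the thread or from OpenSMTPD): a report-only
# smtpd-filters(7) filter that writes one syslog line per link-auth event,
# adding the client address remembered from the session's link-connect event.
# Assumptions: protocol lines look like
#   report|0.7|<timestamp>|smtp-in|<event>|<session-id>|<params...>
# link-connect params are "rdns|fcrdns|src|dest" with src as "addr:port",
# "[v6addr]:port" or "local"; link-auth params are "result|username" in the
# order the manpage excerpt gives, username last so a '|' in it cannot shift
# the result field.
import sys


def strip_port(src):
    """Return the address part of a link-connect src field (format assumed above)."""
    if src.startswith("["):                 # "[2001:db8::1]:25" -> "2001:db8::1"
        end = src.find("]")
        return src[1:end] if end > 0 else src
    if src.count(":") == 1:                 # "192.0.2.10:54321" -> "192.0.2.10"
        return src.split(":", 1)[0]
    return src                              # "local", "unix:...", or anything else


class AuthReporter:
    """Tracks sessions from link-connect and formats link-auth outcomes."""

    def __init__(self):
        self.sessions = {}                  # session id -> link-connect src

    def handle(self, line):
        """Consume one protocol line; return a log line for link-auth, else None."""
        fields = line.rstrip("\n").split("|")
        if len(fields) < 6 or fields[0] != "report":
            return None                     # config lines, short lines, etc.
        _kind, _version, _ts, subsystem, event, session = fields[:6]
        params = fields[6:]
        if subsystem != "smtp-in":
            return None
        if event == "link-connect":
            if len(params) >= 3:
                self.sessions[session] = params[2]
            return None
        if event == "link-disconnect":
            self.sessions.pop(session, None)
            return None
        if event == "link-auth" and params:
            result = params[0]
            username = "|".join(params[1:])     # rejoin in case the name held a '|'
            src = strip_port(self.sessions.get(session, "unknown"))
            return "smtp-in: auth %s for user %s from %s (session %s)" % (
                result, username, src, session)
        return None


def main():
    import syslog                           # Unix only; imported here so the
                                            # parsing code above stays portable
    # Handshake: smtpd sends config|... lines ending in config|ready; the filter
    # then registers the report events it wants and answers register|ready.
    for line in sys.stdin:
        if line.startswith("config|ready"):
            break
    for event in ("link-connect", "link-auth", "link-disconnect"):
        sys.stdout.write("register|report|smtp-in|%s\n" % event)
    sys.stdout.write("register|ready\n")
    sys.stdout.flush()

    reporter = AuthReporter()
    syslog.openlog("filter-authlog", 0, syslog.LOG_MAIL)
    for line in sys.stdin:
        msg = reporter.handle(line)
        if msg is not None:
            syslog.syslog(syslog.LOG_NOTICE, msg)


if __name__ == "__main__":
    main()
```

To wire it in (assumed names), smtpd.conf would declare `filter "authlog" proc-exec "/usr/local/libexec/smtpd/filter-authlog"` and attach it to the submission listener with `listen on egress tls pki mail auth filter "authlog"`; an agent such as SSHGuard would then match on the `auth fail for user ... from <addr>` lines in the mail log. The caveat from Philipp's reply applies unchanged: attempts that smtpd rejects before checking credentials (auth not advertised on the listener, or AUTH sent before STARTTLS) never reach the credential check, so no link-auth event arrives at this filter and those attempts remain visible only in the smtpd(8) syslog stream until something like the proposed auth-rejected event exists.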