On Wed, Jan 28, 2015 at 03:11:15PM -0700, Orion Poplawski wrote:
> I'm looking for some help with this problem. I'd like to have fail2ban block
> systems trying to authenticate via smtp or imap. However, for known users I
> get:
>
> Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure;
> logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130
> user=known_user
> Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure;
> logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130
> user=known_user
>
> and for unknown users I get:
>
> Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure;
> logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130
>
> so I can't key off of the pam_unix messages because that will lock out known
> users, and keying off of pam_sss will only block attacks that guess a correct
> username. Is there some way I can get pam_sss to log the unknown user
> attempts?

What does your full pam configuration look like? E.g. on Fedora I have a

    auth requisite pam_succeed_if.so uid >= 1000 quiet_success

line between pam_unix and pam_sss. Since the user is not known, it will not
have a uid and will not go past this line.

HTH

bye,
Sumit

>
> --
> Orion Poplawski
> Technical Manager                     303-415-9701 x222
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                    [email protected]
> Boulder, CO 80301                     http://www.nwra.com
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
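
An added example, not part of the original thread: one way to count failures per remote host from the log lines quoted above without locking out known users. It assumes, based only on the quoted samples, that a pam_unix failure for an unknown account carries no trailing `user=` field; the names `classify` and `failures_per_host` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the three log lines quoted in the post, unwrapped to one
# line each, plus one constructed line from a documentation address.
SAMPLE_LOG = """\
Jan 28 13:33:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
Jan 28 13:33:37 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=frank rhost=189.22.108.130 user=known_user
Jan 28 13:27:16 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=unknown_user rhost=189.22.108.130
Jan 28 13:40:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10 user=alice
"""

# Matches a dovecot PAM failure and captures the module, the remote host and
# the optional trailing user= field.
FAILURE = re.compile(
    r"auth: (?P<module>pam_unix|pam_sss)\(dovecot:auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?\s*$"
)


def classify(line):
    """Return (reason, rhost) for a line that should count, else None."""
    m = FAILURE.search(line)
    if m is None:
        return None
    if m.group("module") == "pam_sss":
        # pam_sss only logs a failure for an account it knows: wrong password.
        return ("known_user_bad_password", m.group("rhost"))
    if m.group("user") is None:
        # pam_unix failure without user=: the account does not exist (assumption
        # taken from the quoted samples).
        return ("unknown_user", m.group("rhost"))
    # pam_unix failure for an existing SSSD user: pam_sss may still succeed,
    # so this line alone must not count against the host.
    return None


def failures_per_host(log_text):
    """Count qualifying failures per remote host."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            counts[hit[1]] += 1
    return counts


if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_LOG).items():
        print(host, n)
```

The same two conditions (pam_sss failure, or pam_unix failure with no `user=` field) are what a log-based blocking rule would need to match; the lone pam_unix line for a known user is deliberately skipped.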
