Re: [vps-mail] saslauthd log information

["Bennett Lanford" <ben@xxxxxxxxxxxxx>]

ADNET Ghislain <gadnet@xxxxxxxx> said:

> Hi all,
>   
> 
>    Do you have any way on vps v1 to trace the users login on the VPS via
> smtp auth ? we had some batch of attacks on the server. For exemple
> someone dictionary attacked our logins like : info, webmaster, sales etc
> .. and used the user/pass to send bulk emails..
> 
>    I look to find a way to log all of the access but it seems to lack
> the logging feature. Anyone here met the problem ?

If your sendmail.cf's logging level is at the default (9), you should get at 
least one line in ~/var/log/messages for each successful issuance of the AUTH 
command, something like:

<XX>Mar 23 10:34:48 sendmail[10857]: AUTH=server, relay=blowfish.cox.net [167.
79.99.33], authid=ben, mech=login, bits=0

In the above, "authid" is the username used for authentication (in this case, 
"ben" was trying to authenticate), "mech" is the authentication mechanism (the 
LOGIN mechanism in this case), "relay" is the server from which the connection 
is taking place.

If you want to see more information, increase the logging level (15 is the 
highest meaningful level). In your macro configuration file:

define(`confLOG_LEVEL', `15')dnl

should show the entire SMTP conversation.

HTH

-- 
Bennett Lanford
ben@xxxxxxxxxxxxx


======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).