Bad Guy Problem

#1 Thu, 11/22/2012 - 06:31
PaliGap

I use OSSEC HIDS to block brute force password attacks - and very good it is too. But recently I have been seeing a lot of attacks in the logs that have no IP address. Like this:

Nov 22 11:09:26 myserver saslauthd[4074]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 22 11:09:26 myserver saslauthd[4077]: do_auth : auth failure: [user=ruby] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Because no IP address is being logged I can't create an OSSEC rule to block these.

Is there something I can do that will enable IP address logging for this kind of thing?

Thu, 11/22/2012 - 08:31
Locutus

If there's no IP address recorded, it was possibly a local authentication attempt. "user=ruby, service=smtp" sounds like it might be web software on your machine that is trying a local login? Do you have anything in the Apache logs at that moment?

Thu, 11/22/2012 - 09:02
PaliGap

I hope it's NOT "web software trying a local login"!

I've had a look in Apache logs - cannot see anything there at all.

Thu, 11/22/2012 - 09:05
PaliGap

Ah, but wait a minute... I do see this kind of thing that matches in /var/log/maillog

Nov 22 13:46:30 myserver postfix/smtpd[9645]: warning: unknown[66.64.x.xxx]: SASL LOGIN authentication failed: authentication failure

So I think all I need do is get OSSEC to pick up on those messages and I'll have an IP address to block!

Thu, 11/22/2012 - 13:08
Locutus

Yep, that's right... Often you get several log entries, in different logs, for login (attempt) events, and the IP address is recorded in one or the other.
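As an added illustration of the point both posters reach (this is example code written for this page, not anything from OSSEC or the thread), the script below parses the two log formats quoted above: the saslauthd/pam_unix line, whose rhost= field is empty and so yields no address, and the postfix/smtpd SASL-failure line from /var/log/maillog, which carries the client IP in brackets. It counts failures per IP and reports which addresses cross a threshold, which is the same job an OSSEC decoder that extracts srcip plus a frequency rule would do. The log lines are constructed samples modelled on the ones in the thread; the IP addresses (203.0.113.45, 198.51.100.7) are documentation-range placeholders, not real attackers.

```python
import re
from collections import Counter

# saslauthd/pam_unix failure line as quoted in the original post. The rhost=
# value is optional: on the poster's lines it is empty, so there is no IP.
PAM_RE = re.compile(
    r"saslauthd\[\d+\]: pam_unix\(\S+\): authentication failure;.*\brhost=(\S*)"
)

# postfix/smtpd SASL failure line from /var/log/maillog. The client address is
# the dotted quad inside the square brackets after the (often "unknown") hostname.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+?\[(\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)


def extract_failure(line):
    """Return (source, ip) for a recognised auth-failure line, else None.

    ip is None when the line records a failure but carries no address, which is
    exactly the saslauthd case the original poster could not block on.
    """
    m = SMTPD_RE.search(line)
    if m:
        return ("postfix/smtpd", m.group(1))
    m = PAM_RE.search(line)
    if m:
        return ("saslauthd", m.group(1) or None)
    return None


def correlate(lines, threshold=3):
    """Count SASL auth failures per source IP across mixed syslog/maillog lines.

    Returns a dict with the per-IP counts, how many failures had no address at
    all, and the sorted list of IPs at or above the block threshold.
    """
    per_ip = Counter()
    no_ip = 0
    for line in lines:
        hit = extract_failure(line)
        if hit is None:
            continue  # not an auth-failure line we know how to read
        _source, ip = hit
        if ip is None:
            no_ip += 1
        else:
            per_ip[ip] += 1
    blockable = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "no_ip_failures": no_ip, "blockable": blockable}


# Constructed sample log lines (not real traffic), modelled on the thread's quotes.
SAMPLE_LOG = [
    "Nov 22 11:09:26 myserver saslauthd[4074]: pam_unix(smtp:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=",
    "Nov 22 11:09:26 myserver saslauthd[4077]: do_auth : auth failure: [user=ruby] "
    "[service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Nov 22 13:46:30 myserver postfix/smtpd[9645]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Nov 22 13:46:31 myserver postfix/smtpd[9645]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Nov 22 13:46:33 myserver postfix/smtpd[9645]: warning: unknown[203.0.113.45]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Nov 22 13:50:02 myserver postfix/smtpd[9702]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Nov 22 13:51:10 myserver postfix/smtpd[9702]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: authentication failure",
]


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    print("failures per IP:", report["per_ip"])
    print("failures with no address:", report["no_ip_failures"])
    print("IPs at/over threshold:", report["blockable"])
```

The saslauthd line on its own only tells you that a failure happened; the postfix/smtpd line for the same attempt is what supplies an address, so a frequency count keyed on that second source is what makes a block decision possible. The do_auth line is deliberately left unparsed: it names the user and service but never the client.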
