I have been using the PAM (pam_exim) authentication to do SMTP
authentication for users on my server against /etc/passwd and
/etc/shadow. Things were fine until I saw a suspicious entry in the
log today. It's pasted below...
2003-12-21 20:31:57 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)
2003-12-21 20:32:02 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)
2003-12-21 20:32:12 1AY55v-00011s-Eq <= ameill3@??? H=(dfasfd-vojmlg22) [218.70.9.128] P=asmtp A=login:webmaster S=253
2003-12-21 20:32:15 1AY55v-00011s-Eq => ameill2@??? R=dnslookup T=remote_smtp H=mail-g2.chinadns.com [211.154.211.77]
2003-12-21 20:32:15 1AY55v-00011s-Eq Completed
2003-12-21 20:32:16 no host name found for IP address 218.70.9.128
2003-12-21 20:32:25 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)
2003-12-21 20:32:30 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)
The interesting observation here is that the SMTP auth successfully
authenticated user "webmaster", who is non-existent on my machine. Somehow
the spammer has been able to do so only once; there are many more
unsuccessful attempts from the same IP (which I haven't pasted).
After the above episode I started to suspect my SMTP auth configuration
(pasted below).
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1
This config is a copy from the web-link
http://www.e-admin.de/pam_exim/configuration.html , apparently used by
the author of the pam_exim module.
It would be of great help if someone can tell me whether this config is fine
or is the culprit. Another config, which I got from Suresh Ramasubramian,
is also reproduced below.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
  server_set_id = $1
This config I guess checks for null strings in the SMTP auth and
prevents such authentication from being successful.
I can use any inputs people might have on the proper use of pam_exim, or
any compelling reason why I should not be using PAM at all (which by
reputation I believe is one of the most insecure pieces of software).
The reason why I was pushed into using PAM was that I need
authentication against /etc/passwd & /etc/shadow. I know of the other
trick in which a cron job can be used to make a readable copy of
/etc/shadow for exim; however, that solution does have a password update
delay of x minutes, to whatever we set the cron to. I was thinking whether it
would help to code a daemon which watches /etc/shadow and makes a readable copy
for exim the moment the file is modified (though any such software
would be considered a security breach outright). If it does make sense,
maybe I can wear my developer hat and get on it :-D.
Any inputs/suggestions would be appreciated.
Thank you.
--
CCK./ kanth@??? <http://hserus.net/~cck>
"Passion and gradualness" -- Pavlov.
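The two authenticator definitions in the post differ only in how the password reaches PAM, and the log excerpt is exactly the kind of sequence a mail admin wants flagged automatically. As an added example (not part of the original post, and not pam_exim's or Exim's own code), the Python below does both things: it splits a pam{} argument the way Exim documents the condition (a single colon separates user and password, a doubled colon is a literal colon, which is the rule the ${sg{...}{:}{::}} expansion caters for), and it scans the mainlog lines quoted above, counting failed LOGIN attempts per client IP and set_id and flagging accepted messages whose A=login:<user> names an account not in a list of local users. The function names and the local-user set (kanth, root) are my own constructions for the example.

```python
"""Added example: (1) how Exim's pam{} condition splits user:password, and
why doubling colons in the password matters; (2) a small Exim mainlog
scanner for failed authenticator attempts and auth successes for unknown
local accounts.  The log lines are the ones quoted in the post; the set of
local users is constructed for the example."""
import re
from collections import Counter


def exim_pam_split(arg):
    """Split a pam{} argument as Exim does: ':' separates fields, '::' is a
    literal colon inside a field."""
    fields, cur, i = [], [], 0
    while i < len(arg):
        ch = arg[i]
        if ch == ':':
            if i + 1 < len(arg) and arg[i + 1] == ':':
                cur.append(':')          # escaped colon, keep it in the field
                i += 2
                continue
            fields.append(''.join(cur))  # unescaped colon: field boundary
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(''.join(cur))
    return fields


def sg_double_colons(s):
    """Equivalent of Exim's ${sg{s}{:}{::}}: double every colon in s."""
    return s.replace(':', '::')


def pam_arg_raw(user, password):
    """First config in the post: pam{$2:$3}, password passed unescaped."""
    return '%s:%s' % (user, password)


def pam_arg_escaped(user, password):
    """Second config in the post: pam{$2:${sg{$3}{:}{::}}}."""
    return '%s:%s' % (user, sg_double_colons(password))


# --- mainlog scanning -------------------------------------------------------

FAILED_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<auth>\w+) authenticator failed for '
    r'\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: 535 .*\(set_id=(?P<user>[^)]*)\)')

ACCEPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) H=\((?P<helo>[^)]*)\) '
    r'\[(?P<ip>[^\]]+)\] .*\bA=(?P<auth>\w+):(?P<user>\S+)')


def scan_mainlog(lines, local_users):
    """Return (failures, suspicious): failures counts 535 responses per
    (client IP, set_id); suspicious lists (msgid, ip, user) for messages
    accepted with SMTP AUTH as a user that is not a local account."""
    failures = Counter()
    suspicious = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[(m['ip'], m['user'])] += 1
            continue
        m = ACCEPT_RE.match(line)
        if m and m['user'] not in local_users:
            suspicious.append((m['msgid'], m['ip'], m['user']))
    return failures, suspicious


# Log lines as quoted in the post (domain placeholders left as they appear).
LOG_LINES = [
    '2003-12-21 20:31:57 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)',
    '2003-12-21 20:32:02 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)',
    '2003-12-21 20:32:12 1AY55v-00011s-Eq <= ameill3@??? H=(dfasfd-vojmlg22) [218.70.9.128] P=asmtp A=login:webmaster S=253',
    '2003-12-21 20:32:15 1AY55v-00011s-Eq => ameill2@??? R=dnslookup T=remote_smtp H=mail-g2.chinadns.com [211.154.211.77]',
    '2003-12-21 20:32:15 1AY55v-00011s-Eq Completed',
    '2003-12-21 20:32:16 no host name found for IP address 218.70.9.128',
    '2003-12-21 20:32:25 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)',
    '2003-12-21 20:32:30 login authenticator failed for (dfasfd-vojmlg22) [218.70.9.128]: 535 Incorrect authentication data (set_id=webmaster)',
]

# Constructed for the example: accounts that actually exist on the box.
LOCAL_USERS = {'kanth', 'root'}


if __name__ == '__main__':
    # A password containing a colon is split wrongly by the raw config.
    print(exim_pam_split(pam_arg_raw('alice', 'pa:ss')))      # ['alice', 'pa', 'ss']
    print(exim_pam_split(pam_arg_escaped('alice', 'pa:ss')))  # ['alice', 'pa:ss']
    failures, suspicious = scan_mainlog(LOG_LINES, LOCAL_USERS)
    for (ip, user), n in failures.items():
        print('%d failed LOGIN attempts from %s for set_id=%s' % (n, ip, user))
    for msgid, ip, user in suspicious:
        print('message %s from %s accepted as unknown user %s' % (msgid, ip, user))
```

With the raw form the password field would be split at its colon, so PAM would receive a truncated password; with the sg-escaped form the whole password survives as one field. The scanner reports four 535 responses from 218.70.9.128 for set_id=webmaster and one accepted message authenticated as that unknown user.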