saslauthd attack




I'm seeing a lot of activity over the last two days with what looks to 
be a kiddie script. Mostly trying to access several of our servers with 
the username anna. All failed... in fact I don't think we have a user 
anna on any of our servers. Meanwhile...

I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also 
running fail2ban on some and Ossec on others. So far, no blocking is 
being done. When I look at the logs all I find is under messages and 
here is a sample:

Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

So, I can't write a rule to block this attack as I can't find any IP 
address to block. I've looked and googled till my eyes are red and can't 
find where to set logging in saslauthd, or wherever it needs to be set, 
to record the IP address generating these failures. Does anyone have an 
idea?

Also, some may wish to do a grep 'do_auth' on messages to see if this is 
happening to you. They sometimes come in rapid succession.

John Hinton
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
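The grep suggested in the post tells you whether the do_auth failures are present; the script below, an added example that is not part of the original post or of any CentOS or Cyrus SASL tooling, goes one step further and does what a person reading /var/log/messages by hand would do: it parses each saslauthd failure line into its fields, counts failures per user, and flags runs of failures that arrive in rapid succession (a configurable number within a configurable window). The sample log is constructed for the example, modelled on the lines quoted above plus one unrelated line to show that non-matching entries are ignored; the window and threshold values are arbitrary choices. Since the saslauthd line itself carries no client address, the output is who and when, which you would then line up against the mail server's own log for the same timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modelled on the lines in the post; the last line
# is unrelated noise added to show that it is skipped.
SAMPLE_LOG = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 07:01:01 neptune crond[4100]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One saslauthd do_auth failure line: syslog timestamp, host, pid, then the
# bracketed key=value fields exactly as they appear in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: do_auth\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]"
)


def parse_failures(text):
    """Return a list of dicts, one per do_auth failure line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing deltas within one log file (assumption: no year rollover).
        rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
        records.append(rec)
    return records


def count_by_user(records):
    """Failure count per attempted username (the 'anna' tally from the post)."""
    counts = defaultdict(int)
    for r in records:
        counts[r["user"]] += 1
    return dict(counts)


def find_bursts(records, window_seconds=60, threshold=3):
    """Flag runs of >= threshold failures for one user inside window_seconds.

    Uses a sliding window over each user's sorted timestamps; overlapping
    windows are merged so one rapid run is reported once.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["time"])

    def as_burst(user, times, span):
        return {"user": user, "start": times[span[0]].strftime("%b %d %H:%M:%S"),
                "end": times[span[1]].strftime("%b %d %H:%M:%S"),
                "count": span[1] - span[0] + 1}

    bursts = []
    for user, times in by_user.items():
        times.sort()
        i = 0          # left edge of the sliding window
        current = None # [start_idx, end_idx] of the burst being assembled
        for j, t in enumerate(times):
            while (t - times[i]).total_seconds() > window_seconds:
                i += 1
            if j - i + 1 >= threshold:
                if current is not None and i <= current[1]:
                    current[1] = j          # extend the run we are already in
                else:
                    if current is not None:
                        bursts.append(as_burst(user, times, current))
                    current = [i, j]
        if current is not None:
            bursts.append(as_burst(user, times, current))
    return bursts


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    print("failures per user:", count_by_user(recs))
    for b in find_bursts(recs):
        print(f"burst: user={b['user']} {b['start']} .. {b['end']} ({b['count']} failures)")
```

Run it against the real file with `python3 saslfail.py < /dev/null` after replacing SAMPLE_LOG with `open("/var/log/messages").read()`, or just pipe `grep do_auth /var/log/messages` into a small wrapper that calls parse_failures on stdin. On the sample it reports two bursts for anna, one of three failures around 05:23 and one of four around 06:56, which matches the "rapid succession" pattern the post describes.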
