I suppose that you are using SMTP authentication with SASL. From the log "service=smtp"... so, in fact, the attack is coming from the SMTP server and not directly to the SASL. I guess that someone is trying to do a brute force attack on the SMTP server.

Regards
Lincoln

On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster@xxxxxxxx> wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our servers. Meanwhile...
>
> I'm running Sendmail. This pertains to CentOS 4 and 5 servers. I'm also
> running fail2ban on some and OSSEC on others. So far, no blocking is
> being done. When I look at the logs all I find is under messages and
> here is a sample:
>
> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>
> So, I can't write a rule to block this attack as I can't find any IP
> address to block. I've looked and googled till my eyes are red and can't
> find where to set logging in saslauthd or wherever it needs to be set
> to record the IP address generating these failures. Does anyone have an
> idea?
>
> Also, some may wish to do a grep 'do_auth' on messages to see if this is
> happening to you. They sometimes come in rapid succession.
>
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php
"How often must a question be asked before it's considered a frequently asked question?"
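As an added example (not part of the thread), the following script turns John's suggested `grep 'do_auth'` into a small detector for the "rapid succession" pattern: it parses the exact saslauthd line format quoted above and reports clusters of failures per user. Because saslauthd only sees the username and service, not the client address, the output is keyed by user and time; the sample log embedded below is constructed from the lines in the thread, and the year, burst threshold and gap are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the saslauthd lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""

# syslog timestamp (no year), hostname, then the saslauthd do_auth failure text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ saslauthd\[\d+\]: "
    r"do_auth : auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<svc>[^\]]*)\]"
)

def parse_failures(lines, year=2010):
    """Return (timestamp, user, service) for each saslauthd failure line.
    syslog omits the year, so one is assumed (default 2010, the thread's date)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["svc"]))
    return out

def find_bursts(failures, threshold=3, max_gap=60):
    """Group each user's failures into clusters where consecutive failures are at
    most max_gap seconds apart; return (user, first_ts, count) for clusters of
    at least threshold failures, i.e. the 'rapid succession' John describes."""
    by_user = defaultdict(list)
    for ts, user, _svc in failures:
        by_user[user].append(ts)
    bursts = []
    for user, times in sorted(by_user.items()):
        times.sort()
        cluster = [times[0]]
        for t in times[1:]:
            if (t - cluster[-1]).total_seconds() <= max_gap:
                cluster.append(t)
            else:
                if len(cluster) >= threshold:
                    bursts.append((user, cluster[0], len(cluster)))
                cluster = [t]
        if len(cluster) >= threshold:
            bursts.append((user, cluster[0], len(cluster)))
    return bursts

if __name__ == "__main__":
    import sys  # pass /var/log/messages as the first argument to scan a real log
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for user, first, n in find_bursts(parse_failures(src)):
        print(f"{user}: {n} failures starting {first:%b %d %H:%M:%S}")
```

On the sample it reports two bursts for user anna (3 failures from 05:23:08 and 4 from 06:56:53); the client IP still has to come from the MTA's own log, since saslauthd never receives it.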