Re: saslauthd attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
figure out how to log the IP addresses for this attack.

The system is saslauthd running as a service... sendmail and dovecot 
setup. I have log levels in sendmail set to 14. Something has to be able 
to log the offender(s).

Any ideas what I'm missing or where to look?

John

Lincoln Zuljewic Silva wrote:
> I supose that you are using SMTP authentication with SASL.
>
> >From the log "service=smtp"...so, in fact, the attack is coming from
> the SMTP server and not directly to the SASL.
>
> I guess that someone is trying to do a brute force attack on the SMTP server.
>
> Regards
> Lincoln
>
> On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster@xxxxxxxx> wrote:
>   
>> I'm seeing a lot of activity over the last two days with what looks to
>> be a kiddie script. Mostly trying to access several of our servers with
>> the username anna. All failed... in fact I don't think we have a user
>> anna on any of our servers. Meanwhile...
>>
>> I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
>> running fail2ban on some and Ossec on others. So far, no blocking is
>> being done. When I look at the logs all I find is under messages and
>> here is a sample:
>>
>> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>
>> So, I can't write a rule to block this attack as I can't find any IP
>> address to block. I've looked and googled til my eyes are red and can't
>> find where to set logging in saslauthd or where ever it needs to be set
>> to record the IP address generating these failures. Does anyone have an
>> idea?
>>
>> Also, some may wish to do a grep 'do_auth' on messages to see if this is
>> happening to you. They sometimes come in rapid succession.
>>
>> John Hinton
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>     
>
>
>
>   

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux