Perhaps you can use netstat to identify who is currently connected to the machine. Then run it several times over a short period and block the most likely culprits?

John Hinton wrote:
> Yes... most of them. Just the new PITA. Anyway... I still can't seem to
> figure out how to log the IP addresses for this attack.
>
> The system is saslauthd running as a service... sendmail and dovecot
> set up. I have log levels in sendmail set to 14. Something has to be able
> to log the offender(s).
>
> Any ideas what I'm missing or where to look?
>
> John
>
> Lincoln Zuljewic Silva wrote:
>
>> I suppose that you are using SMTP authentication with SASL.
>>
>> From the log "service=smtp"... so, in fact, the attack is coming from
>> the SMTP server and not directly to the SASL.
>>
>> I guess that someone is trying to do a brute force attack on the SMTP server.
>>
>> Regards
>> Lincoln
>>
>> On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster@xxxxxxxx> wrote:
>>
>>> I'm seeing a lot of activity over the last two days with what looks to
>>> be a kiddie script. Mostly trying to access several of our servers with
>>> the username anna. All failed... in fact I don't think we have a user
>>> anna on any of our servers. Meanwhile...
>>>
>>> I'm running Sendmail. This pertains to CentOS 4 and 5 servers. I'm also
>>> running fail2ban on some and OSSEC on others. So far, no blocking is
>>> being done. When I look at the logs all I find is under messages and
>>> here is a sample:
>>>
>>> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>>
>>> So, I can't write a rule to block this attack as I can't find any IP
>>> address to block. I've looked and googled till my eyes are red and can't
>>> find where to set logging in saslauthd or wherever it needs to be set
>>> to record the IP address generating these failures. Does anyone have an
>>> idea?
>>>
>>> Also, some may wish to do a grep 'do_auth' on messages to see if this is
>>> happening to you. They sometimes come in rapid succession.
>>>
>>> John Hinton
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS@xxxxxxxxxx
>>> http://lists.centos.org/mailman/listinfo/centos
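John's suggestion to grep 'do_auth' in messages and watch for failures arriving in rapid succession can be turned into a small triage script. The following is an added example, not code from the thread or from saslauthd: it parses the exact log lines John posted (embedded below as constructed sample input, assumed to come from /var/log/messages on the host neptune), counts failures per user, and flags bursts of failures inside a sliding time window. Because syslog timestamps carry no year, the parser assumes the year 2010 from the thread date. Note what the parser cannot extract: the do_auth line has no client-address field at all, which is exactly why these lines alone cannot feed a fail2ban or OSSEC block rule; the script is for spotting and sizing the activity, and the address has to come from another log source.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample input: the saslauthd lines from John's message.
SAMPLE_LOG = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""

# Assumption: syslog stamps have no year; 2010 is taken from the thread date.
LOG_YEAR = 2010

# Matches the saslauthd do_auth failure format seen above. There is no
# client-address group because the line simply does not contain one.
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: do_auth : auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]$"
)


@dataclass
class AuthFailure:
    ts: datetime
    host: str
    pid: int
    user: str
    service: str
    realm: str
    mech: str
    reason: str


@dataclass
class Burst:
    user: str
    start: datetime
    end: datetime
    count: int


def parse_failures(text: str, year: int = LOG_YEAR) -> List[AuthFailure]:
    """Return one AuthFailure per do_auth failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        events.append(AuthFailure(ts, m["host"], int(m["pid"]), m["user"],
                                  m["service"], m["realm"], m["mech"], m["reason"]))
    return events


def failures_per_user(events: List[AuthFailure]) -> Dict[str, int]:
    """Count failures per attempted username (the only identifier the line offers)."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def find_bursts(events: List[AuthFailure], window_seconds: int = 60,
                threshold: int = 3) -> List[Burst]:
    """Flag runs of >= threshold failures for one user within window_seconds.

    Sliding window over the sorted timestamps; once a burst is reported the
    scan resumes after it so overlapping windows are not reported twice.
    """
    by_user: Dict[str, List[datetime]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev.ts)
    bursts = []
    for user, times in by_user.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            n = j - i + 1
            if n >= threshold:
                bursts.append(Burst(user, times[i], times[j], n))
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("failures per user:", failures_per_user(evs))
    for b in find_bursts(evs):
        print(f"{b.user}: {b.count} failures between {b.start:%H:%M:%S} and {b.end:%H:%M:%S}")
```

On the sample above the script reports seven failures for the user anna, a burst of three between 05:23:08 and 05:23:58 and a burst of four between 06:56:53 and 06:56:59. To run it over a real file, replace SAMPLE_LOG with the contents of /var/log/messages; the window and threshold are plain parameters, so they can be tuned to whatever rate counts as "rapid succession" on a given server.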