I'm seeing a lot of activity over the last two days with what looks to be a kiddie script. Mostly trying to access several of our servers with the username anna. All failed... in fact I don't think we have a user anna on any of our servers. Meanwhile...

I'm running Sendmail. This pertains to CentOS 4 and 5 servers. I'm also running fail2ban on some and OSSEC on others. So far, no blocking is being done. When I look at the logs all I find is under messages and here is a sample:

Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

So, I can't write a rule to block this attack as I can't find any IP address to block. I've looked and googled till my eyes are red and can't find where to set logging in saslauthd, or wherever it needs to be set, to record the IP address generating these failures. Does anyone have an idea?

Also, some may wish to do a grep 'do_auth' on messages to see if this is happening to you. They sometimes come in rapid succession.

John Hinton
I suppose that you are using SMTP authentication with SASL. From the log "service=smtp"... so, in fact, the attack is coming from the SMTP server and not directly to the SASL. I guess that someone is trying to do a brute force attack on the SMTP server.

Regards
Lincoln

On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster at ew3d.com> wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our servers. Meanwhile...
> [...]
> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> [...]
> So, I can't write a rule to block this attack as I can't find any IP
> address to block. I've looked and googled till my eyes are red and can't
> find where to set logging in saslauthd or wherever it needs to be set
> to record the IP address generating these failures. Does anyone have an
> idea?
>
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php
"How often must a question be asked before it's considered a frequently asked question?"
John Hinton wrote:
> Yes... most of them. Just the new PITA. Anyway... I still can't seem to
> figure out how to log the IP addresses for this attack.

I'd use iptables to log connections on that port and then time-correlate with the log entries from saslauthd.

Best,

---
Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
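Les Bell's suggestion worked through as a script (an added example, not code from anyone in this thread): it pairs each saslauthd "do_auth" failure in /var/log/messages with the most recent new connection to port 25 that an iptables LOG rule recorded, and counts failures per source address. It assumes a logging rule with the prefix "SMTP-CONN: " (the prefix, the 30-second window and the threshold of 3 are my choices), and the log lines are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages: the saslauthd failures as posted,
# interleaved with kernel lines such as
#   iptables -A INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-CONN: "
# would write for each new connection. IPs are documentation addresses.
MESSAGES = """\
Feb 10 05:23:06 neptune kernel: SMTP-CONN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=25 SYN
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:24 neptune kernel: SMTP-CONN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51240 DPT=25 SYN
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:40 neptune kernel: SMTP-CONN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=25 SYN
Feb 10 05:23:56 neptune kernel: SMTP-CONN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51251 DPT=25 SYN
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""

TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
CONN_RE = re.compile(TS + r"kernel: SMTP-CONN: .*?SRC=(?P<src>[\d.]+) .*?DPT=25\b")
FAIL_RE = re.compile(TS + r"saslauthd\[\d+\]: do_auth\s*: auth failure: "
                     r"\[user=(?P<user>[^\]]*)\] \[service=smtp\]")

def parse_ts(s):
    # syslog timestamps carry no year; fine for ordering within one file
    return datetime.strptime(s, "%b %d %H:%M:%S")

def attribute_failures(log_text, window=timedelta(seconds=30)):
    """Pair each saslauthd failure with the most recent port-25 SYN logged
    at most `window` before it. Returns [(time, user, src_ip_or_None)]."""
    conns, results = [], []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append((parse_ts(m.group("ts")), m.group("src")))
            continue
        m = FAIL_RE.match(line)
        if m:
            t = parse_ts(m.group("ts"))
            # If several clients connected inside the window the pairing is a
            # guess; the threshold in block_candidates() keeps one coincidence
            # from implicating a legitimate sender.
            recent = [c for c in conns if t - window <= c[0] <= t]
            results.append((t, m.group("user"), recent[-1][1] if recent else None))
    return results

def block_candidates(log_text, threshold=3, window=timedelta(seconds=30)):
    """Source IPs paired with at least `threshold` failures: what a deny rule needs."""
    hits = Counter(r[2] for r in attribute_failures(log_text, window) if r[2])
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

Run against a real messages file, the result is the list of addresses to feed to fail2ban or an iptables DROP rule; the 05:23:40 connection from the second address is never counted because no failure follows it closely enough.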
On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our servers. Meanwhile...
> [...]
> So, I can't write a rule to block this attack as I can't find any IP
> address to block. I've looked and googled till my eyes are red and can't
> find where to set logging in saslauthd or wherever it needs to be set
> to record the IP address generating these failures. Does anyone have an
> idea?

In my case the last one was on the 19th of January, and came from an IP in China, 118-167-9-72.dynamic.hinet.net [118.167.9.72]. Took it from /var/spool/maillog.

Actually I'm running Postfix with sasl, and the portion of maillog I was looking for was: SASL LOGIN authentication failed. Don't know how it will be on sendmail, though.

HTH,
Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
================================================
"Does it worry you that you don't talk any kind of sense?"