On Wed, 2010-02-10 at 22:33 -0500, John Hinton wrote:
Yes... most of them. Just the new PITA. Anyway... I still can't seem to figure out how to log the IP addresses for this attack.
The system is saslauthd running as a service... sendmail and dovecot setup. I have log levels in sendmail set to 14. Something has to be able to log the offender(s).
Any ideas what I'm missing or where to look?
John
Lincoln Zuljewic Silva wrote:
I supose that you are using SMTP authentication with SASL.
From the log "service=smtp"...so, in fact, the attack is coming from
the SMTP server and not directly to the SASL.
I guess that someone is trying to do a brute force attack on the SMTP server.
Regards Lincoln
On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmaster@ew3d.com wrote:
I'm seeing a lot of activity over the last two days with what looks to be a kiddie script. Mostly trying to access several of our servers with the username anna. All failed... in fact I don't think we have a user anna on any of our servers. Meanwhile...
I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also running fail2ban on some and Ossec on others. So far, no blocking is being done. When I look at the logs all I find is under messages and here is a sample:
<snip>
I use denyhosts which has worked well for me. I have two IPs which have been under attack mostly on ssh, some on dovecot, periodically for the last six weeks. Offending IPs are logged when blocked, but they just switch IPs as well as login user names.
At least with denyhosts the IPs are readily available.
Cheers. B.J.
CentOS 5.4, Linux 2.6.18-164.11.1.el5 athlon 05:24:40 up 9:38, 1 user, load average: 0.33, 0.17, 0.19