[CentOS] saslauthd attack

Thu Feb 11 03:48:05 UTC 2010
Clint Dilks <clintd at scms.waikato.ac.nz>

Perhaps you can use netstat to identify who is currently connected to 
the machine.  Then run it several times over a short period and block 
the most likely culprits?


John Hinton wrote:
> Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
> figure out how to log the IP addresses for this attack.
>
> The system is saslauthd running as a service... sendmail and dovecot 
> setup. I have log levels in sendmail set to 14. Something has to be able 
> to log the offender(s).
>
> Any ideas what I'm missing or where to look?
>
> John
>
> Lincoln Zuljewic Silva wrote:
>> I suppose that you are using SMTP authentication with SASL.
>>
>> From the log "service=smtp"...so, in fact, the attack is coming from
>> the SMTP server and not directly to the SASL.
>>
>> I guess that someone is trying to do a brute force attack on the SMTP server.
>>
>> Regards
>> Lincoln
>>
>> On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster at ew3d.com> wrote:
>>> I'm seeing a lot of activity over the last two days with what looks to
>>> be a kiddie script. Mostly trying to access several of our servers with
>>> the username anna. All failed... in fact I don't think we have a user
>>> anna on any of our servers. Meanwhile...
>>>
>>> I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
>>> running fail2ban on some and Ossec on others. So far, no blocking is
>>> being done. When I look at the logs all I find is under messages and
>>> here is a sample:
>>>
>>> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>>>
>>> So, I can't write a rule to block this attack as I can't find any IP
>>> address to block. I've looked and googled til my eyes are red and can't
>>> find where to set logging in saslauthd or where ever it needs to be set
>>> to record the IP address generating these failures. Does anyone have an
>>> idea?
>>>
>>> Also, some may wish to do a grep 'do_auth' on messages to see if this is
>>> happening to you. They sometimes come in rapid succession.
>>>
>>> John Hinton
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>
>
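John's "grep 'do_auth' on messages" check, carried a step further as an added example (not code from the thread): it parses the saslauthd failure lines quoted above and reports, per host/user/service, the largest number of failures inside a sliding time window, so the "rapid succession" bursts stand out. It also makes the thread's core problem explicit: the parsed record has no client address field, so the burst's host and time range are what you take to the MTA's own log to find the source. The sample lines are the ones quoted in the thread; the year is assumed, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the saslauthd lines quoted in the thread, one record per line.
SAMPLE = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
""".splitlines()

# syslog prefix, then saslauthd's "do_auth : auth failure:" and its bracketed key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: do_auth\s*: auth failure: (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_line(line, year=2010):
    """Return one failure as a dict, or None if the line is not a saslauthd failure.
    The record has user/service/realm/mech/reason only: saslauthd never sees the
    client address, so it cannot log it; that lives with the MTA that called it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))   # e.g. realm -> '' (empty)
    # syslog timestamps carry no year; the caller supplies it (assumed 2010 here)
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rec["host"], rec["pid"] = m.group("host"), int(m.group("pid"))
    return rec

def peak_failures(lines, window_seconds=60):
    """For each (host, user, service): the most failures seen in any interval of
    window_seconds, found with a sliding window over the sorted timestamps."""
    stamps = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        stamps[(rec["host"], rec.get("user"), rec.get("service"))].append(rec["ts"])
    peaks = {}
    for key, ts in stamps.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1          # drop timestamps that fell out of the window
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks
```

Run it over `/var/log/messages` by passing `open("/var/log/messages")` instead of `SAMPLE`; on the thread's sample it reports 4 failures for anna within 60 seconds on neptune.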