[CentOS] saslauthd attack

Thu Feb 11 06:18:37 UTC 2010
kalinix <calin.kalinix.cosma at gmail.com>

On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:

> I'm seeing a lot of activity over the last two days with what looks to 
> be a kiddie script. Mostly trying to access several of our servers with 
> the username anna. All failed... in fact I don't think we have a user 
> anna on any of our servers. Meanwhile...
> 
> I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also 
> running fail2ban on some and Ossec on others. So far, no blocking is 
> being done. When I look at the logs all I find is under messages and 
> here is a sample:
> 
> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: 
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> 
> So, I can't write a rule to block this attack as I can't find any IP 
> address to block. I've looked and googled til my eyes are red and can't 
> find where to set logging in saslauthd or where ever it needs to be set 
> to record the IP address generating these failures. Does anyone have an 
> idea?
> 
> Also, some may wish to do a grep 'do_auth' on messages to see if this is 
> happening to you. They sometimes come in rapid succession.
> 
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos


In my case the last one was on 19th of January, and came from an IP in
China 118-167-9-72.dynamic.hinet.net [118.167.9.72]. Took it
from /var/spool/maillog.

Actually I'm running Postfix with sasl, and the portion of maillog I was
looking for was: SASL LOGIN authentication failed. Don't know how it
will be on sendmail, though.

HTH,


Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=================================================
"Does it worry you that you don't talk any kind of sense? "
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20100211/76aacda2/attachment-0004.html>