[CentOS] saslauthd attack

Wed Feb 10 23:22:25 UTC 2010
Lincoln Zuljewic Silva <lincolnzsilva at gmail.com>

I suppose that you are using SMTP authentication with SASL.

From the log "service=smtp"...so, in fact, the attack is coming from
the SMTP server and not directly to the SASL.

I guess that someone is trying to do a brute force attack on the SMTP server.

Regards
Lincoln

On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <webmaster at ew3d.com> wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our servers. Meanwhile...
>
> I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
> running fail2ban on some and Ossec on others. So far, no blocking is
> being done. When I look at the logs all I find is under messages and
> here is a sample:
>
> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure:
> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>
> So, I can't write a rule to block this attack as I can't find any IP
> address to block. I've looked and googled til my eyes are red and can't
> find where to set logging in saslauthd or where ever it needs to be set
> to record the IP address generating these failures. Does anyone have an
> idea?
>
> Also, some may wish to do a grep 'do_auth' on messages to see if this is
> happening to you. They sometimes come in rapid succession.
>
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"
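As an added illustration of the thread's point (this is not code from either poster): the saslauthd `do_auth` lines only carry user, service and mechanism, never the client address, so what can be detected from /var/log/messages alone is the timing of the failures. The script below parses the lines John quoted, groups failures per user and service, and flags bursts of several failures inside a short window, which is the kind of signal a fail2ban or OSSEC rule on saslauthd output could key on. The sample log is the one from the post; the year is assumed (syslog lines do not carry one), and the threshold and window values are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime

# saslauthd failure lines as they appear in /var/log/messages.
# The variable whitespace after "do_auth" matches the posted lines.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: do_auth\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]"
)

# Sample input: the seven lines quoted in the original post.
SAMPLE_LOG = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""


def parse_failures(lines, year=2010):
    """Return one dict per saslauthd auth failure; other lines are ignored.

    Syslog timestamps have no year, so the caller supplies one (assumed 2010
    here to match the post). Note there is no IP field to extract: saslauthd
    never sees the client, only the MTA that asked it to check a password.
    """
    events = []
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def find_bursts(events, threshold=3, window_seconds=60):
    """Flag runs of >= threshold failures for one (user, service) pair that
    all fall within window_seconds of the first one. Each failure is reported
    in at most one burst, so overlapping windows do not double-count."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["service"])].append(ev["ts"])

    bursts = []
    for (user, service), stamps in by_key.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            # Extend j while the span from stamps[i] stays inside the window.
            j = i
            while (j + 1 < len(stamps)
                   and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds):
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append({"user": user, "service": service,
                               "first": stamps[i], "last": stamps[j],
                               "count": count})
                i = j + 1  # skip past the burst we just reported
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    for b in find_bursts(evs):
        print(f"{b['count']} failures for user={b['user']} service={b['service']} "
              f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
```

On the posted sample this reports two bursts against `anna` over SMTP: three failures in the 05:23 minute and four within six seconds at 06:56. Because the source address is absent from these lines, the bursts tell you when and against which accounts to look, and the corresponding entries in the MTA's own log are where a blockable address would come from, as Lincoln notes.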