On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our servers. Meanwhile...
>
> I'm running Sendmail. This pertains to CentOS 4 and 5 servers. I'm also
> running fail2ban on some and OSSEC on others. So far, no blocking is
> being done. When I look at the logs all I find is under messages and
> here is a sample:
>
> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>
> So, I can't write a rule to block this attack as I can't find any IP
> address to block. I've looked and googled till my eyes are red and can't
> find where to set logging in saslauthd, or wherever it needs to be set,
> to record the IP address generating these failures. Does anyone have an
> idea?
>
> Also, some may wish to do a grep 'do_auth' on messages to see if this is
> happening to you. They sometimes come in rapid succession.
>
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

In my case the last one was on the 19th of January, and came from an IP in
China, 118-167-9-72.dynamic.hinet.net [118.167.9.72]. Took it from
/var/spool/maillog. Actually I'm running Postfix with sasl, and the portion
of maillog I was looking for was: SASL LOGIN authentication failed. Don't
know how it will be on sendmail, though.

HTH,
Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
=================================================
"Does it worry you that you don't talk any kind of sense? "
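The two log formats discussed in this thread side by side, as an added example that is not part of either message: the saslauthd `do_auth` line John posted carries only the user name, while the Postfix smtpd line Calin grepped for carries the client IP, which is what a fail2ban-style per-IP counter needs. The Postfix line layout and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Postfix smtpd prefixes the SASL failure text with the client name and IP.
POSTFIX_SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed")
# saslauthd's own failure line (John's /var/log/messages sample): user, no IP.
SASLAUTHD_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\]")

def parse_line(line):
    """Classify one syslog line; None if it is not a SASL auth failure."""
    m = POSTFIX_SASL_RE.search(line)
    if m:
        return {"source": "postfix", "ip": m.group("ip"), "mech": m.group("mech")}
    m = SASLAUTHD_RE.search(line)
    if m:
        return {"source": "saslauthd", "user": m.group("user")}
    return None

def failures_by_ip(lines):
    """Postfix SASL failures per client IP: the value a ban rule keys on."""
    events = (parse_line(l) for l in lines)
    return Counter(e["ip"] for e in events if e and e["source"] == "postfix")

def failures_by_user(lines):
    """saslauthd failures per user name; no address is available here."""
    events = (parse_line(l) for l in lines)
    return Counter(e["user"] for e in events if e and e["source"] == "saslauthd")

def ips_over_threshold(lines, maxretry=3):
    """IPs whose failure count reaches maxretry (fail2ban's notion of a hit)."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= maxretry)

# Constructed sample: saslauthd lines mirror John's; Postfix lines use
# documentation addresses (192.0.2.0/24, 198.51.100.0/24), not real hosts.
SAMPLE = [
    "Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
    "Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
    "Feb 10 05:23:08 neptune postfix/smtpd[4411]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Feb 10 05:23:25 neptune postfix/smtpd[4411]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Feb 10 05:23:58 neptune postfix/smtpd[4412]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Feb 10 06:56:53 neptune postfix/smtpd[4413]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Feb 10 06:56:54 neptune postfix/smtpd[4413]: connect from mail.example.net[198.51.100.7]",
]
```

Running `ips_over_threshold(SAMPLE)` on the constructed sample flags only 192.0.2.10, while `failures_by_user(SAMPLE)` shows the saslauthd side can only tell you that "anna" failed twice.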