PDA

View Full Version : smtp block brute force attacks

tal56
21st June 2008, 05:12
Hi guys,

I'm getting a lot of smtp brute force attacks lately and on my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this :

Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2049]: pam_succeed_if(smtp:auth): error retrieving information about user Hockey

What's the best way to block these attacks? Thanks
till
21st June 2008, 11:42
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
falko
21st June 2008, 11:42
fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch
tal56
21st June 2008, 15:53
Is there a fail2ban tutorial for Centos 5?
tal56
21st June 2008, 15:58
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject

Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks
falko
22nd June 2008, 14:47
Is there a fail2ban tutorial for Centos 5?

Unfortunately no...
sonoracomm
28th August 2008, 22:05
Is there a fail2ban tutorial for Centos 5?

I saw this post so I put up my notes. It's not a full howto, but it's close.

I run ISPC on Centos 5.2.

http://www.sonoracomm.com/support/18-support/228-fail2ban

G
tal56
28th August 2008, 22:27
Thanks for that, I would have helped a couple weeks ealier as I finally took the plunge and installed fail2ban. It's been working great since as far as I can tell. Only banned 2 people, but haven't had much brute force attacks since I've installed. As far as I can tell it's stopped the only 2 I've got. This may be also because I've done some other stuff to secure the server too, like change ports for SSH.
Norman
28th August 2008, 22:43
I'd suggest installing ossec and allow it to handle hosts.deny file and firewall which means stuff like this will be automaticlly stopped.
sonoracomm
28th August 2008, 22:45
I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well.

I have 250 or more bans every day between the 3 servers!

G