HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


princebenin 18th November 2007 21:35

Mail server attack
 
Hello,

In spite of the installation of "Blockhost", I still continue to be the target of attack. Can someone help me?

Extract of /var/log/auth.log
Code:

Nov 18 13:32:32 myserver saslauthd[2620]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:34 myserver saslauthd[2620]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:34 myserver saslauthd[2620]: do_auth        : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:40 myserver saslauthd[2622]: (pam_unix) check pass; user unknown
Nov 18 13:32:40 myserver saslauthd[2622]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:42 myserver saslauthd[2622]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:42 myserver saslauthd[2622]: do_auth        : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:47 myserver saslauthd[2618]: (pam_unix) check pass; user unknown
Nov 18 13:32:47 myserver saslauthd[2618]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:49 myserver saslauthd[2618]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:49 myserver saslauthd[2618]: do_auth        : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:53 myserver saslauthd[2619]: (pam_unix) check pass; user unknown
Nov 18 13:32:53 myserver saslauthd[2619]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:55 myserver saslauthd[2619]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:55 myserver saslauthd[2619]: do_auth        : auth failure: [user=notused] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) check pass; user unknown
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:02 myserver saslauthd[2621]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:02 myserver saslauthd[2621]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:02 myserver saslauthd[2621]: do_auth        : auth failure: [user=Hockey] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:08 myserver saslauthd[2620]: (pam_unix) check pass; user unknown
Nov 18 13:33:08 myserver saslauthd[2620]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:10 myserver saslauthd[2620]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:10 myserver saslauthd[2620]: do_auth        : auth failure: [user=internet] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:15 myserver saslauthd[2622]: (pam_unix) check pass; user unknown
Nov 18 13:33:15 myserver saslauthd[2622]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:17 myserver saslauthd[2622]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:17 myserver saslauthd[2622]: do_auth        : auth failure: [user=*******] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:23 myserver saslauthd[2619]: (pam_unix) check pass; user unknown
Nov 18 13:33:23 myserver saslauthd[2619]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:25 myserver saslauthd[2619]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:25 myserver saslauthd[2619]: do_auth        : auth failure: [user=Maddock] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:30 myserver saslauthd[2618]: (pam_unix) check pass; user unknown
Nov 18 13:33:30 myserver saslauthd[2618]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:32 myserver saslauthd[2618]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module


Extract of my file /var/log/mail.info
Code:

Nov 18 15:18:42 myserver postfix/smtpd[31185]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:43 myserver postfix/smtpd[31185]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:49 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:49 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:50 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:57 myserver postfix/smtpd[31183]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:57 myserver postfix/smtpd[30761]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:58 myserver postfix/smtpd[31183]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:04 myserver postfix/smtpd[30761]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:04 myserver postfix/smtpd[31188]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:05 myserver postfix/smtpd[30761]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:11 myserver postfix/smtpd[31188]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:12 myserver postfix/smtpd[31185]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:13 myserver postfix/smtpd[31188]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:28 myserver postfix/smtpd[30761]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:34 myserver postfix/smtpd[31248]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:35 myserver postfix/smtpd[31188]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:36 myserver postfix/smtpd[31188]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:42 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:42 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:43 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:49 myserver postfix/smtpd[31183]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:50 myserver postfix/smtpd[31185]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:50 myserver postfix/smtpd[31183]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:57 myserver postfix/smtpd[31248]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:57 myserver postfix/smtpd[31185]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:58 myserver postfix/smtpd[31185]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:20:04 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:20:05 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:20:06 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]


falko 19th November 2007 15:02

As far as I see all attempts are from the same IP (65.106.203.226). You can block it like this: http://www.howtoforge.com/forums/sho...t=route+reject
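
The per-IP tally behind this reply, as an added example that is not part of the original thread: the saslauthd lines in auth.log carry an empty `rhost=`, so the source address has to be read from the postfix/smtpd lines in mail.info. The function name, threshold and window are assumptions; the sample reuses failure lines from the extract above plus one constructed line from a documentation address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First six lines: copied from the mail.info extract in this thread.
# Last line: constructed (192.0.2.10 is a documentation address) to show
# that a single failed login is not flagged.
SAMPLE_LOG = """\
Nov 18 15:18:42 myserver postfix/smtpd[31185]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:49 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:57 myserver postfix/smtpd[31183]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:04 myserver postfix/smtpd[30761]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:05 myserver postfix/smtpd[30761]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:11 myserver postfix/smtpd[31188]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:20 myserver postfix/smtpd[31190]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
"""

# Matches only postfix/smtpd SASL failure warnings; connect/disconnect
# lines are ignored. The bracketed address is the client IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\spostfix/smtpd\[\d+\]:\s"
    r"warning:\s\S+\[(?P<ip>[0-9A-Fa-f:.]+)\]:\s"
    r"SASL\s\S+\sauthentication failed"
)


def sasl_offenders(lines, threshold=5, window=timedelta(minutes=2), year=2007):
    """Return {ip: peak failures inside any `window`} for IPs at or above threshold.

    Syslog timestamps carry no year, so one is supplied (assumption: the
    log does not span a year boundary).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}                     # ip -> highest count seen in one window
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sasl_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}\t{n} failed SASL logins within 2 minutes")
```

The returned addresses are the candidates for blocking by whatever method the server uses, such as the one linked in the reply.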


All times are GMT +2.