HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=15)
-   -   smtp block brute force attacks (http://www.howtoforge.com/forums/showthread.php?t=24375)

tal56 21st June 2008 04:12

smtp block brute force attacks
 
Hi guys,

I'm getting a lot of smtp brute force attacks lately, and in my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this:

Quote:

Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2049]: pam_succeed_if(smtp:auth): error retrieving information about user Hockey

What's the best way to block these attacks? Thanks

till 21st June 2008 10:42

If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject

falko 21st June 2008 10:42

fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch

tal56 21st June 2008 14:53

Is there a fail2ban tutorial for Centos 5?

tal56 21st June 2008 14:58

Quote:

Originally Posted by till (Post 132182)
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject

Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks
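The reason the IP is missing is visible in the log excerpt itself: the pam_unix failure line has an empty rhost= field, so no ban tool (fail2ban included, whose filters must capture a host address from the matched line) can act on it. The following script is an added example, not code from the thread or from any of the tools mentioned; it parses lines in the same format as the /var/log/secure excerpt, pairs each failure with the username from the pam_succeed_if line of the same saslauthd PID, and separates failures that carry an address from those that do not. The last two sample lines, with rhost=203.0.113.5, are constructed to show the address being extracted when it is present.

```python
import re
from collections import Counter

# Constructed sample in the format of the thread's /var/log/secure excerpt.
# The final two lines (rhost=203.0.113.5) are an assumption added to show a
# failure that does carry the remote address.
SAMPLE_LOG = """\
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:30 server1 saslauthd[2050]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5
Jun 19 16:24:31 server1 saslauthd[2050]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5
"""

# syslog prefix: timestamp, hostname, "saslauthd[PID]:", then the PAM message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# the failure line; rhost may be empty, exactly as in the thread's log
FAILURE_RE = re.compile(
    r"^pam_unix\(smtp:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)$"
)
# the following pam_succeed_if line names the username that was tried
USER_RE = re.compile(
    r"^pam_succeed_if\(smtp:auth\): error retrieving information about user (?P<user>\S+)$"
)


def parse_failures(text):
    """Return one record per 'authentication failure' line.

    rhost is None when the field is empty, which is why nothing downstream can
    ban on such a line.  The pam_succeed_if line from the same saslauthd PID
    supplies the attempted username.
    """
    records = []
    pending = {}  # pid -> record still waiting for its username line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        f = FAILURE_RE.match(msg)
        if f:
            rec = {"ts": m.group("ts"), "pid": pid,
                   "rhost": f.group("rhost") or None, "user": None}
            records.append(rec)
            pending[pid] = rec
            continue
        u = USER_RE.match(msg)
        if u and pid in pending:
            pending.pop(pid)["user"] = u.group("user")
    return records


def summarize(records, threshold):
    """Count failures per source address and list the addresses that reach
    the threshold a ban tool would act on.  Failures with no address are
    counted separately: they are real attempts, but this log alone cannot
    tell you where they came from."""
    by_host = Counter(r["rhost"] for r in records if r["rhost"])
    unattributable = sum(1 for r in records if not r["rhost"])
    candidates = sorted(h for h, n in by_host.items() if n >= threshold)
    return {"by_host": dict(by_host), "unattributable": unattributable,
            "candidates": candidates}


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(summarize(recs, threshold=2))
```

Run against the thread's own lines the summary reports two unattributable failures (users 123456 and notused) and no ban candidates; only the constructed lines with a populated rhost produce an address to act on. In practice that means the ban rule has to match a log line that does record the client address, such as the mail server's own log of the SASL failure, rather than these saslauthd lines.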

falko 22nd June 2008 13:47

Quote:

Originally Posted by tal56 (Post 132201)
Is there a fail2ban tutorial for Centos 5?

Unfortunately no...

sonoracomm 28th August 2008 21:05

Quote:

Originally Posted by tal56 (Post 132201)
Is there a fail2ban tutorial for Centos 5?

I saw this post so I put up my notes. It's not a full howto, but it's close.

I run ISPC on Centos 5.2.

http://www.sonoracomm.com/support/18...t/228-fail2ban

G

tal56 28th August 2008 21:27

Thanks for that, it would have helped a couple of weeks earlier, as I finally took the plunge and installed fail2ban. It's been working great since, as far as I can tell. Only banned 2 people, but I haven't had many brute force attacks since I installed it. As far as I can tell it's stopped the only 2 I've got. This may also be because I've done some other stuff to secure the server too, like changing ports for SSH.

Norman 28th August 2008 21:43

I'd suggest installing ossec and allowing it to handle the hosts.deny file and the firewall, which means stuff like this will be automatically stopped.

sonoracomm 28th August 2008 21:45

I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well.

I have 250 or more bans every day between the 3 servers!

G

