Thread: smtp attack
27th December 2012, 13:15
adrenalinic

Hi to all, and a happy coming new year!
Since last night I have been receiving continuous attacks (near 100) on my SMTP server. OSSEC does not pick them up to add the IP to the denyhost file, and no attacker IP address appears in the log!

Now I have disabled smtp and enabled smtps:
#smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp

----------------------------

Attack log:

DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]



How can I solve this situation? Why does the log not report the remote address with the ISPConfig perfect configuration?

Thanks to all for your attention.
Best regards.
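The saslauthd lines quoted in the post carry the user and service but no client address. As an added example (not part of the original post), the script below tallies those failures per user and, assuming Postfix's own `postfix/smtpd ... SASL ... authentication failed` warnings are written to the same mail log, counts failures per client IP; the sample smtpd lines and the documentation-range addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample. The saslauthd line copies the format shown in the post;
# the postfix/smtpd lines and the 192.0.2.x / 198.51.100.x addresses are made up.
SASL = ("Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: "
        "[user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]")
SMTPD = ("Dec 27 03:50:35 lvps83 postfix/smtpd[7001]: warning: unknown[{ip}]: "
         "SASL LOGIN authentication failed: authentication failure")
SAMPLE_LOG = "\n".join([
    SASL, SMTPD.format(ip="192.0.2.10"),
    SASL, SMTPD.format(ip="192.0.2.10"),
    SASL, SMTPD.format(ip="192.0.2.10"),
    SMTPD.format(ip="198.51.100.7"),
    "Dec 27 03:50:36 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.",
])

# saslauthd: who was tried, against which service (no client address here).
SASLAUTHD_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: "
    r"\[user=([^\]]*)\] \[service=([^\]]*)\]")
# Postfix smtpd: the client address sits in brackets after the hostname.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed")

def summarize(log_text):
    """Return (failures per (user, service), failures per client IP)."""
    users, ips = Counter(), Counter()
    for line in log_text.splitlines():
        m = SASLAUTHD_RE.search(line)
        if m:
            users[(m.group(1), m.group(2))] += 1
            continue
        m = SMTPD_RE.search(line)
        if m:
            ips[m.group(1)] += 1
    return users, ips

def offenders(ips, threshold=3):
    """Client IPs with at least `threshold` failed SASL logins."""
    return sorted(ip for ip, n in ips.items() if n >= threshold)

if __name__ == "__main__":
    users, ips = summarize(SAMPLE_LOG)
    for (user, service), n in users.most_common():
        print(f"{n:4d} failures for user={user} service={service}")
    for ip in offenders(ips):
        print(f"block candidate: {ip} ({ips[ip]} failures)")
```
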