Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General
Reload this Page smtp block brute force attacks
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
Page 1 of 2 1 2
 
Thread Tools Display Modes
  #1  
Old 21st June 2008, 04:12
tal56 tal56 is offline
Member
  
Join Date: Oct 2007
Posts: 91
Thanks: 10
Thanked 2 Times in 2 Posts
Default smtp block brute force attacks
Hi guys,

I'm getting a lot of smtp brute force attacks lately and on my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this :

Quote:
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2049]: pam_succeed_if(smtp:auth): error retrieving information about user Hockey
What's the best way to block these attacks? Thanks
Reply With Quote
Sponsored Links
  #2  
Old 21st June 2008, 10:42
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,908
Thanks: 693
Thanked 4,196 Times in 3,212 Posts
Default
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 21st June 2008, 14:58
tal56 tal56 is offline
Member
  
Join Date: Oct 2007
Posts: 91
Thanks: 10
Thanked 2 Times in 2 Posts
Default
Quote:
Originally Posted by till View Post
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks
Reply With Quote
  #4  
Old 17th November 2010, 18:30
hairydog2 hairydog2 is offline
Senior Member
  
Join Date: Oct 2005
Posts: 192
Thanks: 9
Thanked 1 Time in 1 Post
Default
Quote:
Originally Posted by till View Post
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
I tried to do this, but got

SIOCADDRT: No such device

Any suggestions?
Reply With Quote
  #5  
Old 18th November 2010, 16:10
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Default
There seems to be something wrong with one of your network interfaces. Did you try to reboot the server?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #6  
Old 18th November 2010, 16:21
hairydog2 hairydog2 is offline
Senior Member
  
Join Date: Oct 2005
Posts: 192
Thanks: 9
Thanked 1 Time in 1 Post
Default
Quote:
Originally Posted by falko View Post
There seems to be something wrong with one of your network interfaces. Did you try to reboot the server?
Oddly enough, when I tried again later, it worked!
Reply With Quote
  #7  
Old 21st June 2008, 10:42
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Default
fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #8  
Old 21st June 2008, 14:53
tal56 tal56 is offline
Member
  
Join Date: Oct 2007
Posts: 91
Thanks: 10
Thanked 2 Times in 2 Posts
Default
Is there a fail2ban tutorial for Centos 5?
Reply With Quote
  #9  
Old 22nd June 2008, 13:47
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Default
Quote:
Originally Posted by tal56 View Post
Is there a fail2ban tutorial for Centos 5?
Unfortunately no...
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #10  
Old 28th August 2008, 21:05
sonoracomm sonoracomm is offline
Member
  
Join Date: Aug 2006
Posts: 32
Thanks: 6
Thanked 4 Times in 2 Posts
Default
Quote:
Originally Posted by tal56 View Post
Is there a fail2ban tutorial for Centos 5?
I saw this post so I put up my notes. It's not a full howto, but it's close.

I run ISPC on Centos 5.2.

http://www.sonoracomm.com/support/18...t/228-fail2ban

G
Last edited by sonoracomm; 28th August 2008 at 21:46.
Reply With Quote
Reply
Page 1 of 2 1 2

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
sending e-mail using mail() function linuxuser1 HOWTO-Related Questions 38 21st April 2009 12:20
Does hosts.deny work against SMTP RCPT brute force attacks aceyzeriat Installation/Configuration 2 26th August 2007 17:18
Preventing Brute Force Attacks With Fail2ban On Debian Etch Jarek Buczyński HOWTO-Related Questions 6 10th August 2007 19:23
sshD brute force attacks: pam_abl to prevent Pasco Installation/Configuration 4 3rd May 2007 13:34
Centos 4.4 32bit Hangs, High Server load 3cwired_com Server Operation 11 16th November 2006 15:47


All times are GMT +2. The time now is 18:21.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.