HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General

#1
21st June 2008, 04:12
tal56
Member
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

smtp block brute force attacks

Hi guys,

I'm getting a lot of SMTP brute force attacks lately, and in my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this:

Quote:
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2049]: pam_succeed_if(smtp:auth): error retrieving information about user Hockey
What's the best way to block these attacks? Thanks
#2
21st June 2008, 10:42
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,717
Thanks: 820
Thanked 5,322 Times in 4,175 Posts

If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
21st June 2008, 10:42
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,739 Times in 2,574 Posts

fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#4
21st June 2008, 14:53
tal56
Member
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

Is there a fail2ban tutorial for Centos 5?
#5
21st June 2008, 14:58
tal56
Member
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by till View Post
If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject
Till, how do I find out the IP? Normally I also see the IP in the log file, but for these there's nothing. Thanks
#6
22nd June 2008, 13:47
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,739 Times in 2,574 Posts

Quote:
Originally Posted by tal56 View Post
Is there a fail2ban tutorial for Centos 5?
Unfortunately no...
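The PAM lines quoted in post #1 come from saslauthd, which only receives a username and password over its local socket from the SMTP daemon and never sees the client connection, so its rhost= field is always empty. The connecting address is logged by the SMTP daemon itself. The following is an added example for this thread, not code from ISPConfig, fail2ban or any of the posters. It assumes the MTA is Postfix with Cyrus SASL, so each failed AUTH also produces a postfix/smtpd "warning: host[ip]: SASL LOGIN authentication failed" line in the mail log; the log lines, host names and IPs (TEST-NET addresses) are constructed for the example, and the year prepended to the syslog timestamps is an assumption because syslog omits it. It applies the same window test fail2ban's jails use (maxretry failures within findtime seconds) and prints the block commands, either Till's rejected host route or an iptables rule, without executing them.

```python
"""Recover the client IPs behind failed SMTP AUTH attempts and emit block commands.

Added example for this thread, not code from ISPConfig, fail2ban or the posters.
Assumptions (not stated on the page):
  * the MTA is Postfix using Cyrus SASL via saslauthd, so every failed AUTH is
    logged twice: once by saslauthd through PAM in /var/log/secure with an empty
    rhost= (the lines in post #1), and once by postfix/smtpd in the mail log
    with the client address in the usual form
      "warning: <host>[<ip>]: SASL <MECH> authentication failed: <reason>";
  * the year prepended to syslog timestamps is 2008, since syslog omits it.
The sample log lines below are constructed; the IPs are TEST-NET addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2008  # assumed; syslog timestamps carry no year

# Constructed sample of /var/log/maillog lines (assumed Postfix format).
# Note the mix: one host hammering within seconds, one single failure from a
# real relay, one slow attacker spreading attempts over an hour.
SAMPLE_MAILLOG = """\
Jun 19 16:24:27 server1 postfix/smtpd[3121]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 19 16:24:29 server1 postfix/smtpd[3121]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 19 16:24:29 server1 postfix/smtpd[3122]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 19 16:24:31 server1 postfix/smtpd[3123]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 19 16:25:02 server1 postfix/smtpd[3124]: warning: mail.example.net[198.51.100.4]: SASL LOGIN authentication failed: authentication failure
Jun 19 16:25:10 server1 postfix/smtpd[3124]: connect from mail.example.net[198.51.100.4]
Jun 19 17:40:00 server1 postfix/smtpd[3130]: warning: unknown[192.0.2.9]: SASL CRAM-MD5 authentication failed: authentication failure
Jun 19 17:40:01 server1 postfix/smtpd[3130]: warning: unknown[192.0.2.9]: SASL CRAM-MD5 authentication failed: authentication failure
Jun 19 18:40:05 server1 postfix/smtpd[3131]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
"""

# Same shape of pattern a fail2ban filter uses for these lines, with the host
# placeholder replaced by a named group. The host name is "unknown" when
# reverse DNS fails, which is the usual case for brute forcers.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)


def failed_auths(log_text):
    """Yield (timestamp, client_ip) for every failed SASL AUTH in log_text."""
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def count_failures(log_text):
    """Total failed AUTH attempts per client IP (no time window)."""
    counts = defaultdict(int)
    for _, ip in failed_auths(log_text):
        counts[ip] += 1
    return dict(counts)


def offenders(log_text, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside some findtime-second window.

    This is the test fail2ban's maxretry/findtime jail settings apply; a slow
    attacker who stays under maxretry per window is not caught unless findtime
    is widened.
    """
    by_ip = defaultdict(list)
    for ts, ip in failed_auths(log_text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def block_commands(ips, method="route"):
    """Build (but do not run) one block command per IP.

    "route" is what Till suggested: a rejected host route, which stops all
    traffic to that host until the next reboot. "iptables" drops only SMTP.
    """
    cmds = []
    for ip in sorted(ips):
        if method == "route":
            cmds.append(f"/sbin/route add -host {ip} reject")
        elif method == "iptables":
            cmds.append(f"/sbin/iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP")
        else:
            raise ValueError(f"unknown block method: {method}")
    return cmds


if __name__ == "__main__":
    for ip, n in sorted(count_failures(SAMPLE_MAILLOG).items()):
        print(f"{ip}: {n} failed AUTH attempts")
    for cmd in block_commands(offenders(SAMPLE_MAILLOG)):
        print(cmd)  # printed for review, never executed by this script
```

Against the sample, only 203.0.113.7 trips the default window (four failures in four seconds); 192.0.2.9 needs findtime widened to a couple of hours before its three spread-out failures count. Run it on a copy of the real mail log in place of SAMPLE_MAILLOG before trusting the regex against your Postfix version's wording. A rejected host route is a blunt tool: it also stops mail your server may legitimately need to deliver to that address, and it disappears on reboot, which is why a jail that adds and expires rules for you is the better long-term answer.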
#7
28th August 2008, 21:05
sonoracomm
Member
Join Date: Aug 2006
Posts: 32
Thanks: 6
Thanked 4 Times in 2 Posts

Quote:
Originally Posted by tal56 View Post
Is there a fail2ban tutorial for Centos 5?
I saw this post, so I put up my notes. It's not a full howto, but it's close.

I run ISPC on Centos 5.2.

http://www.sonoracomm.com/support/18...t/228-fail2ban

G

Last edited by sonoracomm; 28th August 2008 at 21:46.
#8
28th August 2008, 21:27
tal56
Member
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

Thanks for that. It would have helped a couple of weeks earlier, as I finally took the plunge and installed fail2ban. It's been working great since, as far as I can tell. It has only banned 2 people, but I haven't had many brute force attacks since I installed it. As far as I can tell it's stopped the only 2 I've got. This may also be because I've done some other stuff to secure the server too, like changing the port for SSH.
#9
28th August 2008, 21:43
Norman
HowtoForge Supporter
Join Date: May 2006
Posts: 242
Thanks: 0
Thanked 18 Times in 14 Posts

I'd suggest installing ossec and allowing it to handle the hosts.deny file and the firewall, which means stuff like this will be automatically stopped.
__________________
http://www.xh.se
#10
28th August 2008, 21:45
sonoracomm
Member
Join Date: Aug 2006
Posts: 32
Thanks: 6
Thanked 4 Times in 2 Posts

I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well.

I have 250 or more bans every day between the 3 servers!

G