smtp attack
Hi to all and happy coming new year!
Since tonight I have been receiving continuous attacks (nearly 100) on my SMTP server. OSSEC does not pick them up to add the IP to the denyhost file, and no attacker IP address appears in the log!
For now I have disabled smtp and enabled smtps:
#smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
----------------------------
Attack log:
DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
How can I solve this situation? Why does the log not report the remote address with the ISPConfig perfect configuration?
Thanks to all for your attention.
Best regards.
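
An added example, not part of the original post: the saslauthd lines above carry only the user and service, while Postfix's smtpd writes its own "SASL ... authentication failed" warning with the client address to the mail log. The sketch below counts both kinds of line; the Postfix lines, the user "info", the documentation-range addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# saslauthd failure line, in the format shown in the log above (no client address).
SASLAUTHD_FAIL = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\]")
# Postfix smtpd warning for a failed SASL login; this line names the client IP.
SMTPD_FAIL = re.compile(
    r"postfix(?:/\w+)?/smtpd\[\d+\]: warning: (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed")

# Constructed sample: saslauthd lines follow the post, postfix lines are invented.
SAMPLE = """\
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 postfix/smtpd[6101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:36 lvps83 postfix/smtpd[6101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:36 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:37 lvps83 postfix/smtpd[6101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:51:02 lvps83 saslauthd[6120]: do_auth : auth failure: [user=info] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:51:02 lvps83 postfix/smtpd[6105]: warning: mail.example.net[198.51.100.20]: SASL PLAIN authentication failed: authentication failure
"""

def count_failures(lines):
    """Return (failures per targeted user, failures per client IP)."""
    users, clients = Counter(), Counter()
    for line in lines:
        m = SASLAUTHD_FAIL.search(line)
        if m:
            users[m["user"]] += 1
            continue
        m = SMTPD_FAIL.search(line)
        if m:
            clients[m["ip"]] += 1
    return users, clients

def offenders(clients, threshold=3):
    """Client IPs with at least `threshold` failed SASL logins, worst first."""
    return [ip for ip, n in clients.most_common() if n >= threshold]

if __name__ == "__main__":
    users, clients = count_failures(SAMPLE.splitlines())
    print("targeted users:", dict(users))
    print("clients to block:", offenders(clients))
```

A log watcher that is meant to block the source needs to read the file containing the smtpd warnings, since the saslauthd lines alone give it no address to act on.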