#1
27th December 2012, 12:15
adrenalinic
Senior Member
Join Date: Jan 2006
Posts: 187
smtp attack

Hi to all, and happy new year!
Since last night I have been receiving continuous attacks (nearly 100) on my SMTP server; OSSEC does not pick them up to add the IP to the denyhosts file, and no attacker IP address appears in the log!

Now I have disabled smtp and enabled smtps:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# smtps: TLS wrapper mode on port 465, SASL required, everything else rejected.
# The "-o" override lines must be indented so master.cf reads them as part
# of the smtps entry.
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp

----------------------------

Attack log:

DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]



How can I solve this situation? Why does the log not report the remote address with the ISPConfig "perfect server" configuration?

Thanks to all for your attention.
Best regards.
#2
27th December 2012, 12:26
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,647

The above lines are from saslauthd; there must be lines from Postfix as well, and they contain the IP address of the attacker.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
27th December 2012, 13:08
adrenalinic
Senior Member
Join Date: Jan 2006
Posts: 187

Hi, thanks.
I have found them in /var/log/syslog.

But the attack arrives from more than 10 source IP addresses; why does OSSEC not detect it and add the IP addresses to the denyhosts file?

Thank you.
Best regards.
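As an added example for posts #2 and #3 (not code from the thread, ISPConfig, Postfix or OSSEC): the saslauthd lines in post #1 never carry the client address, but the Postfix smtpd warning written for the same failed login does, in the form "warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure". The script below parses both kinds of line from one syslog, counts failures per client IP from the Postfix lines and per target user from the saslauthd lines, and raises two alerts: an address to block once it exceeds a per-IP threshold, and a user under a distributed attack (many failures for one mailbox while several distinct addresses fail in the same window, the situation in post #3 where a per-IP block list stays quiet). The embedded log lines are constructed for the example with RFC 5737 documentation addresses; the thresholds and the 60-second window are assumptions, chosen in the spirit of an OSSEC rule's frequency/timeframe pair.

```python
"""Correlate failed SMTP AUTH attempts from Postfix and saslauthd log lines.

Added example for this thread, not code from ISPConfig, Postfix or OSSEC.
saslauthd logs the username and the failure reason but never the client
address; the Postfix smtpd warning for the same attempt carries the address.
Counting both gives two signals: one address hammering the server (blockable
by IP) and one mailbox tried from many addresses (the distributed case that
a per-IP block list misses).
"""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

# Postfix smtpd warning for a failed SASL login: the client address is here.
POSTFIX_SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [^\s\[]+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>[A-Z0-9-]+) authentication failed"
)

# saslauthd failure for the same attempt: username present, no address.
SASLAUTHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\] \[service=[^\]]*\]"
)

# Constructed sample in the shape of the thread's syslog, with RFC 5737
# documentation addresses. The last line is ten minutes older to show the
# time window; the "connect from" and pam_mysql lines are noise to ignore.
SAMPLE_LOG = """\
Dec 27 03:50:35 lvps83 postfix/smtpd[6200]: connect from unknown[203.0.113.7]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 postfix/smtpd[6200]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:36 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:36 lvps83 postfix/smtpd[6200]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:37 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:37 lvps83 postfix/smtpd[6201]: warning: unknown[203.0.113.8]: SASL PLAIN authentication failed: authentication failure
Dec 27 03:50:38 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:38 lvps83 postfix/smtpd[6202]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:39 lvps83 saslauthd[6117]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:39 lvps83 postfix/smtpd[6200]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:40 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:40 lvps83 postfix/smtpd[6201]: warning: unknown[203.0.113.8]: SASL PLAIN authentication failed: authentication failure
Dec 27 03:50:41 lvps83 saslauthd[6122]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:41 lvps83 postfix/smtpd[6202]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:40:00 lvps83 postfix/smtpd[6150]: warning: unknown[192.0.2.99]: SASL LOGIN authentication failed: authentication failure
"""


def _ts(text, year):
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_events(lines, year=2012):
    """Return ([(time, client_ip)], [(time, user)]) for the matching lines."""
    postfix, sasl = [], []
    for line in lines:
        m = POSTFIX_SASL_FAIL.match(line)
        if m:
            postfix.append((_ts(m["ts"], year), m["ip"]))
            continue
        m = SASLAUTHD_FAIL.match(line)
        if m:
            sasl.append((_ts(m["ts"], year), m["user"]))
    return postfix, sasl


def analyse(lines, year=2012, window=60, per_ip=3, per_user=5, min_ips=3):
    """Count failures in the `window` seconds before the newest event.

    Thresholds are assumptions for this example. `block` lists addresses
    that alone exceeded `per_ip`; `distributed` lists users hit at least
    `per_user` times while `min_ips` or more distinct clients failed.
    """
    postfix, sasl = parse_events(lines, year)
    times = [t for t, _ in postfix] + [t for t, _ in sasl]
    if not times:
        return {"ip_counts": {}, "user_counts": {}, "block": [], "distributed": []}
    end = max(times)
    start = end - timedelta(seconds=window)
    ip_counts = Counter(ip for t, ip in postfix if start <= t <= end)
    user_counts = Counter(u for t, u in sasl if start <= t <= end)
    block = sorted(ip for ip, n in ip_counts.items() if n >= per_ip)
    distributed = sorted(u for u, n in user_counts.items()
                         if n >= per_user and len(ip_counts) >= min_ips)
    return {"ip_counts": dict(ip_counts), "user_counts": dict(user_counts),
            "block": block, "distributed": distributed}


if __name__ == "__main__":
    # With a file argument, analyse real syslog lines; otherwise the sample.
    lines = (open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1
             else SAMPLE_LOG.splitlines())
    report = analyse(lines)
    for ip, n in sorted(report["ip_counts"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} failed logins from {ip}")
    for user, n in sorted(report["user_counts"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} failed logins for user {user}")
    print("block:", report["block"] or "none")
    print("distributed attack on:", report["distributed"] or "none")
```

On the sample this blocks 203.0.113.7 (three failures) and flags user james, who was tried six times from three different addresses, while the ten-minute-old line from 192.0.2.99 falls outside the window and is ignored. For real data, pass the syslog as the first argument (the year defaults to 2012 because syslog timestamps do not carry one); a per-IP block list alone would never fire for the james case, which is the reason post #3's attack from more than ten sources slips past address-based blocking.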
All times are GMT +2.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.