#1  
18th November 2007, 20:35
princebenin
Mail server attack

Hello,

In spite of the installation of "Blockhost", I still continue to be the target of attacks. Can someone help me?

Extract of /var/log/auth.log
Code:
Nov 18 13:32:32 myserver saslauthd[2620]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:34 myserver saslauthd[2620]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:34 myserver saslauthd[2620]: do_auth         : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:40 myserver saslauthd[2622]: (pam_unix) check pass; user unknown
Nov 18 13:32:40 myserver saslauthd[2622]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:42 myserver saslauthd[2622]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:42 myserver saslauthd[2622]: do_auth         : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:47 myserver saslauthd[2618]: (pam_unix) check pass; user unknown
Nov 18 13:32:47 myserver saslauthd[2618]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:49 myserver saslauthd[2618]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:49 myserver saslauthd[2618]: do_auth         : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:32:53 myserver saslauthd[2619]: (pam_unix) check pass; user unknown
Nov 18 13:32:53 myserver saslauthd[2619]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:32:55 myserver saslauthd[2619]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:32:55 myserver saslauthd[2619]: do_auth         : auth failure: [user=notused] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) check pass; user unknown
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:02 myserver saslauthd[2621]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:01 myserver saslauthd[2621]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:02 myserver saslauthd[2621]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:02 myserver saslauthd[2621]: do_auth         : auth failure: [user=Hockey] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:08 myserver saslauthd[2620]: (pam_unix) check pass; user unknown
Nov 18 13:33:08 myserver saslauthd[2620]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:10 myserver saslauthd[2620]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:10 myserver saslauthd[2620]: do_auth         : auth failure: [user=internet] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:15 myserver saslauthd[2622]: (pam_unix) check pass; user unknown
Nov 18 13:33:15 myserver saslauthd[2622]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:17 myserver saslauthd[2622]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:17 myserver saslauthd[2622]: do_auth         : auth failure: [user=*******] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:23 myserver saslauthd[2619]: (pam_unix) check pass; user unknown
Nov 18 13:33:23 myserver saslauthd[2619]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:25 myserver saslauthd[2619]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Nov 18 13:33:25 myserver saslauthd[2619]: do_auth         : auth failure: [user=Maddock] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 18 13:33:30 myserver saslauthd[2618]: (pam_unix) check pass; user unknown
Nov 18 13:33:30 myserver saslauthd[2618]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 18 13:33:32 myserver saslauthd[2618]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module

Extract of my file /var/log/mail.info
Code:
Nov 18 15:18:42 myserver postfix/smtpd[31185]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:43 myserver postfix/smtpd[31185]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:49 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:49 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:50 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:57 myserver postfix/smtpd[31183]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:57 myserver postfix/smtpd[30761]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:18:58 myserver postfix/smtpd[31183]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:04 myserver postfix/smtpd[30761]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:04 myserver postfix/smtpd[31188]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:05 myserver postfix/smtpd[30761]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:11 myserver postfix/smtpd[31188]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:12 myserver postfix/smtpd[31185]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:13 myserver postfix/smtpd[31188]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:28 myserver postfix/smtpd[30761]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:34 myserver postfix/smtpd[31248]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:35 myserver postfix/smtpd[31188]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:36 myserver postfix/smtpd[31188]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:42 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:42 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:43 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:49 myserver postfix/smtpd[31183]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:50 myserver postfix/smtpd[31185]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:50 myserver postfix/smtpd[31183]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:57 myserver postfix/smtpd[31248]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:19:57 myserver postfix/smtpd[31185]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:58 myserver postfix/smtpd[31185]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:20:04 myserver postfix/smtpd[31183]: connect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
Nov 18 15:20:05 myserver postfix/smtpd[31248]: warning: 65.106.203.226.ptr.us.xo.net[65.106.203.226]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:20:06 myserver postfix/smtpd[31248]: disconnect from 65.106.203.226.ptr.us.xo.net[65.106.203.226]
  #2  
19th November 2007, 14:02
falko

As far as I see, all attempts are from the same IP (65.106.203.226). You can block it like this: http://www.howtoforge.com/forums/sho...t=route+reject
__________________
Falko
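
Added example, not part of either post: the saslauthd lines in auth.log have an empty `rhost=`, so the source address has to come from the Postfix `SASL ... authentication failed` warnings in mail.info. The sketch below generalizes the single-IP case in the thread to any source exceeding a failure threshold inside a time window. The sample lines, the threshold, the window, the year and the `route add -host <ip> reject` form are assumptions; the exact command in the linked thread is not shown on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the mail.info extract above; the
# addresses are documentation ranges (RFC 5737), not hosts from the thread.
SAMPLE = """\
Nov 18 15:18:42 myserver postfix/smtpd[31185]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:49 myserver postfix/smtpd[31248]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:18:50 myserver postfix/smtpd[31250]: warning: mail.example.org[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Nov 18 15:18:57 myserver postfix/smtpd[31183]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:04 myserver postfix/smtpd[30761]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Nov 18 15:19:05 myserver postfix/smtpd[30761]: disconnect from unknown[192.0.2.10]
Nov 18 15:19:11 myserver postfix/smtpd[31188]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Nov 18 16:40:00 myserver postfix/smtpd[31250]: warning: mail.example.org[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def sasl_failures(log_text, year=2007):
    """Yield (timestamp, ip) per failed SASL login; syslog lines carry no year."""
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def brute_force_sources(log_text, threshold=5, window_s=60, allowlist=()):
    """Return IPs with >= threshold failures inside any window_s-second span."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip in sasl_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in allowlist:
            flagged.add(ip)
    return sorted(flagged)

def reject_route_commands(ips):
    """Render net-tools reject routes for review; nothing is executed here."""
    return [f"route add -host {ip} reject" for ip in ips]

if __name__ == "__main__":
    for cmd in reject_route_commands(brute_force_sources(SAMPLE)):
        print(cmd)
```

Put your own relay and monitoring addresses in `allowlist` before acting on the output, since a misconfigured mail client produces the same warnings.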
All times are GMT +2.

