Navigation

tal56 · #1 21st June 2008, 04:12

Hi guys,

I'm getting a lot of smtp brute force attacks lately and on my /var/log/secure logs they don't even list the IP of the person trying the attacks. They look like this :

Quote:

Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:27 server1 saslauthd[2048]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:27 server1 saslauthd[2048]: pam_succeed_if(smtp:auth): error retrieving information about user 123456
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2047]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2047]: pam_succeed_if(smtp:auth): error retrieving information about user notused
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): check pass; user unknown
Jun 19 16:24:29 server1 saslauthd[2049]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 19 16:24:29 server1 saslauthd[2049]: pam_succeed_if(smtp:auth): error retrieving information about user Hockey

What's the best way to block these attacks? Thanks

till · #2 21st June 2008, 10:42

If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject

falko · #3 21st June 2008, 10:42

fail2ban:
http://www.howtoforge.com/fail2ban_debian_etch

tal56 · #4 21st June 2008, 14:53

Is there a fail2ban tutorial for Centos 5?

tal56 · #5 21st June 2008, 14:58

Quote:

Originally Posted by till

If you know the IP of the attacker, you might use this command:

/sbin/route add -host 123.123.123.123 reject

Till, how do I find out the IP? Normally I also see the IP on the log file, but for these there's nothing. Thanks

falko · #6 22nd June 2008, 13:47

Quote:

Originally Posted by tal56

Is there a fail2ban tutorial for Centos 5?

Unfortunately no...

sonoracomm · #7 28th August 2008, 21:05

Quote:

Originally Posted by tal56

Is there a fail2ban tutorial for Centos 5?

I saw this post so I put up my notes. It's not a full howto, but it's close.

I run ISPC on Centos 5.2.

http://www.sonoracomm.com/support/18...t/228-fail2ban

G

tal56 · #8 28th August 2008, 21:27

Thanks for that, I would have helped a couple weeks ealier as I finally took the plunge and installed fail2ban. It's been working great since as far as I can tell. Only banned 2 people, but haven't had much brute force attacks since I've installed. As far as I can tell it's stopped the only 2 I've got. This may be also because I've done some other stuff to secure the server too, like change ports for SSH.

*Norman* · #9 28th August 2008, 21:43

I'd suggest installing ossec and allow it to handle hosts.deny file and firewall which means stuff like this will be automaticlly stopped.

sonoracomm · #10 28th August 2008, 21:45

I have fail2ban on 3 servers. They all have SSH, two have web servers and one has mail and ftp as well.

I have 250 or more bans every day between the 3 servers!

G

Navigation

Facebook

News

Recent comments

Newsletter