Insistent attack on new installation SASL LOGIN authentication failed

Discussion in 'Server Operation' started by Milly, Dec 19, 2019.

  1. Milly

    Milly New Member

    Hello, I have searched for information but I am not sure what is the way to solve the following or if it is normal?

    I have a new installation of the guide The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1

    In ISPConfig monitoring I can see the following message from several very insistent IPs:

    Code:
    Dec 19 13:54:54 mail postfix / smtpd [3533]: warning: unknown [46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    And I would like to know if there is any solution to block these Ips that make such an insistent attack?

    SASL LOGIN authentication failed 1.png

    SASL LOGIN authentication failed 2.png

    SASL LOGIN authentication failed 3.png
    SASL LOGIN authentication failed 4.png



    And as a separate case, ClamAV asks to update, but in Debian it indicates that version 0.102.1 is still unstable and is not updated in Debian 10.
    Do you recommend waiting or should I do the manual installation?

    sa5.png



    Thanks
     
  2. Steini86

    Steini86 Active Member

    It is good to have fail2ban. You can decrease the number of attempts and increase the bantime if you like.
    However, if the attacker use always different IPs it is difficult. Solutions depend on your setup. The IPs in your example are all from Iran. I have seen the same on my server.
    Have a look at ipset. People maintain lists of known attacker IPs and you can use them for a block list. Your mentioned IPs for example are on there.
    See for setup: https://github.com/trick77/ipset-blacklist
    The good thing is that blocking via firewall uses much less ressources than if postfix/apache has to handle these requests.

    Since I know, that I will not receive any mails from Iran/China/Russia I have additionally blocked these IP ranges and since then have drastically reduced these login attempts.
    Be aware, that this can lead to false positives if you have customers etc. that interact with people from that regions. You could also block only some specific services (IMAP/Web/SMTP ...)
     
    Last edited: Dec 20, 2019
  3. MephiaSR

    MephiaSR New Member

    SASL is unused/unneeded nowadays, deactivate and/or remove it
    Code:
    sudo dpkg -r sasl%*
    sudo mock -p:80 # if mock app is installed. Otherwise -> ignore this
    If SASL was acquired as part of natively obtained OS (like cloud provider)
    Code:
    ec2-manager -R sasl% # this will remove anything sasl from your EC2 instance (Amazon AWS)
     
    Last edited: Dec 24, 2019
  4. Steini86

    Steini86 Active Member

    As written above, Milly uses Debian10 with Postfix and ISPconfig. Can you give me more information on what lets you make the statement that SASL would be "unused/unneeded nowadays"?
    - Your command would break the system of the OP, if it would work on debian (no package sasl* is installed there)
    - I cannot see, how your post is related to the questions above (?)
     

Share This Page