possible attack - SASL LOGIN authentication failed: authentication failure

Discussion in 'Server Operation' started by sergio.morales, Oct 21, 2013.

  1. sergio.morales

    sergio.morales New Member

    Hello everyone. I am seeing in my mail.log a LOT of messages with the following information and I am trying to figure out why fail2ban is not stopping them:

    Oct 21 10:19:48 server1 postfix/smtpd[3939]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
    Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
    Oct 21 10:19:49 server1 postfix/smtpd[2525]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
    Oct 21 10:19:49 server1 postfix/smtpd[2414]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure

    What do I have to do to get this to stop? I am looking in /etc/fail2ban/jail.conf file and I see that my sasl entry is not enabled?
    [sasl]

    enabled = false
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath = /var/log/mail.log

    Is there anything in particular I should do to get this enabled? I mean, I know I could probably set that to true and reboot, but I don't want to break anything!

    sERGE
     
  2. sergio.morales

    sergio.morales New Member

    Update

    This is what the entry in my sasl.conf file looks like . . .

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$
     
  3. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Dear Serge

    It should be safe to turn the filter on.

    Regards
    Michel
     
  4. sergio.morales

    sergio.morales New Member

    Not sure things are working right

    Looks like I am getting hit hard now with a DOS attack! I need to make certain the jailing is working correctly. I am seeing all my sessions used up and my server is running very poorly. This is the error I am seeing:


    Oct 22 02:37:17 server1 postfix/smtpd[9075]: warning: 88.247.7.123: hostname 88.247.7.123.static.ttnet.com.tr verification failed: No address associated with hostname
    Oct 22 02:43:02 server1 postfix/smtpd[9169]: warning: 89.36.168.98: hostname dyn-168.98.sovata.digicomm.ro verification failed: No address associated with hostname
    Oct 22 02:46:24 server1 postfix/smtpd[9214]: warning: 200.43.14.162: hostname smtp.indiosolosa.com.ar verification failed: No address associated with hostname
    Oct 22 02:49:54 server1 postfix/smtpd[9256]: warning: 123.14.45.210: hostname hn.kd.ny.adsl verification failed: No address associated with hostname

    I don't see their IPs being jailed. Please help!
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Check fail2ban.log and compare your fail2ban rules with the ones from the perfect server guide for the Linux distribution that you use here at howtoforge.
     
  6. MaddinXx

    MaddinXx Member HowtoForge Supporter

    I'd recommend anyway that you switch to OSSEC + APF (or another firewall). OSSEC does a great job and it's easy to write custom rules etc. There's a great book on Packt Publishing called "Instant OSSEC HIDS".

    For example you can take a look at my ruleset: http://drops.frontender.ch/AlJ6/1RmuZ7Hy
     
  7. sergio.morales

    sergio.morales New Member

    thanks much guys

    Thanks so much guys for the quick replies. I can't find where to look for the rules that fail2ban should have turned on by default. I am running Ubuntu 10.4, and I am a noob at looking at these things, so any help (or hand-holding) you can provide, I'd appreciate.

    Looks like I am seeing a whole lot of different issues. The one below is the newest of the possible attacks. It looks like someone is trying to get into my email using generic accounts. How do I stop that?

    Again, thanks in advance for any help you can give me.

    sERGE




    Oct 22 22:31:49 server1 postfix/smtpd[2920]: connect from 223-93-16-190.fibertel.com.ar[190.16.93.223]
    Oct 22 22:31:50 server1 postfix/smtpd[2920]: NOQUEUE: reject: RCPT from 223-93-16-190.fibertel.com.ar[190.16.93.223]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; fr
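The three kinds of log lines pasted in this thread are not all seen by the same jail, which is the usual reason an IP "is not being jailed". The script below is an added example (not part of the thread and not fail2ban's own code): it applies the sasl failregex quoted above, substituting `<HOST>` the way fail2ban 0.8 does, to a constructed sample of the thread's lines and counts failures per source host. The "hostname verification failed" warnings match no SASL filter at all, and the `NOQUEUE: reject ... User unknown` rejects need a filter of their own; the `postfix-unknown-user` regex here is a hypothetical custom rule written for this example, not a stock fail2ban filter.

```python
import re
from collections import Counter

# fail2ban 0.8 expands the <HOST> tag in every failregex to this named group
# before compiling it; the optional prefix tolerates IPv4-mapped IPv6 addresses.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# jail name -> failregex lines as they would appear in filter.d/<jail>.conf
FILTERS = {
    # the stock sasl.conf line quoted in the thread
    "sasl": [
        r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed(: [ A-Za-z0-9+/]*={0,2})?$",
    ],
    # hypothetical custom filter for the "User unknown" rejects; not a stock fail2ban rule
    "postfix-unknown-user": [
        r"reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 <[^>]*>: Recipient address rejected: User unknown",
    ],
}


def compile_filters(filters):
    """Compile each failregex the way fail2ban does: substitute <HOST>, then re.compile."""
    return {jail: [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in regexes]
            for jail, regexes in filters.items()}


COMPILED = compile_filters(FILTERS)


def classify(line, compiled=COMPILED):
    """Return (jail, host) for the first filter matching the line, or None if no jail sees it."""
    for jail, regexes in compiled.items():
        for rx in regexes:
            m = rx.search(line)
            if m:
                return jail, m.group("host")
    return None


def failures_per_host(lines, compiled=COMPILED):
    """Count matching lines per jail and per source host, like fail2ban's failure counters."""
    counts = {jail: Counter() for jail in compiled}
    for line in lines:
        hit = classify(line, compiled)
        if hit is not None:
            jail, host = hit
            counts[jail][host] += 1
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached maxretry failures in a jail (findtime is ignored for this sample)."""
    return {jail: sorted(host for host, n in c.items() if n >= maxretry)
            for jail, c in counts.items()}


# constructed sample log: the thread's SASL failures, two of the hostname-verification
# warnings from a later post, and one recipient-harvesting reject with placeholder addresses
SAMPLE_LOG = [
    "Oct 21 10:19:48 server1 postfix/smtpd[3939]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure",
    "Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure",
    "Oct 21 10:19:49 server1 postfix/smtpd[2525]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure",
    "Oct 21 10:19:49 server1 postfix/smtpd[2414]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure",
    "Oct 22 02:37:17 server1 postfix/smtpd[9075]: warning: 88.247.7.123: hostname 88.247.7.123.static.ttnet.com.tr verification failed: No address associated with hostname",
    "Oct 22 02:43:02 server1 postfix/smtpd[9169]: warning: 89.36.168.98: hostname dyn-168.98.sovata.digicomm.ro verification failed: No address associated with hostname",
    "Oct 22 22:31:50 server1 postfix/smtpd[2920]: NOQUEUE: reject: RCPT from 223-93-16-190.fibertel.com.ar[190.16.93.223]: 550 5.1.1 <someone@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.net> to=<someone@example.com>",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line[:70])
    print(hosts_to_ban(failures_per_host(SAMPLE_LOG)))
```

Run it and the four SASL lines count against 116.12.154.18 in the `sasl` jail, the two hostname warnings classify as `None` (no jail would ever ban them), and the reject is only caught because of the extra filter. That is the check to do before enabling a jail: confirm the failregex actually matches the lines you are worried about, and that the jail is reading the file those lines go to (`logpath`).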
     
  8. sergio.morales

    sergio.morales New Member

    Ahh . . I love this . . .

    I think I may have found something . . .
    Could this be my problem?

    2013-10-22 22:57:18,796 fail2ban.actions.action: ERROR iptables -N fail2ban-apache-overflows
    iptables -A fail2ban-apache-overflows -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-overflows returned 200
    2013-10-22 22:57:18,829 fail2ban.jail : INFO Jail 'apache' started
    2013-10-22 22:57:18,870 fail2ban.jail : INFO Jail 'pure-ftpd' started
    2013-10-22 22:57:18,888 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
    iptables -A fail2ban-postfix -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-postfix returned 200
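The two `fail2ban.actions.action: ERROR ... returned 200` entries above are worth more attention than the "Jail started" lines around them: fail2ban logs an action command together with its exit status when the command fails, and these are the jail start commands that create the `fail2ban-apache-overflows` and `fail2ban-postfix` chains and hook them into `INPUT`. If those chains were never created, later ban commands for those jails have nothing to insert into. The parser below is an added example (not from the thread and not fail2ban's own code) that reads fail2ban.log, stitches the multi-line commands back together, and lists which jails started and which action chains failed to set up; the sample log is the one pasted in this post.

```python
import re

# one fail2ban.log entry: timestamp, logger name (fail2ban.jail carries a space before
# the colon), level, message; continuation lines of a multi-line command have no timestamp
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<logger>\S+?)\s*: "
    r"(?P<level>[A-Z]+) (?P<msg>.*)$")
RETURNED_RE = re.compile(r" returned (?P<rc>\d+)\s*$")
NEW_CHAIN_RE = re.compile(r"iptables -N (?P<chain>\S+)")
JAIL_STARTED_RE = re.compile(r"Jail '(?P<jail>[^']+)' started")


def group_entries(lines):
    """Turn raw lines into entries, appending continuation lines to the preceding entry."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["msg"] += "\n" + line.strip()
    return entries


def failed_actions(lines):
    """(chain, exit_status) for every action command that fail2ban logged as ERROR."""
    failures = []
    for e in group_entries(lines):
        if e["logger"] != "fail2ban.actions.action" or e["level"] != "ERROR":
            continue
        chain = NEW_CHAIN_RE.search(e["msg"])
        rc = RETURNED_RE.search(e["msg"])
        failures.append((chain.group("chain") if chain else None,
                         int(rc.group("rc")) if rc else None))
    return failures


def started_jails(lines):
    """Names of jails whose 'Jail ... started' line is present."""
    jails = []
    for e in group_entries(lines):
        if e["logger"] != "fail2ban.jail":
            continue
        m = JAIL_STARTED_RE.search(e["msg"])
        if m:
            jails.append(m.group("jail"))
    return jails


def report(lines):
    """Summarise which jails started and which action chains failed to set up."""
    return {
        "started": started_jails(lines),
        "failed_chains": [chain for chain, rc in failed_actions(lines) if rc not in (None, 0)],
    }


# sample fail2ban.log fragment as pasted in the thread
SAMPLE_FAIL2BAN_LOG = """\
2013-10-22 22:57:18,796 fail2ban.actions.action: ERROR iptables -N fail2ban-apache-overflows
iptables -A fail2ban-apache-overflows -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-overflows returned 200
2013-10-22 22:57:18,829 fail2ban.jail : INFO Jail 'apache' started
2013-10-22 22:57:18,870 fail2ban.jail : INFO Jail 'pure-ftpd' started
2013-10-22 22:57:18,888 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-postfix returned 200
""".splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_FAIL2BAN_LOG))
```

On the box itself the follow-up is to run the logged command by hand as root to see the real error message, and to confirm with `iptables -S` (or `iptables -L -n`) that the `fail2ban-postfix` chain exists and that `INPUT` jumps to it; until it does, the postfix jail can count failures but cannot block anyone.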
     
