smtp attack

Discussion in 'Installation/Configuration' started by adrenalinic, Dec 27, 2012.

  1. adrenalinic

    adrenalinic Member HowtoForge Supporter

    Hi to all and happy new coming year!
    Since tonight I'm receiving continuous attacks (nearly 100) on my SMTP server; OSSEC does not notice them and so does not add the IP to the denyhosts file, and no attacker IP number appears in the log!

    Now I have disabled smtp and enabled smtps (master.cf):
    #smtp       inet  n  -  -  -     -  smtpd
    #submission inet  n  -  -  -     -  smtpd
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps       inet  n  -  -  -     -  smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628        inet  n  -  -  -     -  qmqpd
    pickup      fifo  n  -  -  60    1  pickup
    cleanup     unix  n  -  -  -     0  cleanup
    qmgr        fifo  n  -  n  300   1  qmgr
    #qmgr       fifo  n  -  -  300   1  oqmgr
    tlsmgr      unix  -  -  -  1000? 1  tlsmgr
    rewrite     unix  -  -  -  -     -  trivial-rewrite
    bounce      unix  -  -  -  -     0  bounce
    defer       unix  -  -  -  -     0  bounce
    trace       unix  -  -  -  -     0  bounce
    verify      unix  -  -  -  -     1  verify
    flush       unix  n  -  -  1000? 0  flush
    proxymap    unix  -  -  n  -     -  proxymap
    proxywrite  unix  -  -  n  -     1  proxymap
    smtp        unix  -  -  -  -     -  smtp

    ----------------------------

    Attack log:

    DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
    Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]



    How can I solve this situation? Why doesn't the log report the remote address with the ISPConfig perfect configuration?

    Thanks to all for your attention.
    Best regards.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The above lines are from saslauthd, there must be lines from postfix as well and they contain the IP address of the attacker.
     
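As an added illustration of the point above (example code written for this page, not from the thread, ISPConfig or OSSEC): the saslauthd lines never carry a client address, but the matching postfix/smtpd warnings do, in host[ip] form, so per-IP failure counts have to be built from those lines. The log excerpt and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the thread). The saslauthd line has no
# client address; the postfix/smtpd warnings for the same attempts do.
SAMPLE_LOG = """\
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 postfix/smtpd[6130]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:36 lvps83 postfix/smtpd[6130]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:37 lvps83 postfix/smtpd[6131]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Dec 27 03:50:38 lvps83 postfix/smtpd[6130]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:39 lvps83 postfix/smtpd[6132]: connect from unknown[203.0.113.5]
"""

# Matches the postfix/smtpd SASL failure warning; the client address sits in the brackets
# after the (possibly unresolved, "unknown") reverse hostname.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)


def sasl_failures_per_ip(log_text):
    """Count SASL authentication failures per client IP using postfix/smtpd lines only."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_over_threshold(log_text, threshold=3):
    """Addresses with at least `threshold` failures: the ones a denyhosts/OSSEC rule would act on."""
    return sorted(ip for ip, n in sasl_failures_per_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sasl_failures_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed SASL logins")
    print("over threshold:", ips_over_threshold(SAMPLE_LOG))
```

A rule that only watches saslauthd output (as in the first post) has nothing to key on; the postfix/smtpd lines are the ones to feed to the blocklist logic.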
  3. adrenalinic

    adrenalinic Member HowtoForge Supporter

    Hi, thanks.
    I have found them in /var/log/syslog.

    But the attack arrives from more than 10 source IP addresses; why does OSSEC not notice it and add the IP addresses to the denyhosts file?

    Thank you.
    Best regards.
     