Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


02-10-2010, 07:08 PM
John Hinton

saslauthd attack

I'm seeing a lot of activity over the last two days with what looks to
be a kiddie script. Mostly trying to access several of our servers with
the username anna. All failed... in fact I don't think we have a user
anna on any of our servers. Meanwhile...

I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
running fail2ban on some and Ossec on others. So far, no blocking is
being done. When I look at the logs all I find is under messages and
here is a sample:

Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

So, I can't write a rule to block this attack as I can't find any IP
address to block. I've looked and googled til my eyes are red and can't
find where to set logging in saslauthd or where ever it needs to be set
to record the IP address generating these failures. Does anyone have an
idea?

Also, some may wish to do a grep 'do_auth' on messages to see if this is
happening to you. They sometimes come in rapid succession.

John Hinton
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-10-2010, 10:22 PM
Lincoln Zuljewic Silva

saslauthd attack

I suppose that you are using SMTP authentication with SASL.

From the log "service=smtp"... so, in fact, the attack is coming from
the SMTP server and not directly to SASL.

I guess that someone is trying to do a brute force attack on the SMTP server.

Regards
Lincoln




--
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"
 
02-11-2010, 02:33 AM
John Hinton

saslauthd attack

Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.

The system is saslauthd running as a service... sendmail and dovecot
setup. I have log levels in sendmail set to 14. Something has to be able
to log the offender(s).

Any ideas what I'm missing or where to look?

John

 
02-11-2010, 02:48 AM
Clint Dilks

saslauthd attack

Perhaps you can use netstat to identify who is currently connected to
the machine. Then run it several times over a short period and block
the most likely culprits?


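The netstat check Clint describes, worked through as an added example that is not part of the thread: an awk filter over "netstat -tn" output that counts established connections to the local SMTP port per remote address, plus a wrapper that takes several snapshots a few seconds apart and merges them, so a client that reconnects for every login attempt accumulates a high count. The netstat output below is constructed with RFC 5737 test addresses; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise who is connected to the local
# SMTP port right now from "netstat -tn" output, so repeated snapshots reveal
# the address behind saslauthd failures that carry no IP of their own.

# Constructed sample of "netstat -tn" output using RFC 5737 test addresses.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 198.51.100.5:25             192.0.2.10:43211            ESTABLISHED
tcp        0      0 198.51.100.5:25             192.0.2.10:43300            ESTABLISHED
tcp        0      0 198.51.100.5:22             203.0.113.9:51022           ESTABLISHED
tcp        0      0 198.51.100.5:25             203.0.113.7:40110           TIME_WAIT
EOF
}

# smtp_peers [PORT] < netstat-output
# Counts ESTABLISHED connections to local PORT (default 25) per remote
# address and prints "count ip", busiest first.
smtp_peers() {
    port=${1:-25}
    awk -v port="$port" '
    $1 == "tcp" && $4 ~ (":" port "$") && $6 == "ESTABLISHED" {
        sub(/:[0-9]+$/, "", $5)          # strip the remote ephemeral port
        count[$5]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# smtp_peers_live SNAPSHOTS INTERVAL [PORT]
# Takes SNAPSHOTS netstat readings INTERVAL seconds apart and merges them;
# a brute-forcer that opens a fresh connection per attempt keeps showing up.
# Needs a live system, so it is not exercised by the sample data above.
smtp_peers_live() {
    i=0
    while [ "$i" -lt "$1" ]; do
        netstat -tn
        i=$((i + 1))
        [ "$i" -lt "$1" ] && sleep "$2"
    done | smtp_peers "${3:-25}"
}

sample_netstat | smtp_peers
```

On the sample this prints "2 192.0.2.10"; on a live box, "smtp_peers_live 10 3" gives a merged view over thirty seconds. A snapshot only shows connections that are open at that instant, which is why several of them are needed for an attacker that connects, fails and disconnects within a second or two.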
 
02-11-2010, 03:01 AM
Les Bell

saslauthd attack

John Hinton wrote:

>>
Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.
<<

I'd use iptables to log connections on that port and then time-correlate
with the log entries from saslauthd.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144


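Les Bell's suggestion of logging SMTP connections with iptables and time-correlating them with the saslauthd entries, together with John's "grep 'do_auth'" check from the first post, worked through as an added example that is not part of the thread. It assumes a LOG rule on port 25 with a made-up log prefix "SMTP_IN:", whose lines reach /var/log/messages through the kernel log facility alongside saslauthd's. The saslauthd lines in the sample are the ones John posted; the kernel lines are constructed with RFC 5737 test addresses, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): saslauthd's "do_auth : auth failure"
# lines carry no client address, so correlate them by timestamp with iptables
# LOG lines for new SMTP connections, which do carry SRC=.
# Assumed firewall rule producing those lines (hypothetical prefix SMTP_IN):
#   iptables -I INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP_IN: "

# Constructed sample of /var/log/messages: the saslauthd lines are the ones
# from the thread, the kernel SMTP_IN lines are made up (RFC 5737 addresses).
sample_messages() {
    cat <<'EOF'
Feb 10 05:23:05 neptune kernel: SMTP_IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=25 SYN
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:20 neptune kernel: SMTP_IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43300 DPT=25 SYN
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:50 neptune kernel: SMTP_IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40110 DPT=25 SYN
Feb 10 05:23:55 neptune kernel: SMTP_IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43377 DPT=25 SYN
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
EOF
}

# correlate_sasl_failures [WINDOW] < messages
# For every saslauthd failure, pick the most recent SMTP SYN logged at most
# WINDOW seconds earlier and charge the failure to that source address.
# Output: "count ip" lines, most frequent first.  Failures with no candidate
# connection in the window are counted on stderr as UNATTRIBUTED.
correlate_sasl_failures() {
    window=${1:-30}
    awk -v window="$window" '
    function ts(m, d, t,    h) {   # syslog timestamp -> seconds (single year assumed)
        split(t, h, ":")
        return (mon[m] * 31 + d) * 86400 + h[1] * 3600 + h[2] * 60 + h[3]
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    / kernel: SMTP_IN: / && / DPT=25 / {
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next
        n++; syn_t[n] = ts($1, $2, $3); syn_ip[n] = src
        next
    }
    /saslauthd\[[0-9]+\]: do_auth/ && /auth failure/ {
        t = ts($1, $2, $3); best = 0
        for (i = 1; i <= n; i++)
            if (syn_t[i] <= t && t - syn_t[i] <= window &&
                (best == 0 || syn_t[i] >= syn_t[best]))
                best = i
        if (best) hits[syn_ip[best]]++
        else unattributed++
    }
    END {
        for (ip in hits) print hits[ip], ip
        if (unattributed) print unattributed, "UNATTRIBUTED" > "/dev/stderr"
    }' | sort -rn
}

sample_messages | correlate_sasl_failures 30
```

On the sample this prints "3 192.0.2.10" and reports one failure (the 06:56:53 one, with no connection logged in the window) as unattributed. The heuristic charges each failure to the most recently opened connection, so when a legitimate client and the brute-forcer authenticate at the same moment it can pick the wrong one; treat the output as candidates to confirm, for instance against the MTA's own per-connection logging or a short packet capture, before handing an address to iptables or fail2ban.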
 
02-11-2010, 03:04 AM
John Hinton

saslauthd attack

I am running IPTraf and have one offender... not a problem to find the
address by hand, but I know these things grow. Years ago it was ssh...
they are still trying. Then FTP... then smtp... but I have not before
seen one like this where I can't find it logged... and I want to put
into place some automated scripts to deal with it immediately. As the
kiddie scripts seem to go, with time, there is a need to kill off such
things before you have 10,000 systems out there trying to authenticate
once every second or two.

It is dictionary as it has changed to alias from anna now. LOL!!! They
aren't going to get in... just wasting resources.

John

 
02-11-2010, 05:18 AM
kalinix

saslauthd attack

In my case the last one was on 19th of January, and came from an IP in China 118-167-9-72.dynamic.hinet.net [118.167.9.72]. Took it from /var/spool/maillog.

Actually I'm running Postfix with sasl, and the portion of maillog I was looking for was: SASL LOGIN authentication failed. Don't know how it will be on sendmail, though.

HTH,

Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=================================================

"Does it worry you that you don't talk any kind of sense? "
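Calin's point that the MTA's own log carries the client address, worked through as an added example that is not part of the thread: a pattern over Postfix-style "SASL ... authentication failed" lines that counts failures per address and emits firewall rules once a threshold is passed, which is the job fail2ban automates (fail2ban needs an address in the line its regex matches, which is why it did nothing on the saslauthd lines John posted). The maillog sample is constructed with RFC 5737 addresses; the pattern follows Postfix's wording, and since sendmail's AUTH failure lines are not shown on the page, the grep would need adapting for John's servers. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): when the MTA logs the SASL failure
# itself, as Postfix does, the client address is in maillog.  Count failures
# per address and emit block rules past a threshold, which is what fail2ban
# automates.  Pattern written for Postfix's wording; sendmail's AUTH failure
# lines differ and are not shown in the thread.

# Constructed sample of /var/log/maillog (Postfix smtpd), RFC 5737 addresses.
sample_maillog() {
    cat <<'EOF'
Jan 19 03:12:41 mx postfix/smtpd[4123]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan 19 03:12:44 mx postfix/smtpd[4123]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan 19 03:12:47 mx postfix/smtpd[4125]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jan 19 03:13:02 mx postfix/smtpd[4125]: warning: client.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 19 03:13:09 mx postfix/smtpd[4130]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan 19 03:13:15 mx postfix/smtpd[4130]: 2F1A4C0F1: client=client.example.net[203.0.113.7], sasl_method=LOGIN, sasl_username=anna
EOF
}

# sasl_failures_by_ip [THRESHOLD] < maillog
# Prints "count ip" for every address with at least THRESHOLD (default 3)
# SASL failures, most frequent first.  Successful logins are not matched.
sasl_failures_by_ip() {
    threshold=${1:-3}
    grep -E 'SASL [A-Z0-9-]+ authentication failed' \
    | grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' \
    | tr -d '[]' | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }' | sort -rn
}

# block_rules [THRESHOLD] < maillog
# Turns the offenders into iptables commands.  They are printed rather than
# executed so the list can be reviewed for false positives (a shared NAT
# address, a user with a stale client password) and then piped to sh.
block_rules() {
    sasl_failures_by_ip "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP  # %s failures\n' "$ip" "$count"
    done
}

sample_maillog | block_rules 3
```

On the sample, 192.0.2.10 has four failures and 203.0.113.7 one, so with the default threshold only the first is turned into a rule. A one-off DROP like this is not a timed ban; it stays until the rule is removed, which is the part fail2ban adds on top of the same match-and-count logic.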
 
02-11-2010, 09:33 AM
B.J. McClure

saslauthd attack


I use denyhosts which has worked well for me. I have two IPs which have
been under attack mostly on ssh, some on dovecot, periodically for the
last six weeks. Offending IPs are logged when blocked, but they just
switch IPs as well as login user names.

At least with denyhosts the IPs are readily available.

Cheers.
B.J.

CentOS 5.4, Linux 2.6.18-164.11.1.el5 athlon 05:24:40 up 9:38, 1 user,
load average: 0.33, 0.17, 0.19
