Re: [CentOS] saslauthd attack

2010-02-11 Thread B.J. McClure
On Wed, 2010-02-10 at 22:33 -0500, John Hinton wrote:
> Yes... most of them. Just the new PITA. Anyway... I still can't seem to
> figure out how to log the IP addresses for this attack.
>
> The system is saslauthd running as a service... sendmail and dovecot
> setup. I have log levels in sendma

Re: [CentOS] saslauthd attack

2010-02-10 Thread kalinix
On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:
> I'm seeing a lot of activity over the last two days with what looks to
> be a kiddie script. Mostly trying to access several of our servers with
> the username anna. All failed... in fact I don't think we have a user
> anna on any of our s

Re: [CentOS] saslauthd attack

2010-02-10 Thread John Hinton
I am running IPTraf and have one offender... not a problem to find the address by hand, but I know these things grow. Years ago it was ssh... they are still trying. Then FTP... then smtp... but I have not before seen one like this where I can't find it logged... and I want to put into place som

Re: [CentOS] saslauthd attack

2010-02-10 Thread Les Bell
John Hinton wrote: >> Yes... most of them. Just the new PITA. Anyway... I still can't seem to figure out how to log the IP addresses for this attack. << I'd use iptables to log connections on that port and then time-correlate with the log entries from saslauthd. Best, --- Les Bell [http://www.

Re: [CentOS] saslauthd attack

2010-02-10 Thread Clint Dilks
Perhaps you can use netstat to identify who is currently connected to the machine. Then run it several times over a short period and block the most likely culprits?

John Hinton wrote:
> Yes... most of them. Just the new PITA. Anyway... I still can't seem to
> figure out how to log the IP add

Re: [CentOS] saslauthd attack

2010-02-10 Thread John Hinton
Yes... most of them. Just the new PITA. Anyway... I still can't seem to figure out how to log the IP addresses for this attack. The system is saslauthd running as a service... sendmail and dovecot setup. I have log levels in sendmail set to 14. Something has to be able to log the offender(s).

Re: [CentOS] saslauthd attack

2010-02-10 Thread Lincoln Zuljewic Silva
I suppose that you are using SMTP authentication with SASL. From the log "service=smtp"... so, in fact, the attack is coming from the SMTP server and not directly to the SASL. I guess that someone is trying to do a brute force attack on the SMTP server. Regards Lincoln On Wed, Feb 10, 2010 at 6: