How do I find the source IP of failed SASL authentication attempts?
Hello..
I am getting about 20-30 failed attempts every day but I am having a hard time finding the source IP..
the secure log shows:
SASL Authentications failed 22 Time(s)
Service smtp (shadow) - 22 Time(s):
Realm - 22 Time(s):
User: bane - Unknown - 21 Time(s):
User: webmaster - Unknown - 1 Time(s):
**Unmatched Entries**
do_request : NULL password received
I looked in the maillog, messages, secure log but I did not see anything related to it. Is there a separate log that I should be looking at?
I'm fairly new with Linux and started reading the Sticky but I want to get this blocked asap.
Maybe check the Logwatch docs for more of an explanation about the logs that it's checking. A SASL Authentication failure doesn't necessarily sound like a problem - it might just mean someone tried to connect to your mail server without using TLS or SSL and was turned away. This may or may not cause a noticeable error message in the log.
I think the trick would be to try and read the LogWatch docs or maybe they have a forum or something. Find out what those messages refer to. I've had a server up for a couple of years and get hundreds of failed logins and connection attempts. It just sort of comes with the territory.
yeah well they were up to something weren't they? (from auth.log)
Code:
Oct 17 00:40:21 northstar saslauthd[3746]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3746]: do_auth : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3747]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3747]: do_auth : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3748]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3748]: do_auth : auth failure: [user=password] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3744]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3744]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:23 northstar saslauthd[3749]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:23 northstar saslauthd[3749]: do_auth : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
I understand that people hack my ftp and such every 5 minutes, but there is an IP log so that I can block them. I guess the underlying question to this series of posts is where do I find who this fucker is so that I can kline his /24
Last edited by itslinuxiknowthis; 10-24-2007 at 12:31 AM.
It looks to me like he's trying a dictionary attack but has the password value in the username field. Your mail program might have a config that lets you write IP to the log. Or maybe saslauthd does. I'm not sure which program you would check for that.
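One way to get from the saslauthd lines above to a source address, as an added example that is not from this thread or from saslauthd itself: saslauthd is only handed a username and password by the MTA and never sees the TCP peer, so the IP has to come from the MTA's own log and be joined on the syslog timestamp. The script assumes the MTA is Postfix and that its smtpd writes "warning: host[ip]: SASL LOGIN authentication failed" lines to maillog; that format and the sample IP are assumptions, while the saslauthd lines are copied from the post.

```python
import re
from collections import Counter, defaultdict

# saslauthd failure line, format exactly as in the thread's auth.log excerpt.
SASL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth : auth failure: \[user=(?P<user>[^\]]*)\]"
)
# ASSUMPTION: the MTA is Postfix; its smtpd logs the peer address on failure, e.g.
#   Oct 17 00:40:21 host postfix/smtpd[99]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ...
# Another MTA carries the address in its own format; only this regex needs changing.
MTA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+?\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)
UNKNOWN = "<no MTA line at that second>"

def parse_sasl_failures(lines):
    """(timestamp, attempted user) for every saslauthd auth-failure line."""
    return [(m.group("ts"), m.group("user")) for m in map(SASL_RE.match, lines) if m]

def correlate(sasl_lines, mta_lines):
    """Join saslauthd failures to MTA failure lines by timestamp (one-second
    granularity) to recover the client IP saslauthd never logs."""
    ips_at = defaultdict(set)
    for m in map(MTA_RE.match, mta_lines):
        if m:
            ips_at[m.group("ts")].add(m.group("ip"))
    hits = Counter()
    for ts, user in parse_sasl_failures(sasl_lines):
        for ip in ips_at.get(ts) or {UNKNOWN}:
            hits[(ip, user)] += 1
    return hits

def per_source(hits):
    """Failures per IP, busiest first: the list to feed into a firewall rule."""
    totals = Counter()
    for (ip, _user), n in hits.items():
        totals[ip] += n
    return totals.most_common()

# Constructed sample: saslauthd lines from the thread, Postfix lines invented for it.
SASL_SAMPLE = [
    "Oct 17 00:40:21 northstar saslauthd[3746]: do_auth : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct 17 00:40:21 northstar saslauthd[3747]: do_auth : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct 17 00:40:23 northstar saslauthd[3749]: do_auth : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct 17 00:41:05 northstar saslauthd[3750]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
]
MTA_SAMPLE = [
    "Oct 17 00:40:21 northstar postfix/smtpd[3101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Oct 17 00:40:23 northstar postfix/smtpd[3101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    for ip, n in per_source(correlate(SASL_SAMPLE, MTA_SAMPLE)):
        print(f"{n:4d} failures from {ip}")
```

A failure that has no MTA line at the same second is reported under the UNKNOWN marker rather than guessed, which is what the original poster's logs would show until the MTA is configured to log SASL failures at all.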
I use ProFTP with both anonymous and secure accounts. The anonymous does bring the hackers. I use ProFTP logging that captures the IP address.
When I see the IP address, I add a route that sends his outgoing packets to an address that doesn't exist. Problem solved. It is somewhat manual, but totally effective. Basically, a route from his host IP to la-la land.