07-18-2007, 09:26 AM | #1 | LQ Newbie | Registered: Jul 2007 | Posts: 1
How do I find the source IP of failed SASL authentication attempts?
Hello..
I am getting about 20-30 failed attempts every day, but I am having a hard time finding the source IP.
The secure log shows:
Code:
SASL Authentications failed 22 Time(s)
Service smtp (shadow) - 22 Time(s):
Realm - 22 Time(s):
User: bane - Unknown - 21 Time(s):
User: webmaster - Unknown - 1 Time(s):
**Unmatched Entries**
do_request : NULL password received
I looked in the maillog, messages, and secure logs, but I did not see anything related to it. Is there a separate log that I should be looking at?
I'm fairly new to Linux and have started reading the sticky, but I want to get this blocked ASAP.
10-18-2007, 06:14 PM | #2 | LQ Newbie | Registered: Oct 2007 | Posts: 4
Bump
I am having the exact same issue. Can anyone provide any help with this? Are there leet hax0rs on my machine? If not, how do I find their IP???
10-21-2007, 06:09 PM | #3 | Member | Registered: Dec 2004 | Posts: 743
Where is that report coming from?
10-22-2007, 06:11 PM | #4 | LQ Newbie | Registered: Oct 2007 | Posts: 4
Logwatch.
These characters bring the post to over 10 characters.
10-22-2007, 06:37 PM | #5 | Member | Registered: Dec 2004 | Posts: 743
Maybe check the Logwatch docs for more of an explanation about the logs that it's checking. A SASL authentication failure doesn't necessarily sound like a problem - it might just mean someone tried to connect to your mail server without using TLS or SSL and was turned away. This may or may not cause a noticeable error message in the log.
I think the trick would be to try to read the Logwatch docs, or maybe they have a forum or something. Find out what those messages refer to. I've had a server up for a couple of years and get hundreds of failed logins and connection attempts. It just sort of comes with the territory.
10-24-2007, 12:28 AM | #6 | LQ Newbie | Registered: Oct 2007 | Posts: 4
Yeah, well, they were up to something, weren't they? (From auth.log.)
Code:
Oct 17 00:40:21 northstar saslauthd[3746]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3746]: do_auth : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3747]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3747]: do_auth : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3748]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3748]: do_auth : auth failure: [user=password] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3744]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3744]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:23 northstar saslauthd[3749]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:23 northstar saslauthd[3749]: do_auth : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
I understand that people hack my FTP and such every 5 minutes, but there is an IP log so that I can block them. I guess the underlying question to this series of posts is: where do I find who this fucker is so that I can kline his /24?
Last edited by itslinuxiknowthis; 10-24-2007 at 12:31 AM.
10-24-2007, 02:24 PM | #7 | Member | Registered: Dec 2004 | Posts: 743
It looks to me like he's trying a dictionary attack but has the password value in the username field. Your mail program might have a config option that lets you write the IP to the log. Or maybe saslauthd does. I'm not sure which program you would check for that.
10-24-2007, 04:22 PM | #8 | LQ Newbie | Registered: Oct 2007 | Distribution: Red Hat ES 4 | Posts: 10
I use ProFTP with both anonymous and secure accounts. The anonymous one does bring the hackers. I use ProFTP logging that captures the IP address.
When I see the IP address, I add a route that sends his outgoing packets to an address that doesn't exist. Problem solved. It is somewhat manual, but totally effective. Basically, a route from his host IP to la-la land.
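An added example, not from the thread or any of its posters, that does on the defender's side what posts #7 and #8 describe: saslauthd only records the username it was asked to check, never the client's address, so the IP has to come from the mail server's own log lines. The script below parses saslauthd failures in the exact format shown in post #6, matches each one to the nearest SMTP-server authentication-failure line by timestamp, counts failures per source address, and emits blackhole routes for repeat offenders, which is the iproute2 form of the "route to la-la land" in post #8. The sample log is constructed; the `postfix/smtpd` lines and the two-second matching window are assumptions, since the thread never names the MTA sitting in front of saslauthd.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. The saslauthd lines copy the format shown in the
# thread; the "postfix/smtpd" lines are an assumption about which MTA is in
# front of saslauthd (the thread never names it) and use Postfix's wording
# for a failed SASL login. All addresses are from documentation ranges.
SAMPLE_LOG = """\
Oct 17 00:40:20 northstar postfix/smtpd[3700]: connect from unknown[203.0.113.5]
Oct 17 00:40:21 northstar saslauthd[3746]: do_auth : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar postfix/smtpd[3700]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct 17 00:40:21 northstar saslauthd[3747]: do_auth : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar postfix/smtpd[3700]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct 17 00:40:23 northstar saslauthd[3749]: do_auth : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:23 northstar postfix/smtpd[3701]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct 17 00:41:05 northstar postfix/smtpd[3702]: connect from mail.example.net[192.0.2.10]
Oct 17 00:41:06 northstar saslauthd[3750]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:41:06 northstar postfix/smtpd[3702]: warning: mail.example.net[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# saslauthd's own failure line: it records the user, never the client address.
SASLAUTHD_RE = re.compile(
    SYSLOG_TS + r" \S+ saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\]"
)
# The MTA's failure line is the one that carries the source IP (Postfix wording assumed).
SMTPD_RE = re.compile(
    SYSLOG_TS + r" \S+ \S+/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; only ordering and differences matter here
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_saslauthd_failures(text):
    """Return [(timestamp, user)] for every saslauthd do_auth failure."""
    return [(_parse_ts(m["ts"]), m["user"]) for m in map(SASLAUTHD_RE.match, text.splitlines()) if m]


def parse_smtpd_failures(text):
    """Return [(timestamp, ip)] for every SMTP-server SASL authentication failure."""
    return [(_parse_ts(m["ts"]), m["ip"]) for m in map(SMTPD_RE.match, text.splitlines()) if m]


def attribute_failures(text, window_seconds=2):
    """Map each saslauthd failure to the source IP of the MTA failure nearest in time.

    Returns {user: Counter(ip)}. The window is an assumption: saslauthd and smtpd
    log the same event within a second or two of each other on the same host.
    """
    smtpd = parse_smtpd_failures(text)
    attributed = defaultdict(Counter)
    for ts, user in parse_saslauthd_failures(text):
        nearby = [(abs((t - ts).total_seconds()), ip) for t, ip in smtpd]
        nearby = [c for c in nearby if c[0] <= window_seconds]
        if nearby:
            attributed[user][min(nearby)[1]] += 1
    return attributed


def failures_per_ip(text):
    """Count SASL failures by client address straight from the MTA's lines."""
    return Counter(ip for _, ip in parse_smtpd_failures(text))


def blackhole_commands(counts, threshold):
    """Blackhole-route commands for addresses at or above the failure threshold.

    A blackhole route discards packets to that host without needing a fake
    next hop; it is the iproute2 form of the "route to la-la land" in post #8.
    """
    return [f"ip route add blackhole {ip}/32" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for user, ips in attribute_failures(SAMPLE_LOG).items():
        print(f"user={user!r} tried from {dict(ips)}")
    for cmd in blackhole_commands(failures_per_ip(SAMPLE_LOG), threshold=2):
        print(cmd)
```

The wording of the MTA's failure line differs between mail servers, so `SMTPD_RE` is the part to adapt; if your MTA does not log failed SASL logins with the client address at all, that is the setting post #7 suggests looking for, and without it saslauthd's own lines cannot be tied to a source. The generated commands are printed rather than run so they can be reviewed before anything is blackholed.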