LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-28-2016, 11:43 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Rep: Reputation: Disabled
Preventing postfix from being hacked


I am getting thousands of messages similar to those below in /var/log/maillog. Looks like someone is trying to hack me, but I am not sure. What do you think is happening? What could I do to figure it out, and if a hack, what can I do to prevent it?

Code:
Oct 28 09:33:08 devserver postfix/error[11544]: D1D4920105A: to=<fail2ban@example.com>, relay=none, delay=0.09, delays=0.06/0/0/0.04, dsn=4.7.8, status=deferred (delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials h9sm5513927paw.18 - gsmtp)
Oct 28 09:33:11 devserver postfix/smtp[11506]: 52CB9200538: SASL authentication failed; server smtp.gmail.com[173.194.202.108] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials a78sm20048591pfj.44 - gsmtp
Oct 28 09:33:12 devserver postfix/smtp[11506]: 52CB9200538: to=<you@example.com>, relay=smtp.gmail.com[173.194.202.109]:587, delay=47066, delays=47061/0.1/5.8/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[173.194.202.109] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8  https://support.google.com/mail/?p=BadCredentials g27sm4254884pfj.46 - gsmtp)
 
Old 10-29-2016, 09:40 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,655

Rep: Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406Reputation: 2406
You have put up very little information.
On the snippet you provided, It looks like someone is using your box as a relay. Now I know next to nothing about your server, and I suspect you may have the same problem.
Things you can do are: Restrict who can send mail, change passwords to secure ones; increase logging of everything to debug level; update any programs that are running; and go to town tightening up on permissions; make sure nobody can send mail except who you want.

Then you can sort out who the (expletive deleted) is sending these barrages of mail and nobble their account, if they're a user. Act smartly or you'll find yourself on spamhaus.org and your legit email will be bounced.
 
Old 10-30-2016, 07:44 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Thank you Business Kid for your reply.

Sorry, I know I didn't give you much, but didn't know where to start. Good news is no one is using my email server. Bad news is I am getting thousands of SSH break in attempts. Looked at some of the emails, and they are generated by failtoban trying to send out an email, but I must not have configured something correctly.



Code:
*** ENVELOPE RECORDS maildrop/32BED200349 ***
message_arrival_time: Sun Oct 30 05:31:07 2016
named_attribute: rewrite_context=local
sender_fullname: root
sender: fail2ban@example.com
recipient: you@example.com
*** MESSAGE CONTENTS maildrop/32BED200349 ***
regular_text: Subject: [Fail2Ban] SSH: banned 221.229.172.71 from devserver.michaels.lan
regular_text: Date: Sun, 30 Oct 2016 05:31:07 -0700
regular_text: From: Fail2Ban <fail2ban@example.com>
regular_text: To: you@example.com
regular_text:
regular_text: Hi,
regular_text:
regular_text: The IP 221.229.172.71 has just been banned by Fail2Ban after
regular_text: 5 attempts against SSH.
regular_text:
regular_text:
regular_text: Here is more information about 221.229.172.71 :
regular_text:
regular_text: missing whois program
regular_text:
regular_text: Regards,
regular_text:
unterminated_text: Fail2Ban
*** HEADER EXTRACTED maildrop/32BED200349 ***
*** MESSAGE FILE END maildrop/32BED200349 ***
[root@devserver ~]#
 
Old 10-30-2016, 06:01 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Check your ssh jail for directives such as
Code:
sendmail-whois
and/or
Code:
sendmail-whois-lines
where sender=fail2ban@example.com]

You customized your ssh jail, yes? The name is non-standard/default.

Rem those out.
bounce fail2ban.
Check for mail "noise"
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Hacked postfix.. bzzika Linux - Security 2 02-19-2012 05:21 AM
[SOLVED] Postfix -- hacked?? bulls_i3 Linux - Security 6 10-24-2010 09:43 AM
preventing postfix from listening on port 25 tklima Linux - Server 5 08-30-2010 12:06 PM
Preventing Backscatter with Postfix SteveJenkins Linux - Server 6 08-30-2010 05:50 AM
Is my Postfix got hacked? How to check? woranl Linux - Security 6 07-26-2005 04:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration