LinuxQuestions.org
Old 07-18-2007, 09:26 AM   #1
sunhak
LQ Newbie
 
Registered: Jul 2007
Posts: 1

Rep: Reputation: 0
How do I find the source IP of failed SASL authentication attempts?


Hello.
I am getting about 20-30 failed attempts every day but I am having a hard time finding the source IP.
The secure log shows:
SASL Authentications failed 22 Time(s)
Service smtp (shadow) - 22 Time(s):
Realm - 22 Time(s):
User: bane - Unknown - 21 Time(s):
User: webmaster - Unknown - 1 Time(s):


**Unmatched Entries**

do_request : NULL password received

I looked in the maillog, messages, secure log but I did not see anything related to it. Is there a separate log that I should be looking at?
I'm fairly new with Linux and started reading the Sticky but I want to get this blocked asap.
 
Old 10-18-2007, 06:14 PM   #2
itslinuxiknowthis
LQ Newbie
 
Registered: Oct 2007
Posts: 4

Rep: Reputation: 0
Bump

I am having the exact same issue. Can anyone provide any help with this? Are there leet hax0rs on my machine? If not, how do I find their IP?
 
Old 10-21-2007, 06:09 PM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 762

Rep: Reputation: 48
Where is that report coming from?
 
Old 10-22-2007, 06:11 PM   #4
itslinuxiknowthis
LQ Newbie
 
Registered: Oct 2007
Posts: 4

Rep: Reputation: 0
Logwatch.


these characters bring the post to over 10 characters
 
Old 10-22-2007, 06:37 PM   #5
sneakyimp
Member
 
Registered: Dec 2004
Posts: 762

Rep: Reputation: 48
Maybe check the Logwatch docs for more of an explanation about the logs that it's checking. A SASL Authentication failure doesn't necessarily sound like a problem - it might just mean someone tried to connect to your mail server without using TLS or SSL and was turned away. This may or may not cause a noticeable error message in the log.

I think the trick would be to try and read the LogWatch docs, or maybe they have a forum or something. Find out what those messages refer to. I've had a server up for a couple of years and get hundreds of failed logins and connection attempts. It just sort of comes with the territory.
 
Old 10-24-2007, 12:28 AM   #6
itslinuxiknowthis
LQ Newbie
 
Registered: Oct 2007
Posts: 4

Rep: Reputation: 0
Yeah, well, they were up to something, weren't they? (from auth.log)

Code:
Oct 17 00:40:21 northstar saslauthd[3746]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3746]: do_auth         : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3747]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3747]: do_auth         : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3748]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3748]: do_auth         : auth failure: [user=password] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar saslauthd[3744]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:21 northstar saslauthd[3744]: do_auth         : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:23 northstar saslauthd[3749]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Oct 17 00:40:23 northstar saslauthd[3749]: do_auth         : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
I understand that people hack my ftp and such every 5 minutes, but there is an IP log so that I can block them. I guess the underlying question to this series of posts is where do I find who this fucker is so that I can kline his /24.

Last edited by itslinuxiknowthis; 10-24-2007 at 12:31 AM.
 
Old 10-24-2007, 02:24 PM   #7
sneakyimp
Member
 
Registered: Dec 2004
Posts: 762

Rep: Reputation: 48
It looks to me like he's trying a dictionary attack but has the password value in the username field. Your mail program might have a config that lets you write IP to the log. Or maybe saslauthd does. I'm not sure which program you would check for that.
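An added example (not code from any poster) of the correlation sneakyimp hints at: saslauthd only logs the username it was asked to check, so the peer address has to come from the MTA's own log line for the same connection. It assumes the MTA is Postfix, whose smtpd logs a "SASL ... authentication failed" warning that includes the client address (the thread never names the MTA); the log lines below are constructed in the formats quoted in post #6 and assumed for Postfix.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# saslauthd failure line in the format quoted in post #6; it carries no client IP.
SASL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: do_auth\s*: '
    r'auth failure: \[user=(?P<user>[^\]]*)\]')
# ASSUMED Postfix smtpd format: the MTA, not saslauthd, sees the peer and logs its IP.
SMTPD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: '
    r'\S+\[(?P<ip>[0-9a-f.:]+)\]: SASL \w+ authentication failed', re.I)

def _ts(s):
    # syslog timestamps have no year; a fixed year is fine for deltas within one log.
    return datetime.strptime('2007 ' + s, '%Y %b %d %H:%M:%S')

def correlate(lines, window=2):
    """Attribute each saslauthd failure to the smtpd SASL failure logged closest
    in time (within `window` seconds). Returns {ip: Counter({user: n})}."""
    smtpd, sasl = [], []
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            smtpd.append((_ts(m['ts']), m['ip']))
            continue
        m = SASL_RE.match(line)
        if m:
            sasl.append((_ts(m['ts']), m['user']))
    hits = defaultdict(Counter)
    for t, user in sasl:
        near = [(abs((t - st).total_seconds()), ip) for st, ip in smtpd]
        near = [x for x in near if x[0] <= window]
        # failures with no MTA line nearby stay visible instead of being dropped
        hits[min(near)[1] if near else 'unattributed'][user] += 1
    return hits

def offenders(hits, threshold=3):
    """(count, ip) pairs with at least `threshold` failures, worst first; this is
    the list to feed a firewall or blackhole route, not a guess from saslauthd alone."""
    return sorted(((sum(c.values()), ip) for ip, c in hits.items()
                   if ip != 'unattributed' and sum(c.values()) >= threshold), reverse=True)

# Constructed sample: saslauthd lines as in post #6, interleaved with assumed smtpd lines.
SAMPLE = """\
Oct 17 00:40:21 northstar saslauthd[3746]: do_auth         : auth failure: [user=abc123] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar postfix/smtpd[3800]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 17 00:40:21 northstar saslauthd[3747]: do_auth         : auth failure: [user=passwd] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:21 northstar postfix/smtpd[3800]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 17 00:40:23 northstar saslauthd[3749]: do_auth         : auth failure: [user=newpass] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct 17 00:40:23 northstar postfix/smtpd[3801]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Oct 17 00:40:40 northstar saslauthd[3750]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
""".splitlines()
```

Run it over the real auth.log and mail log concatenated (`correlate(open(path))`); anything landing in `unattributed` means the MTA line is missing or in a different format and the regex needs adjusting before any blocking decision is made.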
 
Old 10-24-2007, 04:22 PM   #8
LoneGunman
LQ Newbie
 
Registered: Oct 2007
Distribution: Red Hat ES 4
Posts: 10

Rep: Reputation: 0
I use ProFTP with both anonymous and secure accounts. The anonymous does bring the hackers. I use ProFTP logging that captures the IP address. When I see the IP address, I add a route that sends his outgoing packets to an address that doesn't exist. Problem solved. It is somewhat manual, but totally effective. Basically, a route from his host IP to a route to la-la land.
 