Where are saslauthd auth failure messages coming from?
I've got a bunch of messages in my /var/log/messages file like:
Code:
Feb 17 00:06:24 mail saslauthd[1472]: do_auth : auth failure: [user=office] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
postfix?
Not running postfix, running sendmail. Sendmail does use saslauth:
Code:
# File: /etc/sasl2/Sendmail.conf

It's not really clear from the error message that sendmail is causing this, except I suppose that could be extrapolated from the "[service=smtp]" bit in the message. But, if sendmail, my real question is what is causing sendmail to do this? It is apparently doing auth requests for numerous bogus users (I have 2660 such errors for 581 different user IDs logged in the past 30 days). These failures are not showing in /var/log/maillog and there is no indication from which IP they are originating. If they are accessing through port 25 I would think there would be something in maillog. I'd like to find the IP of these would-be hackers.
Maybe it's local?
Surely, ohprs.org is a clue? Or Ohio Highway Patrol Retirement System. Ya, I'd be digging...
Code:
zgrep ohprs.org /var/log/messages*

You could pastebin it and toss us the link? It shouldn't be too sensitive, and you should expire it short term, JIC. If it is not clean, or you aren't totally okay with it, don't. Thanks.
ohprs.org is our domain, this is the Ohio Highway Patrol Retirement System. I am subscribed with mxtoolbox.com which provides a similar service to your suggested mailradar.com.
Here's a possibility ... In digging into the logfiles I noticed a one-to-one timestamp correlation between the saslauthd messages in /var/log/messages and messages in /var/log/maillog. For example, for the message shown in my OP in /var/log/messages posted at Feb 17 00:06:24, I have a time-corresponding message in /var/log/maillog:
Code:
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [94.102.56.181] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Code:
Feb 13 02:44:23 mail sm-mta[28228]: v1D7iHdr028228: [222.110.153.146]: possible SMTP attack: command=AUTH, count=5

If what I'm observing is correct, these saslauthd failures do ultimately make it to maillog, but there is no obvious correlation between the log events, other than this not-always-one-to-one timestamp correlation. What do you think?
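The timestamp correlation described in the post above, carried out as a script. This is an added example and not code from anyone in the thread. It assumes a year (2017) because syslog timestamps carry none, a tolerance window of a few seconds around each saslauthd failure (the poster observed that the match is not always exactly one-to-one), and it runs over constructed sample lines modelled on the two quoted entries; apart from the quoted 94.102.56.181, every IP below is made up. Only sm-mta lines that contain a bracketed client IP are used as candidates, which is what lets a saslauthd failure (which never logs the peer address) be tied back to a remote host.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample /var/log/messages content (modelled on the quoted entry).
MESSAGES = """\
Feb 17 00:06:24 mail saslauthd[1472]: do_auth : auth failure: [user=office] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 00:06:25 mail saslauthd[1472]: do_auth : auth failure: [user=admin] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 00:06:25 mail saslauthd[1472]: do_auth : auth failure: [user=test] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 03:12:01 mail saslauthd[1472]: do_auth : auth failure: [user=sales] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 09:00:00 mail sshd[2000]: Accepted publickey for bob from 10.0.0.5 port 5000 ssh2
"""

# Constructed sample /var/log/maillog content (203.0.113.9 and 198.51.100.7 are
# documentation addresses, not real hosts from the thread).
MAILLOG = """\
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [94.102.56.181] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 00:06:26 mail sm-mta[31593]: v1H56NAR031593: [94.102.56.181]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:12:03 mail sm-mta[31700]: v1H8C1AB031700: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 09:00:05 mail sm-mta[31800]: v1HE05CD031800: from=<alice@example.com>, size=1234, class=0, nrcpts=1, relay=mail.example.com [198.51.100.7]
"""

# Syslog prefix: "Mon DD HH:MM:SS"; the day may be space-padded ("Feb  7").
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
# saslauthd failure line; only the user and service fields are extracted.
SASL_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]")
# sendmail (sm-mta) line carrying a queue ID and a bracketed client IPv4 address.
SMTP_IP = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): .*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_ts(line, year):
    """Parse the syslog timestamp; the year is an assumption supplied by the caller."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                             "%Y %b %d %H:%M:%S")


def correlate(messages, maillog, year=2017, window=timedelta(seconds=5)):
    """For each saslauthd failure, list client IPs seen by sm-mta within +/- window.

    Returns a list of (failure_time, user, sorted_candidate_ips)."""
    smtp_events = []
    for line in maillog.splitlines():
        ts = parse_ts(line, year)
        m = SMTP_IP.search(line)
        if ts and m:
            smtp_events.append((ts, m["ip"]))

    results = []
    for line in messages.splitlines():
        ts = parse_ts(line, year)
        m = SASL_FAIL.search(line)
        if not (ts and m):
            continue  # not a saslauthd failure (e.g. the sshd line above)
        ips = sorted({ip for ets, ip in smtp_events if abs(ets - ts) <= window})
        results.append((ts, m["user"], ips))
    return results


def suspect_ips(results):
    """Count how many saslauthd failures each candidate IP was time-adjacent to."""
    counts = Counter()
    for _, _, ips in results:
        counts.update(ips)
    return counts


if __name__ == "__main__":
    matched = correlate(MESSAGES, MAILLOG)
    for ts, user, ips in matched:
        print(f"{ts:%b %d %H:%M:%S} user={user:<8} candidates={ips or '(none)'}")
    print("\nfailures per candidate IP:")
    for ip, n in suspect_ips(matched).most_common():
        print(f"  {ip:<16} {n}")
```

On the sample data the three failures at 00:06:24-25 all resolve to 94.102.56.181 and the 03:12:01 failure to 203.0.113.9, while the legitimate relay at 09:00:05 is never blamed because no saslauthd failure sits near it. The "possible SMTP attack: command=AUTH, count=N" entries that sendmail writes (the Feb 13 line quoted above is one) already name the client, so they are the quickest thing to grep for; the correlation is useful for the failures that arrive before sendmail reaches that threshold.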