LinuxQuestions.org
Old 02-16-2017, 11:15 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Rep: Reputation: 177
Where are saslauthd auth failure messages coming from?


I've got a bunch of messages in my /var/log/messages file like:
Code:
Feb 17 00:06:24 mail saslauthd[1472]: do_auth         : auth failure: [user=office] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
What is creating these messages? Yes, I know saslauthd is, but what is calling saslauthd to do this? Something is trying a lot of different user names. This is a security concern.
 
Old 02-17-2017, 05:13 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
postfix?
 
Old 02-17-2017, 06:21 AM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Rep: Reputation: 177
Not running postfix, running sendmail. Sendmail does use saslauthd:
Code:
# File: /etc/sasl2/Sendmail.conf
pwcheck_method: saslauthd 
mech_list: EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
saslauthd is started at boot as `/usr/sbin/saslauthd -a shadow`

It's not really clear from the error message that sendmail is causing this, except I suppose that could be extrapolated from the "[service=smtp]" bit in the message.

But, if sendmail, my real question is what is causing sendmail to do this? It is apparently doing auth requests for numerous bogus users (I have 2660 such errors for 581 different user IDs logged in the past 30 days). These failures are not showing in /var/log/maillog and there is no indication from which IP they are originating. If they are accessing through port 25 I would think there would be something in maillog.

I'd like to find the IP of these would-be hackers.
 
Old 02-17-2017, 07:39 AM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Maybe it's local?

Surely, ohprs.org is a clue?
Or
Ohio Highway Patrol Retirement System

Ya, I'd be digging...
Code:
zgrep ohprs.org /var/log/messages*
and if that doesn't show anything obvious (subjective, I know),
you could pastebin it and toss us the link?
It shouldn't be too sensitive and you should expire it short term, JIC
If it is not clean, or you aren't totally okay with it. Don't.

Thanks.

Last edited by Habitual; 02-17-2017 at 07:50 AM.
 
Old 02-17-2017, 07:52 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
http://www.mailradar.com/openrelay/

result?
 
Old 02-17-2017, 11:12 AM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Rep: Reputation: 177
ohprs.org is our domain; this is the Ohio Highway Patrol Retirement System. I am subscribed with mxtoolbox.com, which provides a similar service to your suggested mailradar.com.

Here's a possibility ...

In digging into the logfiles I noticed a one-to-one timestamp correlation between the saslauthd messages in /var/log/messages and messages in /var/log/maillog. For example, for the message shown in my OP in /var/log/messages posted at Feb 17 00:06:24, I have a time-corresponding message in /var/log/maillog:
Code:
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [94.102.56.181] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
I'm thinking these are related. It's not a perfect one-to-one, but some of the saslauthd messages that are clustered together (within a few seconds of each other) have the message in /var/log/maillog:
Code:
Feb 13 02:44:23 mail sm-mta[28228]: v1D7iHdr028228: [222.110.153.146]: possible SMTP attack: command=AUTH, count=5
followed by a "did not issue" message, which I'm guessing means that the perpetrator can try several times within some time range or retry range (notice the "count=5" bit) before the attempt is logged in maillog.

If what I'm observing is correct, these saslauthd failures do ultimately make it to maillog, but there is no obvious correlation between the log events, other than this not-always-one-to-one timestamp correlation.

What do you think?
 
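The correlation described in post #6 (a saslauthd failure in /var/log/messages, a sm-mta line in /var/log/maillog a few seconds away that carries the client IP) can be automated. The script below is an added example, not code from the thread or from Sendmail/Cyrus SASL: it parses both log formats as they appear in the posts, pairs each saslauthd failure with the nearest sm-mta event inside a configurable window (5 seconds here, an assumption based on "within a few seconds"), and tallies failures and attempted usernames per source IP. The log lines embedded in it are constructed from the formats shown in the thread (the 192.0.2.10 entry is a made-up documentation address), and the year is an assumption because syslog timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix as seen in the thread: "Feb 17 00:06:24 mail saslauthd[1472]: ..."
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# saslauthd's "[key=value]" fields
KV_RE = re.compile(r'\[(\w+)=([^\]]*)\]')
# sm-mta lines: "<queue id>: [<ip>] text" or "<queue id>: [<ip>]: text"
MTA_RE = re.compile(r'^(?P<qid>\w+): \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:? ?(?P<text>.*)$')

LOG_YEAR = 2017  # assumption: syslog timestamps carry no year, so one is supplied

# Constructed sample input modelled on the lines quoted in the thread.
SAMPLE_MESSAGES = """\
Feb 17 00:06:24 mail saslauthd[1472]: do_auth         : auth failure: [user=office] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 00:06:25 mail saslauthd[1472]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 02:44:20 mail saslauthd[1472]: do_auth         : auth failure: [user=info] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 02:44:22 mail saslauthd[1472]: do_auth         : auth failure: [user=test] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
Feb 17 09:00:00 mail saslauthd[1472]: do_auth         : auth failure: [user=sales] [service=smtp] [realm=ohprs.org] [mech=shadow] [reason=Invalid username]
"""
SAMPLE_MAILLOG = """\
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [94.102.56.181] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 02:44:23 mail sm-mta[28228]: v1H7iHdr028228: [222.110.153.146]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:44:23 mail sm-mta[28228]: v1H7iHdr028228: [222.110.153.146] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 08:30:00 mail sm-mta[29000]: v1HDU0AB029000: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def parse_ts(ts, year=LOG_YEAR):
    """Turn a syslog timestamp into a datetime by prepending the assumed year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_saslauthd_failures(text):
    """Extract saslauthd 'auth failure' records from /var/log/messages content."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group('prog') != 'saslauthd' or 'auth failure' not in m.group('msg'):
            continue
        fields = dict(KV_RE.findall(m.group('msg')))
        out.append({'ts': parse_ts(m.group('ts')), 'user': fields.get('user'),
                    'service': fields.get('service'), 'reason': fields.get('reason')})
    return out


def parse_mta_events(text):
    """Extract sm-mta events that name a client IP from /var/log/maillog content."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group('prog') != 'sm-mta':
            continue
        mm = MTA_RE.match(m.group('msg'))
        if not mm:
            continue
        out.append({'ts': parse_ts(m.group('ts')), 'qid': mm.group('qid'),
                    'ip': mm.group('ip'), 'text': mm.group('text')})
    return out


def correlate(failures, events, window=timedelta(seconds=5)):
    """Pair each saslauthd failure with the nearest sm-mta event within the window.

    A failure with no event inside the window keeps ip=None; that is the
    'not always one-to-one' case the thread observes, and it must stay visible
    rather than being forced onto the wrong connection.
    """
    matches = []
    for f in failures:
        best, best_delta = None, None
        for e in events:
            delta = abs(e['ts'] - f['ts'])
            if delta <= window and (best_delta is None or delta < best_delta):
                best, best_delta = e, delta
        matches.append({'user': f['user'], 'ts': f['ts'],
                        'ip': best['ip'] if best else None,
                        'qid': best['qid'] if best else None,
                        'delta_s': best_delta.total_seconds() if best else None})
    return matches


def summarize(matches):
    """Count failures and distinct attempted usernames per source IP."""
    by_ip, unmatched = {}, 0
    for m in matches:
        if m['ip'] is None:
            unmatched += 1
            continue
        entry = by_ip.setdefault(m['ip'], {'failures': 0, 'users': set()})
        entry['failures'] += 1
        entry['users'].add(m['user'])
    for entry in by_ip.values():
        entry['users'] = sorted(entry['users'])
    return by_ip, unmatched


if __name__ == "__main__":
    # Against a live system: read('/var/log/messages') and read('/var/log/maillog') instead.
    by_ip, unmatched = summarize(correlate(parse_saslauthd_failures(SAMPLE_MESSAGES),
                                           parse_mta_events(SAMPLE_MAILLOG)))
    for ip, entry in sorted(by_ip.items(), key=lambda kv: -kv[1]['failures']):
        print(f"{ip}: {entry['failures']} failures, users={entry['users']}")
    print(f"unmatched saslauthd failures: {unmatched}")
```

The pairing is evidence of proximity, not proof: a failure that lands on a "possible SMTP attack: command=AUTH, count=5" line tells you sendmail only wrote to maillog after several AUTH attempts on that connection, so one maillog line may account for a cluster of saslauthd failures. Widening the window raises the match rate but also the chance of attributing a failure to an unrelated connection, so keep it at a few seconds and treat the unmatched count as the measure of what the logs alone cannot attribute.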