My linux sendmail server is being forced out of commission by a flood of invalid smtp saslauthd logins.
Steady stream of PAM auth errors logged for saslauthd in messages.
I have searched and searched for a way to determine the IP so I can block it ... no luck.
The IP is not being recorded in the messages or secure logs.
Any advice would be greatly appreciated.
This might help: Blocking SMTP authentication brute force attacks using Fail2Ban
You have to increase the LogLevel to 10 or more. Look in sendmail.mc or put something like

    define(`confLOG_LEVEL', `10')dnl

This will log the IP number on auth failures.
I found there are corresponding log entries in /var/log/mail.log that do contain the IP address of the attacker and can therefore be blocked with fail2ban (at least on Ubuntu 14.04). Try searching for "SASL LOGIN authentication failed".
Sendmail logs to the LOG_MAIL facility, which is usually sent to something like /var/log/mail or /var/log/maillog, depending on your operating system. Consult your local /etc/syslog.conf for details. You may find something useful there.

If that doesn't work, you can use tcpdump to find out who's connecting to your system. If you run it like this:

You'll get a list of traffic on port 25, which will look something like this:

That's a timestamp, then a protocol, then the source IP address, then the destination IP address. This should give you what you need.

You could also get something similar using the netstat command:

This should show connections on port 25 on your local system.

There are a variety of mechanisms for either rate-limiting SMTP connections per source address or blocking addresses with a high rate of authentication failures. You can use iptables for the former or something like fail2ban for the latter.

This is a bit late, but I'm fairly certain that saslauthd does not log the IP address because of some limitation within the saslauthd library and its implementation.
However, as far as i know, Sendmail DOES record the IP, and you could point fail2ban at that instead, by writing a rule for Sendmail, instead of using the provided saslauthd jail.
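The two answers above both end at the same practical step: once sendmail itself records the client address (LogLevel 10 or higher), count authentication failures per source and feed the worst offenders to iptables or fail2ban. The script below is an added example, not code from any answer in this thread. It tallies AUTH failure lines per bracketed source address and prints the iptables DROP rules a defender would review before applying them. The log lines, hostnames, queue IDs and usernames are constructed approximations of sendmail's "AUTH failure ... user=... [ip]" entries, not captured output, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: per-source tally of sendmail SMTP AUTH failures from
# maillog-style input, plus the iptables rules to block repeat offenders.
# SAMPLE_LOG is constructed test data, not a real log.
SAMPLE_LOG='Jan 10 03:14:01 mx sendmail[2231]: s0A3E1aB002231: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin [203.0.113.5]
Jan 10 03:14:03 mx sendmail[2234]: s0A3E3cD002234: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin [203.0.113.5]
Jan 10 03:14:05 mx sendmail[2237]: s0A3E5eF002237: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test [203.0.113.5]
Jan 10 03:14:09 mx sendmail[2240]: s0A3E9gH002240: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=root [203.0.113.5]
Jan 10 03:15:12 mx sendmail[2251]: s0A3FCiJ002251: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob [192.0.2.77]
Jan 10 03:15:40 mx sendmail[2260]: s0A3Fekl002260: from=<alice@example.org>, size=1024, class=0, nrcpts=1, relay=[192.0.2.10]'

# extract_ips: print the bracketed source address of every AUTH failure line on stdin.
# The greedy leading .* makes sed take the LAST [...] on the line, so the
# "sendmail[2231]" pid bracket is skipped; ordinary delivery lines are ignored.
extract_ips() {
    grep 'AUTH failure' | sed -n 's/.*\[\([0-9][0-9.]*\)].*/\1/p'
}

# report_offenders THRESHOLD: print "ip count" for every address with at
# least THRESHOLD failures, sorted by address.
report_offenders() {
    extract_ips | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2, $1 }'
}

# block_rules THRESHOLD: print (do not execute) one iptables DROP rule per
# offender, scoped to port 25 so unrelated traffic from that address is unaffected.
block_rules() {
    report_offenders "$1" | awk '{ print "iptables -I INPUT -s " $1 " -p tcp --dport 25 -j DROP" }'
}

# Run against the constructed sample; on a real host use e.g.
#   block_rules 5 < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | report_offenders 3
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

With the sample above, `report_offenders 3` reports only 203.0.113.5 (four failures); 192.0.2.77 has one failure and stays below the threshold. The same `extract_ips` pattern is what a fail2ban filter for sendmail would express as a failregex with `<HOST>` in place of the bracketed address, which is the "rule for Sendmail instead of the saslauthd jail" suggested in the last answer.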