On Wed, 2010-02-10 at 22:33 -0500, John Hinton wrote:
Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.
The system is saslauthd running as a service... sendmail and dovecot
setup. I have log levels in sendmail
I suppose that you are using SMTP authentication with SASL.
From the log service=smtp...so, in fact, the attack is coming from
the SMTP server and not directly to the SASL.
I guess that someone is trying to do a brute force attack on the SMTP server.
Regards
Lincoln
On Wed, Feb 10, 2010 at 6:08
Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.
The system is saslauthd running as a service... sendmail and dovecot
setup. I have log levels in sendmail set to 14. Something has to be able
to log the offender(s).
Perhaps you can use netstat to identify who is currently connected to
the machine. Then run it several times over a short period and block
the most likely culprits ?
John Hinton wrote:
Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP
John Hinton wrote:
Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.
I'd use iptables to log connections on that port and then time-correlate
with the log entries from saslauthd.
Best,
--- Les Bell
I am running IPTraf and have one offender... not a problem to find the
address by hand, but I know these things grow. Years ago it was ssh...
they are still trying. Then FTP... then smtp... but I have not before
seen one like this where I can't find it logged... and I want to put
into place
On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:
I'm seeing a lot of activity over the last two days with what looks to
be a kiddie script. Mostly trying to access several of our servers with
the username anna. All failed... in fact I don't think we have a user
anna on any of our
Alexander Dalloz wrote:
First you will have to configure Postfix through main.cf:
...
Next you have to make the link between Postfix and Cyrus-SASL in
/usr/lib{64}/sasl2/smtpd.conf:
...
You are done.
Yes I am! :-)
In fact, I DID all the above (with more or less variants), but I was
Michael Kress wrote:
2) saslpasswd2 -c -a mail -u mail testuser
That's a typo - the user is testomat.
But, with the same result. :-(
3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
shell output of testsaslauthd:
0: NO authentication failed
Michael Kress wrote on Wed, 26 Aug 2009 07:50:33 +0200:
I don't know what's going on - it seems that testsaslauthd doesn't
lookup the user 'testomat' in /etc/sasldb2
Should it really do that with auth-mech=shadow?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet
Hi,
Kai Schaetzl wrote:
I don't know what's going on - it seems that testsaslauthd doesn't
lookup the user 'testomat' in /etc/sasldb2
Should it really do that with auth-mech=shadow?
oh, I forgot to mention - of course I already tried that one:
saslauthd -d -a pam -O
Michael Kress wrote on Wed, 26 Aug 2009 11:13:34 +0200 (CEST):
oh, I forgot to mention - of course I already tried that one:
saslauthd -d -a pam -O /usr/lib64/sasl2/smtpd.conf -r -l
I may be wrong, but I would think that this still won't work. If you use
pam or shadow saslauth should use
Michael Kress wrote:
2) saslpasswd2 -c -a mail -u mail testuser
That's a typo - the user is testomat.
But, with the same result. :-(
3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
shell output of testsaslauthd:
0: NO authentication failed
You are mixing things. saslauthd
Hi,
Alexander Dalloz wrote:
2) saslpasswd2 -c -a mail -u mail testuser
That's a typo - the user is testomat.
But, with the same result. :-(
3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
shell output of testsaslauthd:
0: NO authentication failed
You are mixing things.
Kai Schaetzl schrieb:
If it doesn't matter which POP/IMAP server you use I would recommend going
with Dovecot.
The purpose for using /etc/sasldb2 is to use SMTP AUTH. (See my other
posting).
Regards
Michael
___
CentOS mailing list
CentOS@centos.org
Hi,
Alexander Dalloz wrote:
[ ... ]
You are mixing things. saslauthd and sasldb are exclusive: either use one
or the other (at least on CentOS).
ok - I think we're coming closer to the point.
It will certainly be sasldb2, because I have an old machine with SMTP AUTH
users who are
Michael Kress wrote on Wed, 26 Aug 2009 14:07:44 +0200 (CEST):
The purpose for using /etc/sasldb2 is to use SMTP AUTH.
I know (that's always the purpose), but it wasn't clear if you *have* to
use the sasldb2. As I said you can't use authentication schemes against
system accounts if you want
Michael Kress wrote on Wed, 26 Aug 2009 14:07:44 +0200 (CEST):
The purpose for using /etc/sasldb2 is to use SMTP AUTH.
I know (that's always the purpose), but it wasn't clear if you *have* to
use the sasldb2. As I said you can't use authentication schemes against
system accounts if you want
On Wed, 2009-08-26 at 14:07 +0200, Michael Kress wrote:
Kai Schaetzl schrieb:
If it doesn't matter which POP/IMAP server you use I would recommend going
with Dovecot.
The purpose for using /etc/sasldb2 is to use SMTP AUTH. (See my other
posting).
Dovecot can be used for incoming SMTP
Alexander Dalloz wrote:
First you will have to configure Postfix through main.cf:
...
Next you have to make the link between Postfix and Cyrus-SASL in
/usr/lib{64}/sasl2/smtpd.conf:
...
You are done.
Yes I am! :-)
In fact, I DID all the above (with more or less variants), but I was
Swilting wrote on Fri, 26 Dec 2008 11:58:05 +0100:
I have to try to change the option pam present in the file
in plain login
but after impossible to restart
This is wrong. You probably edited MECH=
This sets the method for checking the password, not the SASL encryption
method. You
Bazooka Joe wrote:
I just took my first cent server into production and now saslauthd
keep crashing after brute force attack.
I found a bug report so this has already been reported but not fixed.
http://bugs.centos.org/print_bug_page.php?bug_id=2860
I assume this has to be a large problem for
Bazooka Joe wrote:
Has anyone found a work around for this bug?
Doesn't seem like it -
https://bugzilla.redhat.com/show_bug.cgi?id=433583
nate
Bazooka Joe wrote on Tue, 25 Nov 2008 09:24:26 -0800:
saslauthd
you can use dovecot auth with postfix.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Bernd Bartmann wrote:
/var/log/maillog:
AUTH failure (LOGIN): authentication failure (-13) SASL(-13):
authentication failure: checkpass failed
/var/log/messages:
saslauthd[3665]: do_auth : auth failure: [user=username]
[service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Does someone
On Sun, May 25, 2008 at 11:42 AM, Ian Blackwell wrote:
Bernd Bartmann wrote:
/var/log/maillog:
AUTH failure (LOGIN): authentication failure (-13) SASL(-13):
authentication failure: checkpass failed
/var/log/messages:
saslauthd[3665]: do_auth : auth failure: [user=username]
Bernd Bartmann wrote:
Thanks Ian. That's indeed the reason. service saslauthd status gives
saslauthd dead but subsys locked. Now, what could be the reason why
saslauthd was not running any more?
cu,
Bernd.
On Sun, May 25, 2008 at 2:42 PM, Ian Blackwell wrote:
Bernd Bartmann wrote:
Thanks Ian. That's indeed the reason. service saslauthd status gives
saslauthd dead but subsys locked. Now, what could be the reason why
saslauthd was not running any more?
Hard to say without seeing the logs. Does
Bernd Bartmann wrote:
It did start without any problems. Looks like I found the cause. From
the logs I see that someone tried a brute force attack on the SMTP
relay with several username / password combinations. Then one of the
attempts led to a segfault of saslauth. Which probably means that