boricua wrote:
> René Berber wrote ..
>> No regex, sendmail's log doesn't show IP or user for this kind of
>> attacks, so DennyHosts wouldn't be able to use that log... at least that
>> is what I see in Solaris, is it different elsewhere?
>
> postfix does
> Jan 27 06:09:16 pepino postfix/smtpd[30911]: NOQUEUE: reject: RCPT from
> unknown[75.126.9.99]: 550 5.1.1 <[EMAIL PROTECTED]
That's not an SMTP auth attack.
What this thread is about is something that in sendmail's log looks like
this:
Jan 30 07:54:11 sunfire sendmail[1832]: [ID 801593 mail.info] m0UDs4HK001832: [222.183.161.244]: possible SMTP attack: command=AUTH, count=2
Jan 30 07:55:25 sunfire sendmail[1832]: [ID 801593 mail.info] m0UDs4HK001832: [222.183.161.244] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
And in sasl's log (authlog on Solaris) looks like this:
Jan 30 07:54:11 sunfire saslauthd[393]: [ID 285309 auth.info] do_auth : auth failure: [user=12345] [service=smtp] [realm=] [mech=shadow] reason=Unknown]
Jan 30 07:54:13 sunfire saslauthd[394]: [ID 285309 auth.info] do_auth : auth failure: [user=12345] [service=smtp] [realm=] [mech=shadow] reason=Unknown]
Jan 30 07:54:18 sunfire saslauthd[395]: [ID 285309 auth.info] do_auth : auth failure: [user=12345] [service=smtp] [realm=] [mech=shadow] reason=Unknown]
Jan 30 07:54:25 sunfire saslauthd[390]: [ID 285309 auth.error] do_request : NULL password received
Jan 30 07:54:34 sunfire saslauthd[392]: [ID 285309 auth.info] do_auth : auth failure: [user=12345] [service=smtp] [realm=] [mech=shadow] reason=Unknown]
Jan 30 07:54:52 sunfire saslauthd[393]: [ID 285309 auth.info] do_auth : auth failure: [user=12345] [service=smtp] [realm=] [mech=shadow] reason=Unknown]
So, I was wrong, the IP is there. Also notice that sendmail only
outputs one message, with a count of how many failures... and it doesn't
output anything after that (it doesn't count all failures).
Anyway, following the same procedure shown recently for vsftpd, it is
possible to catch these.
Something like (including vsftpd):
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:|sendmail.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+)\s+user=(?P<user>\S+).*
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+).*
USERDEF_FAILED_ENTRY_REGEX=\[(?P<host>\S+)\]: possible SMTP attack:.*
Of course this would only work if the count threshold in DenyHosts is 1,
which is kind of restrictive for sshd and vsftpd... more tweaking is needed.
--
René Berber
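An added example (editor's code, not from the message above and not part of DenyHosts): a small Python script that first runs the SSHD_FORMAT_REGEX proposed in the message over the sendmail line quoted there, to show what the message group actually captures, and then parses the "possible SMTP attack" lines with a separate pattern of my own, anchored on the raw syslog line, summing the count= values per host so a threshold higher than 1 still catches these. The two sunfire lines are the ones quoted above, re-joined onto single syslog lines; the 192.0.2.10 line is constructed (a TEST-NET address) to show a second host with a larger count. The SMTP_ATTACK_REGEX pattern and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample log: the first two lines are the sendmail lines quoted in the message
# (re-joined onto one line each); the third is constructed for this example.
SAMPLE_LOG = """\
Jan 30 07:54:11 sunfire sendmail[1832]: [ID 801593 mail.info] m0UDs4HK001832: [222.183.161.244]: possible SMTP attack: command=AUTH, count=2
Jan 30 07:55:25 sunfire sendmail[1832]: [ID 801593 mail.info] m0UDs4HK001832: [222.183.161.244] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Jan 30 08:02:40 sunfire sendmail[1910]: [ID 801593 mail.info] m0UE2eXY001910: [192.0.2.10]: possible SMTP attack: command=AUTH, count=7
"""

# The format regex exactly as proposed in the message (DenyHosts SSHD_FORMAT_REGEX).
POSTED_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|vsftpd.*:|sendmail.*:) (?P<message>.*)"
)

# Hypothetical pattern for this example: anchored on the raw line, with a
# non-greedy skip over the syslog ID and queue ID fields, so the bracketed
# host and the count= value are captured reliably.
SMTP_ATTACK_REGEX = re.compile(
    r"sendmail\[\d+\]: .*?\[(?P<host>[^\]\s]+)\]: possible SMTP attack: "
    r"command=(?P<command>\w+), count=(?P<count>\d+)"
)


def posted_message_group(line):
    """Return what the message's own format regex captures as 'message'."""
    m = POSTED_FORMAT_REGEX.match(line)
    return m.group("message") if m else None


def parse_smtp_attack(line):
    """Return (host, command, count) for a 'possible SMTP attack' line, else None."""
    m = SMTP_ATTACK_REGEX.search(line)
    if not m:
        return None
    return m.group("host"), m.group("command"), int(m.group("count"))


def failures_by_host(log_text):
    """Sum the count= values per host; sendmail logs one such line per session."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_smtp_attack(line)
        if parsed:
            host, _command, count = parsed
            totals[host] += count
    return dict(totals)


def hosts_over_threshold(log_text, threshold):
    """Hosts whose summed AUTH failures reach the threshold (block-list candidates)."""
    return sorted(h for h, n in failures_by_host(log_text).items() if n >= threshold)


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("posted format regex captures:", repr(posted_message_group(first)))
    print("per-host totals:", failures_by_host(SAMPLE_LOG))
    print("over threshold 3:", hosts_over_threshold(SAMPLE_LOG, 3))
```

Two things worth checking before dropping the proposed lines into denyhosts.cfg. First, the greedy `.*` inside the `sendmail.*:` alternative runs to the last ": " on the line, so on the sendmail line the message group comes out as just "command=AUTH, count=2", and the `\[(?P<host>\S+)\]: possible SMTP attack:.*` entry would then have nothing to match; a non-greedy skip (as in SMTP_ATTACK_REGEX above) or a pattern applied to the whole line avoids that. Second, since sendmail emits a single line carrying a count rather than one line per failure, adding the count= value to the per-host total (as failures_by_host does) lets a threshold above 1 work for sendmail without forcing it down to 1 for sshd and vsftpd.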
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user