2

My linux sendmail server is being forced out of commission by a flood of invalid smtp saslauthd logins.
Steady stream of PAM auth errors logged for saslauthd in messages.
I have searched and searched for a way to determine the IP so I can block it ... no luck.
The IP is not being recorded in the messages or secure logs.
Any advice would be greatly appreciated.

xivix
  • 553
  • 2
  • 8
  • 16
  • Use `netstat` to list the connection details to determine the IP addresses connecting to your SMTP port. – rthomson Jun 17 '11 at 02:53

5 Answers

3

This might help: Blocking SMTP authentication brute force attacks using Fail2Ban

daemonofchaos
  • 1,211
  • 1
  • 8
  • 10
  • 1
    Thanks. I have checked that out several times in the past. Fail2Ban is overkill in my situation ... I have a very large iptables that I have built over many years to thwart many attacks. It would be counter-productive for another system to start overwriting or modifying that. I just need to know the IP so I can block it. Can fail2ban do that? How does fail2ban get the IP? If I could know that I could take it from there. – xivix Jun 16 '11 at 19:42
  • 1
    Fail2ban parses relevant logfiles and if it sees multiple failed connection attempts from the same address, it injects a ban rule into the firewall, and after a while lifts this ban, when the bots have given up. – Sven Jun 16 '11 at 19:55
  • 3
    fail2ban isn't overkill -- it's pretty much exactly what you want in a mostly-automated package... – voretaq7 Jun 16 '11 at 19:59
  • @xivix clearly fail2ban isn't overkill in this situation; it's exactly the tool you want. Fail2Ban creates its own table that it then manages. It does not interfere with your current settings beyond that. – user9517 Jun 16 '11 at 20:02
  • thanks ... I did some research and from what I can tell fail2ban reads logs and the logs need to have the IP in them somewhere. The problem with saslauthd and pam authentication is that they don't log IPs for failed authentication. So fail2ban won't have any data. – xivix Jun 17 '11 at 01:54
  • Your /var/log/mail.log should contain the IP address of any attempted connections, which is what Fail2Ban will work off as the article displays. – daemonofchaos Jun 17 '11 at 14:35
  • saslauthd pam failed authentication attempts never make it to maillog. I have looked in maillog, messages, secure, and auth logs ... no IP to be found :( ... I see much frustration during research ... seems saslauthd was designed to be exploited – xivix Jun 17 '11 at 17:51
  • I see failed saslauthd records in /var/log/maillog like this: Aug 14 10:20:57 p4161854 postfix/smtpd[18993]: warning: unknown[88.212.188.65]: SASL LOGIN authentication failed: authentication failure – Charles Roth Aug 14 '16 at 14:25
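As an added example (not from the thread), the check fail2ban performs before it bans, written out over constructed maillog lines in the postfix/smtpd format quoted in the comment above: count SASL failures per client IP inside a sliding time window and report the addresses that cross the threshold. It assumes the client IP appears as a bracketed IPv4 on the failure line; the lines sendmail emits at a higher LogLevel may need a different pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from the thread) in the postfix/smtpd format
# quoted above: 203.0.113.7 is the flood, 198.51.100.20 one user mistyping twice.
SAMPLE_LOG = """\
Aug 14 10:20:57 mail postfix/smtpd[18993]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Aug 14 10:20:58 mail postfix/smtpd[18993]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Aug 14 10:20:59 mail postfix/smtpd[18995]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Aug 14 10:21:00 mail postfix/smtpd[18993]: connect from unknown[198.51.100.20]
Aug 14 10:21:03 mail postfix/smtpd[18994]: warning: client.example.net[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Aug 14 10:41:03 mail postfix/smtpd[18994]: warning: client.example.net[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
"""

FAILURE_MARKER = re.compile(r"SASL \w+ authentication failed")
# Assumption: the client IP is the bracketed IPv4 after the hostname; adjust for
# the lines your sendmail emits at the higher LogLevel.
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

def parse_failure(line, year=2016):
    """Return (timestamp, ip) for a SASL failure line, else None; syslog omits the year."""
    if not FAILURE_MARKER.search(line):
        return None
    ts, ip = TIMESTAMP.match(line), CLIENT_IP.search(line)
    if not ts or not ip:
        return None
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    return when, ip.group(1)

def find_offenders(lines, max_failures=8, window_seconds=600, year=2016):
    """Map ip -> time it first reached max_failures failures within any
    window_seconds span (the maxretry/findtime decision a fail2ban jail makes)."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        when, ip = parsed
        hits = recent[ip]
        hits.append(when)
        while (when - hits[0]).total_seconds() > window_seconds:
            hits.popleft()  # forget failures older than the window
        if len(hits) >= max_failures and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG.splitlines(), max_failures=3, window_seconds=60))
```

With a threshold of 3 failures in 60 seconds only 203.0.113.7 is reported; the legitimate user's two failures are 20 minutes apart and fall out of the window.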
2

You have to increase the LogLevel to 10 or more. Look in sendmail.mc or put something like define(`confLOG_LEVEL', `10')dnl

This will log the IP number on auth failures.

Gabriel
  • 21
  • 1
1

I found there are corresponding log entries in /var/log/mail.log that do contain the IP address of the attacker and can therefore be blocked with fail2ban (at least on Ubuntu 14.04). Try searching for "SASL LOGIN authentication failed".

0

Sendmail logs to the LOG_MAIL facility, which is usually sent to something like /var/log/mail or /var/log/maillog, depending on your operating system. Consult your local /etc/syslog.conf for details. You may find something useful there.

If that doesn't work, you can use tcpdump to find out who's connecting to your system. If you run it like this:

# tcpdump -i <interface> -n port 25

You'll get a list of traffic on port 25, which will look something like this:

15:41:07.974013 IP 192.168.1.20.58973 > 192.168.1.20.25: Flags [S], seq 3814195426, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 393331165 ecr 0], length 0
15:41:07.974041 IP 192.168.1.20.25 > 192.168.1.20.58973: Flags [S.], seq 538844273, ack 3814195427, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 3794784629 ecr 393331165], length 0

That's a timestamp, then a protocol, then the source ip address, then the destination ip address. This should give you what you need.

You could also get something similar using the netstat command:

netstat -an | grep :25

This should show connections on port 25 on your local system.

There are a variety of mechanisms for either rate-limiting smtp connections per source address or blocking addresses with a high rate of authentication failures. You can use iptables for the former or something like fail2ban for the latter.

larsks
  • 43,623
  • 14
  • 121
  • 180
  • Thanks ... the tcpdump does help ... but I have thousands of users on this server all mixed in with the attacker ... how do I associate an attacker IP with an invalid login? – xivix Jun 16 '11 at 19:51
  • Did your maillog have useful information? If you're really getting hammered by a remote system (or systems) you should be able to identify them based on traffic. A tool like `iptraf` would help with this. If you're using unencrypted smtp (yikes!) you could inspect the packet data to see which systems are logging in. You can probably configure sendmail to provide better logging in the event of authentication failures, but I'm not sure off the top of my head. – larsks Jun 16 '11 at 20:02
  • iptraf looks great too ... please tell me how to do as you suggest (inspect packet data to see which systems are logging in) as I have never used it and am in emergency mode at the moment. I also tried iptables connection limiting and it doesn't even slow it down:
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 10 --hitcount 8 -j DROP
    Also did port 587. – xivix Jun 16 '11 at 20:15
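When thousands of legitimate clients are mixed in with the flood, the tcpdump output above is easier to act on once it is reduced to connection attempts per source. This added example (not from the thread) parses `tcpdump -n` lines in the format shown in the answer, counting only client SYNs (`Flags [S]`) towards the SMTP ports and ignoring the server's SYN-ACK replies (`Flags [S.]`); the two lines from the answer are reused and the rest are constructed.

```python
import re
from collections import Counter

# The two lines from the answer above plus constructed ones: 203.0.113.7 opens
# several connections (to 25 and 587), 198.51.100.20 opens one.
SAMPLE_TCPDUMP = """\
15:41:07.974013 IP 192.168.1.20.58973 > 192.168.1.20.25: Flags [S], seq 3814195426, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 393331165 ecr 0], length 0
15:41:07.974041 IP 192.168.1.20.25 > 192.168.1.20.58973: Flags [S.], seq 538844273, ack 3814195427, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 3794784629 ecr 393331165], length 0
15:41:08.100000 IP 203.0.113.7.40001 > 192.168.1.20.25: Flags [S], seq 1, win 65535, length 0
15:41:08.200000 IP 203.0.113.7.40002 > 192.168.1.20.25: Flags [S], seq 2, win 65535, length 0
15:41:08.300000 IP 203.0.113.7.40003 > 192.168.1.20.587: Flags [S], seq 3, win 65535, length 0
15:41:08.400000 IP 198.51.100.20.51000 > 192.168.1.20.25: Flags [S], seq 4, win 65535, length 0
"""

# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S]," is a new connection
# attempt; "Flags [S.]" is the server's reply and must not be counted.
SYN_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)

def count_syns(lines, ports=(25, 587)):
    """Count connection attempts per source IP towards any of `ports`."""
    syns = Counter()
    for line in lines:
        m = SYN_LINE.match(line)
        if m and int(m.group(4)) in ports:
            syns[m.group(1)] += 1
    return syns

def top_sources(lines, ports=(25, 587), n=5):
    """Return the n busiest source IPs as (ip, attempts), busiest first."""
    return count_syns(lines, ports).most_common(n)

if __name__ == "__main__":
    for ip, attempts in top_sources(SAMPLE_TCPDUMP.splitlines()):
        print(f"{attempts:5d}  {ip}")
```

In practice the lines come from `tcpdump -i <interface> -n port 25 or port 587` piped in, and the busiest source that does not correspond to a known mail client is the one to correlate with the authentication failures.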
0

This is a bit late, but I'm fairly certain that saslauthd does not log the IP address because of some limitation within the saslauthd library and its implementation.

However, as far as I know, Sendmail DOES record the IP, and you could point fail2ban at that instead, by writing a rule for Sendmail, instead of using the provided saslauthd jail.

RapidWebs
  • 571
  • 4
  • 13