Login or Register to Ask a Question and Join Our Community


UNIX for Advanced & Expert Users

Brute force SMTP attack right now *help*

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users Brute force SMTP attack right now *help*
# 1  
Old 11-26-2008
Brute force SMTP attack right now *help*
Im currently experiancing a brute force attack on my server

Code:
Nov 26 15:27:04 ws096 saslauthd[7071]: do_auth         : auth failure: [user=mouse] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:13 ws096 saslauthd[7071]: do_auth         : auth failure: [user=nathan] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:22 ws096 saslauthd[7072]: do_auth         : auth failure: [user=nissan] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:29 ws096 PAM_pwdb[30322]: check pass; user unknown
Nov 26 15:27:31 ws096 saslauthd[7072]: do_auth         : auth failure: [user=rebecca] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:39 ws096 saslauthd[7072]: do_auth         : auth failure: [user=shalom] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:48 ws096 saslauthd[7072]: do_auth         : auth failure: [user=smile] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:27:57 ws096 saslauthd[7072]: do_auth         : auth failure: [user=sparky] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Nov 26 15:28:01 ws096 PAM_pwdb[30542]: (dovecot) session opened for user jlymburner by (uid=0)

How do i stop this? I cant find the ip the attack is coming from
Its on a CentOS 4.x box

Thanks!
# 2  
Old 11-26-2008
You cant?

netstat -na

lsof -i
# 3  
Old 11-26-2008
ok i tried netsat -na but what am i looking for?
# 4  
Old 11-26-2008
netstat -na | grep 587

This should tell you all connections on the saslauthd. If they are the same ip address you can just block it. If they are different you might have to make a script or something to block them.
# 5  
Old 11-30-2008
You can try to install denyhosts.
The tool check the auth.log and drop the session from the source IP.
If the source IP tried more then 3 failed login.
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Emergency UNIX and Linux Support

DDOS attack please help!

Dear community, my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql. I identified the IPs who attack me and block it through iptable firewall from debian. Something like: iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP This... (7 Replies)
Discussion started by: Lord Spectre
7 Replies

2. Shell Programming and Scripting

Expect script that simulates a SSH brute force attack

I want to test the effectiveness of sshguard on some of my systems so I'm trying to write a script that simulates a brute force attack by sending a bunch of different username and password combinations to the servers being tested. So far I have this: #!/usr/local/bin/expect set timeout 3... (5 Replies)
Discussion started by: ph0enix
5 Replies

3. Cybersecurity

DDoS and brute force attack

How to protect DDoS and brute force attack. I want to secure my server and block attacker. (1 Reply)
Discussion started by: romanepo
1 Replies

4. Cybersecurity

UUCP attack?

Is this an attack attempt? I got an e-mail from 'uucp Admin' last night and again this morning: What does it mean and what can I do about it? Thanks (4 Replies)
Discussion started by: ctafret
4 Replies

5. Cybersecurity

Network attack - so what?

In my logs I find entries about attacks on my system. I know IP addresses, I know date and time and I know what they tried to do. So what's the best I can do now? Tell everybody that there are cybercriminals on that network? Write an email to their admin? Anything else? (10 Replies)
Discussion started by: Action
10 Replies

6. Cybersecurity

Found attack from

Hi, I have a belkin router installed and a look at the security log has got me worried a little bit. Security log: Fri Jan 29 20:41:46 2010 =>Found attack from 68.147.232.199. Source port is 58591 and destination port is 12426 which use the TCP protocol. Fri Jan 29 20:41:46 2010 ... (1 Reply)
Discussion started by: jld
1 Replies

7. Cybersecurity

What I think is a DoS attack

About 3 days ago our Apache logs started filling with the following errors: mod_ssl: SSL handshake failed (server <weberver>:443, client 41.235.234.172) (OpenSSL library error follows) OpenSSL: error:1408A0B7:SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified These initially were... (1 Reply)
Discussion started by: ccj4467
1 Replies

8. UNIX for Advanced & Expert Users

Apache brute force attack

Hi, I'm trying find out if there is a way to stop a brute force attack on a Webmail site. I'm trying to setup a webmail access, but I would like to prevent too many invalid logins from the same IP. I've looked into Snort, but I was wondering if there was an application level firewall that can... (1 Reply)
Discussion started by: nitin
1 Replies
Login or Register to Ask a Question