Hi all: I find the maillog always shows "SASL LOGIN authentication failed: UGFzc3dvcmQ6". How can I change the conf file to show the failing user name? Thanks
But the problem is, when I go to see the maillog, I don't know who "UGFzc3dvcmQ6" is; this is encrypted. So how can I make the maillog show the plain user name?
You have to turn on verbose logging to see the details. The exact settings depend on the setup that you use. Which setup do you use on this server?
Hi all: I followed the link below to set this up: https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/ I think the maillog comes from postfix+Dovecot. If a spammer tries to hack an account, the maillog will show:

    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

My question is, how to show the user name for this "SASL LOGIN authentication failed: UGFzc3dvcmQ6", e.g. how to show:

    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed for user name : [email protected]

but not UGFzc3dvcmQ6. Thanks for all the support
Hi Michael, please edit the dovecot.conf file (should be /etc/dovecot/dovecot.conf) and add these two lines to enable verbose logging:

    auth_verbose = yes
    mail_debug = yes

then restart dovecot. If you get too much verbose output, then just try auth_verbose only.
Hi all: Thanks for your help, I will try to modify dovecot; it is useful to show the user name, as we can know which email accounts are at high risk and it lets me take more steps to prevent hackers trying to hack passwords. Thanks
SASL LOGIN authentication failed != hacked, but it indicates some guest tried to connect to our smtp server to send spam email, but the password was wrong, which causes:

    postfix/smtpd[6942]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
I'm getting this message in the log now. You say it means "hacked!" Below, someone says it indicates a failed attempt to send spam (wrong password). Question: What is the recommended action?
David, != is technical language for "does not equal", so in this case, the SASL LOGIN authentication failed message doesn't mean the account has been hacked. It simply means a wrong username / password has been used. It could be a brute-force hack attempt, but it's not getting through.
Hi, ok, this thread is a little older now, but I would recommend configuring fail2ban to handle sasl login failures.
I use fail2ban, but can't even manage to log the mentioned encoded string in postfix. I can log the sasl sql query separately, but it's not a good solution because I can't reliably link the failure log to the query. My postfix just logs:

    postfix/smtpd[xxxx]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed: authentication failure

Any solution since then?
Hi, I think the following steps should help to use fail2ban. First create a file /etc/fail2ban/jail.d/postfix-sasl.conf with the following content:

    [sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5

and a second file /etc/fail2ban/filter.d/postfix-sasl.conf:

    # Fail2Ban filter for postfix authentication failures
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = postfix/smtpd
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

Then just restart fail2ban:

    systemctl restart fail2ban

After that the list of banned IPs should fill up quite fast ;-)
regards Bernd
I don't understand that. In your post above you have a perfectly fine log line which will be found by the posted code.
And why is that a problem? This does not include the username, encrypted or otherwise; 'UGFzc3dvcmQ6' unencrypted is 'Password'. All this log entry is showing you is that someone tried to log in with incorrect details; they could have used any username, and the username doesn't have to (and probably doesn't actually) exist on your system. Similarly, it doesn't help you even if you know what the username they're trying is; they're just trying to brute force any username they think is likely to exist. Knowing they're trying to brute force [email protected] doesn't help you. What helps is knowing the IP address they're trying to do this from, and banning it if it makes repeated attempts to log in, which is what the bit of fail2ban configuration posted above will do for you.
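As an added example (not code from this thread or from fail2ban itself), the following Python script runs the failregex posted above over constructed log lines of the kind quoted in this thread and decodes the UGFzc3dvcmQ6 string discussed in the last post. The __prefix_line and <HOST> substitutions are simplified assumptions standing in for what fail2ban's common.conf provides.

```python
import base64
import re
from collections import Counter

# failregex exactly as posted in the fail2ban filter above.
FAILREGEX = (
    r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Assumptions: simplified stand-ins for what fail2ban's common.conf
# substitutes for __prefix_line (syslog timestamp, host, daemon[pid]: )
# and for the <HOST> tag (a capture group named "host").
PREFIX_LINE = r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
HOST_TAG = r"(?P<host>[\w\-.^_]*\w)"

PATTERN = re.compile(
    (FAILREGEX % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST_TAG)
)

# Constructed sample log lines in the shape quoted in this thread.
SAMPLE_LOG = [
    "Mar  3 10:15:01 mail postfix/smtpd[5556]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar  3 10:15:09 mail postfix/smtpd[6942]: warning: unknown[203.0.113.45]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:16:22 mail postfix/smtpd[7001]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    "Mar  3 10:17:00 mail postfix/smtpd[7002]: connect from unknown[198.51.100.7]",
]


def decode_sasl_blob(blob):
    """Decode the base64 string postfix logs after 'authentication failed:'."""
    return base64.b64decode(blob).decode("ascii")


def match_host(line):
    """Return the client IP the filter would extract for this line, or None."""
    m = PATTERN.match(line)
    return m.group("host") if m else None


def count_failures(lines):
    """Count matching failures per client IP, as the jail does against maxretry."""
    return Counter(h for h in map(match_host, lines) if h)


if __name__ == "__main__":
    print(decode_sasl_blob("UGFzc3dvcmQ6"))
    for host, n in count_failures(SAMPLE_LOG).items():
        print(host, n)
```

Both the base64 "UGFzc3dvcmQ6" variant and the "authentication failure" variant from the earlier post are matched, since the trailing group accepts spaces and letters; the "connect from" line is ignored.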
If I knew the username I could set more aggressive firewall behavior when one IP is probing different usernames. I could be sure it is not a regular user trying to log in.
They'll most likely have already been banned due to too many failed logins trying different passwords for the same username, whilst basing bans on different usernames being used from the same IP runs the risk of banning legitimate users connecting to email from an office, or one user trying to access different mailboxes on different domains because they don't want them all going into one mailbox, or don't know how to have them all go into one mailbox. If you want to be more aggressive with this sort of thing, you can decrease the maxretry level, or increase the time period in which maxretry can be reached, and increase the bantime for that jail. You can also create jail loops, so if an IP has already been banned today and it gets banned again, the ban time is doubled; you can set it so if it's banned e.g. 3 times in a day, it gets banned for 24 hours, if it gets banned 3 times within a week, it gets banned for a week, or if it gets 5 24-hour bans within a fortnight, it gets banned for 6 months. If you turn on verbose logging, or debug logging, and you have a lot of mail users, you're going to end up with massive log files. You could be looking at tens of GBs of mail logs each day. I don't know what it's like where you are, but in the UK, if you're providing an email service to customers, you're legally required to keep records of all mail transactions for at least a year. Even zipping the mail logs up, that's a lot of disk space spent on storing old log files.