Hi to all and happy new coming year! Since tonight I'm receiving continuous attacks (nearly 100) on my SMTP server; OSSEC does not notice them to add the IP to the denyhost file, and in the log no attacker IP address appears! Now I have disabled smtp and enabled smtps:

#smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp

----------------------------

Attack log:

DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6122]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: pam_mysql - SELECT returned no result.
Dec 27 03:50:35 lvps83 saslauthd[6117]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Dec 27 03:50:35 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

How can I solve this situation? Why does the log not report the remote address with the ISPConfig perfect configuration? Thanks to all for the attention. Best regards.
The above lines are from saslauthd; there must be lines from postfix as well, and they contain the IP address of the attacker.
Hi, thanks. I have found it in /var/log/syslog. But the attacks arrive from more than 10 source IP addresses; why does OSSEC not notice it and add the IP addresses to the denyhost file? Thank you. Best regards.
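As an added illustration of the point made in the reply above (not code from the thread, from ISPConfig or from OSSEC): the saslauthd "auth failure" lines carry no client address at all, so nothing can be blocked from them alone; the matching postfix/smtpd "SASL ... authentication failed" line for the same attempt is where the address is, and it is the line a log monitor has to key on. The script below runs over a constructed syslog excerpt (sample lines and addresses are made up for the example; the postfix/smtpd wording follows Postfix's standard warning format), counts failed SASL logins per client IP, lists the sources over a threshold and renders hosts.deny-style entries for review without writing any file.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the thread). Each saslauthd
# failure is followed by the postfix/smtpd line for the same attempt; only
# the latter names the client address.
SAMPLE_LOG = """\
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 postfix/smtpd[7011]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:36 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:36 lvps83 postfix/smtpd[7011]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:37 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:37 lvps83 postfix/smtpd[7014]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Dec 27 03:50:38 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:38 lvps83 postfix/smtpd[7011]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:39 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:39 lvps83 postfix/smtpd[7016]: warning: mail.example.net[192.0.2.99]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:40 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:40 lvps83 postfix/smtpd[7016]: warning: mail.example.net[192.0.2.99]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:41 lvps83 saslauthd[6120]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:41 lvps83 postfix/smtpd[7011]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:42 lvps83 saslauthd[6122]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:42 lvps83 postfix/smtpd[7014]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Dec 27 03:50:43 lvps83 saslauthd[6117]: do_auth : auth failure: [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:43 lvps83 postfix/smtpd[7016]: warning: mail.example.net[192.0.2.99]: SASL LOGIN authentication failed: authentication failure
Dec 27 03:50:44 lvps83 postfix/smtpd[7011]: disconnect from unknown[198.51.100.23]
"""

# Postfix logs a failed SASL login as: warning: <rdns>[<ip>]: SASL <mech> authentication failed: ...
SMTPD_SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# saslauthd only reports the outcome of the PAM lookup; there is no address to extract.
SASLAUTHD_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure:")


def smtpd_sasl_failures(log_text):
    """Return (ip, mech) for every postfix/smtpd SASL failure line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = SMTPD_SASL_FAIL.search(line)
        if m:
            found.append((m.group("ip"), m.group("mech")))
    return found


def saslauthd_failure_count(log_text):
    """Count saslauthd failures; this is all those lines allow, since they carry no client IP."""
    return sum(1 for line in log_text.splitlines() if SASLAUTHD_FAIL.search(line))


def failures_per_ip(log_text):
    """Failed SASL logins per client address, taken from the postfix/smtpd lines."""
    return Counter(ip for ip, _ in smtpd_sasl_failures(log_text))


def offenders(log_text, threshold):
    """Addresses with at least `threshold` failures, most active first."""
    return [(ip, n) for ip, n in failures_per_ip(log_text).most_common() if n >= threshold]


def hosts_deny_lines(ips):
    """Render hosts.deny entries ('ALL: <addr>') for review; nothing is written to disk here."""
    return ["ALL: %s" % ip for ip in ips]


if __name__ == "__main__":
    print("saslauthd failures (no address available):", saslauthd_failure_count(SAMPLE_LOG))
    hits = offenders(SAMPLE_LOG, threshold=3)
    for ip, n in hits:
        print("%-16s %d failed SASL logins" % (ip, n))
    print("\n".join(hosts_deny_lines(ip for ip, _ in hits)))
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the mail log (on the poster's system, /var/log/syslog); the threshold is the only tuning knob, and the hosts.deny lines are printed rather than applied so the list can be checked before any block is put in place.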