Hi @aussiewarrior, that's happen to me too. You need to block those IPs, I've created a simple script to do this automatically.
Explain:
#Put the content of journalctl into a txt file (jrn.txt)
journalctl -xe > jrn.txt
#Copy all lines with the word "SASL" from the previous txt file into a new txt file (sasl.txt)
grep "SASL" jrn.txt > sasl.txt
#Count and extract all the IPs from the previous txt file into a new txt file (ip-sasl.txt)
cat sasl.txt | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n | uniq -c | sort -n > ip-sasl.txt
#Remove the counting from the previous txt file into a new txt file (ip-csf.txt)
awk '{print $2}' ip-sasl.txt > ip-csf.txt
#Deny those IPs in CSF (Firewall)
for i in `cat ip-csf.txt`; do csf -d $i;done
#Restart CSF (Firewall)
csf -r
#Remove all the txt files
rm -f sasl.txt ip-sasl.txt jrn.txt ip-csf.txt
Works great from me. If you put all those lines into a script you can execute every 30 minutes or every hour through a cron job.
Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6 (Read 14548 times)
