Author Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6  (Read 453 times)

SASL LOGIN authentication failed: UGFzc3dvcmQ6
« on: June 13, 2018, 01:52:32 AM »
Hi All,

I am getting the following regularly in my log, like every couple of minutes:

Jun 13 11:44:26 host postfix/smtpd[3433]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Is there a way to stop these? What is it created from? Is there a simple fix? The IP changes all the time.

Please advise ASAP.

Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #1 on: November 18, 2018, 07:51:43 PM »
Hi @aussiewarrior, that's happened to me too. You need to block those IPs; I've created a simple script to do this automatically.

Explanation:

# Put the content of journalctl into a txt file (jrn.txt)
Code:
journalctl -xe > jrn.txt

# Copy all lines with the word "SASL" from the previous txt file into a new txt file (sasl.txt)
Code:
grep "SASL" jrn.txt > sasl.txt

# Count and extract all the IPs from the previous txt file into a new txt file (ip-sasl.txt)
Code:
cat sasl.txt | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n | uniq -c | sort -n > ip-sasl.txt

# Remove the counting from the previous txt file into a new txt file (ip-csf.txt)
Code:
awk '{print $2}' ip-sasl.txt > ip-csf.txt

# Deny those IPs in CSF (Firewall)
Code:
for i in `cat ip-csf.txt`; do csf -d $i;done

# Restart CSF (Firewall)
Code:
csf -r

# Remove all the txt files
Code:
rm -f sasl.txt ip-sasl.txt jrn.txt ip-csf.txt

Works great for me. If you put all those lines into a script, you can execute it every 30 minutes or every hour through a cron job.
« Last Edit: November 18, 2018, 07:53:41 PM by AlexG »

Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #2 on: November 28, 2018, 06:33:58 PM »
Change csf.conf to permanently block after 2 failed login attempts and enable blocking for distributed failed login attempts.
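Added example, not code from any post in this thread: a dry-run variant of the log-to-CSF procedure that counts only failed SASL LOGIN lines, reads the client address from the bracketed `name[IP]` field, applies a failure threshold and skips allowlisted addresses before printing `csf -d` commands. It also decodes the logged string, which is the server's base64 prompt rather than a password. The function names, the threshold of 2, the allowlisted address and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed log lines in the format quoted in the first post
# (addresses come from the RFC 5737 documentation ranges).
sample_log() {
cat <<'EOF'
Jun 13 11:44:26 host postfix/smtpd[3433]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:46:31 host postfix/smtpd[3440]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:47:02 host postfix/smtpd[3441]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:49:05 host postfix/smtpd[3452]: connect from mail.example.org[192.0.2.25]
Jun 13 11:49:06 host postfix/smtpd[3452]: warning: mail.example.org[192.0.2.25]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:49:30 host postfix/smtpd[3452]: warning: mail.example.org[192.0.2.25]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
EOF
}

# The trailing token in the log is the base64 LOGIN prompt sent by the server.
decode_challenge() {
    printf '%s' "$1" | base64 -d
}

# sasl_offenders THRESHOLD [ALLOWLISTED_IP ...]   (hypothetical helper)
# Reads syslog text on stdin and prints "COUNT IP" for every client with at
# least THRESHOLD failed SASL LOGIN attempts, highest count first.
sasl_offenders() {
    threshold=$1; shift
    awk -v min="$threshold" -v allow=" $* " '
        /postfix\/smtpd.*SASL LOGIN authentication failed/ {
            # Take the address from "name[IP]: SASL", not any IP on the line.
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                if (index(allow, " " ip " ") == 0) count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# Dry run: print the deny commands for review instead of executing them.
block_commands() {
    sasl_offenders "$@" | while read -r _count ip; do
        printf 'csf -d %s\n' "$ip"
    done
}

# Threshold 2, with 192.0.2.25 treated as a known relay that must not be blocked.
sample_log | block_commands 2 192.0.2.25
```

On a live host the input would come from the journal or mail log instead of `sample_log`, and the printed commands would be reviewed before being run.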