Control Web Panel
WebPanel => E-Mail => Topic started by: aussiewarrior on June 13, 2018, 01:52:32 AM
-
Hi All,
I am getting the following regularly in my log, like every couple of minutes:
Jun 13 11:44:26 host postfix/smtpd[3433]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Is there a way to stop these? What is it created from? Is there a simple fix? The IP changes all the time.
Please advise ASAP.
-
Hi @aussiewarrior, that happens to me too. You need to block those IPs; I've created a simple script to do this automatically.
Explanation:
#Put the content of journalctl into a txt file (jrn.txt)
journalctl -xe > jrn.txt
#Copy all lines with the word "SASL" from the previous txt file into a new txt file (sasl.txt)
grep "SASL" jrn.txt > sasl.txt
#Count and extract all the IPs from the previous txt file into a new txt file (ip-sasl.txt)
grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" sasl.txt | sort | uniq -c | sort -n > ip-sasl.txt
#Remove the counting from the previous txt file into a new txt file (ip-csf.txt)
awk '{print $2}' ip-sasl.txt > ip-csf.txt
#Deny those IPs in CSF (Firewall), reading the file line by line and quoting each IP
while read -r ip; do csf -d "$ip"; done < ip-csf.txt
#Restart CSF (Firewall)
csf -r
#Remove all the txt files
rm -f sasl.txt ip-sasl.txt jrn.txt ip-csf.txt
Works great for me. If you put all those lines into a script you can execute it every 30 minutes or every hour through a cron job.
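A more selective variant of the same idea, added here as an example and not part of the thread: it takes the IP only from the postfix SASL failure lines (not every dotted number in the log), applies a failure threshold in the spirit of csf's LF_SMTPAUTH, skips an allowlist so a trusted address is never blocked, and prints the csf commands for review instead of running them. The sample log lines and the allowlist path are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count SASL failures per client IP from
# postfix/smtpd log lines on stdin and print only the IPs that reached the
# threshold (first argument, default 3), so a single typo by a real user is
# not enough to get them blocked.
sasl_offenders() {
    threshold="${1:-3}"
    # Keep only the postfix SASL failure warning, then take the address from
    # the "unknown[1.2.3.4]" (or "name[1.2.3.4]") field in front of ": SASL".
    grep 'postfix/smtpd.*SASL [A-Z-]* authentication failed' |
        sed -n 's/.*\[\([0-9][0-9.]*\)\]: SASL.*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Turn a list of IPs (stdin) into "csf -d" commands for review (dry run);
# pipe the output into sh once it looks right. IPs listed in the allowlist
# file (constructed path, one IP per line) are reported but never denied.
deny_commands() {
    allow="${1:-/dev/null}"
    while read -r ip; do
        if grep -qxF "$ip" "$allow"; then
            echo "# skip allowlisted $ip"
        else
            echo "csf -d $ip 'SASL auth failures'"
        fi
    done
}

# Constructed sample log lines in the format shown in the thread. The base64
# tail "UGFzc3dvcmQ6" decodes to "Password:", i.e. the SASL LOGIN prompt the
# server sent, not the password that was tried.
SAMPLE_LOG='Jun 13 11:44:26 host postfix/smtpd[3433]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:45:01 host postfix/smtpd[3433]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:46:12 host postfix/smtpd[3440]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 11:47:03 host postfix/smtpd[3441]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jun 13 11:48:30 host postfix/smtpd[3442]: connect from mail.example.net[203.0.113.9]'

# Run with --demo to see the commands for the sample log. For real use,
# feed it `journalctl -u postfix` or /var/log/maillog instead of SAMPLE_LOG.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | sasl_offenders 3 | deny_commands
fi
```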
-
change csf.conf to permanently block after 2 failed login attempts and enable blocking for distributed failed login attempts
-
Glenn, what should I modify?
change csf.conf to permanently block after 2 failed login attempts and enable blocking for distributed failed login attempts
thanks
-
try this
# - Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "3"
LF_SMTPAUTH_PERM = "1"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "3"
# To disable set to "0"
LF_DISTSMTP = "1"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"
# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "0"
# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"