Author Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6  (Read 14059 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
SASL LOGIN authentication failed: UGFzc3dvcmQ6
« on: June 13, 2018, 01:52:32 AM »
Hi All,

I am getting the following regularly on my log. like every couple of minutes

Jun 13 11:44:26 host postfix/smtpd[3433]: warning: unknown[185.234.216.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Is there are way to stop theses? What is it created from? Is there a simple fix? IP changes all the time.

Please advise ASAP.

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #1 on: November 18, 2018, 07:51:43 PM »
Hi @aussiewarrior, that's happen to me too. You need to block those IPs, I've created a simple script to do this automatically.

Explain:

#Put the content of journalctl into a txt file (jrn.txt)
Code: [Select]
journalctl -xe > jrn.txt
#Copy all lines with the word "SASL" from the previous txt file into a new txt file (sasl.txt)
Code: [Select]
grep "SASL" jrn.txt > sasl.txt
#Count and extract all the IPs from the previous txt file into a new txt file (ip-sasl.txt)
Code: [Select]
cat sasl.txt | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n | uniq -c | sort -n > ip-sasl.txt
#Remove the counting from the previous txt file into a new txt file (ip-csf.txt)
Code: [Select]
awk '{print $2}' ip-sasl.txt > ip-csf.txt
#Deny those IPs in CSF (Firewall)
Code: [Select]
for i in `cat ip-csf.txt`; do csf -d $i;done
#Restart CSF (Firewall)
Code: [Select]
csf -r
#Remove all the txt files
Code: [Select]
rm -f sasl.txt ip-sasl.txt jrn.txt ip-csf.txt

Works great from me. If you put all those lines into a script you can execute every 30 minutes or every hour through a cron job.
« Last Edit: November 18, 2018, 07:53:41 PM by AlexG »

Offline
**
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #2 on: November 28, 2018, 06:33:58 PM »
change csf.conf to permanently block after 2 failed login attempts and enable blocking for distributed failed login attempts

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #3 on: October 04, 2019, 07:38:37 PM »
Glenn, what should i modify?
change csf.conf to permanently block after 2 failed login attempts and enable blocking for distributed failed login attempts
thanks

Offline
**
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #4 on: October 05, 2019, 01:40:30 PM »
try this

#
  • Enable login failure detection of SMTP AUTH connections

LF_SMTPAUTH = "3"
LF_SMTPAUTH_PERM = "1"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "3"

# To disable set to "0"
LF_DISTSMTP = "1"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "0"

# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"