Author Topic: LOT OF HACKING ATTEMPT LF_SMTPAUTH SASL LOGIN authentication failed  (Read 699 times)


Dear CWP,

We have been getting a lot of attacks over the past month. All attempts are from different countries, some of them from the same country, and we have blocked some countries in CC_DENY (CN,RU,BG,RU,BR,TR,LT,NL,TR,RO,IE,US), but some of our customers from the CC_DENY list were not able to access their websites. In the past month these attacks were very few, but in the past day they have increased. As it is not possible to block all countries, you may need to tell us or implement a solution to block this type of attack on SMTP. Below I have added some of them with details; please go through them and tell us a solution. Also, we are not able to find out which user account they were trying to log in to.

Latest:
Time:     Wed Jun 10 19:28:38 2020 +0530
IP:       193.56.28.176 (GB/United Kingdom/-)
Failures: 3 (smtpauth)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SMTPAUTH]

Log entries:

Jun 10 19:28:10 cbwh postfix/smtpd[26746]: warning: unknown[193.56.28.176]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 19:28:23 cbwh postfix/smtpd[26746]: warning: unknown[193.56.28.176]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 19:28:38 cbwh postfix/smtpd[26746]: warning: unknown[193.56.28.176]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Other

Jun 10 18:23:02 cbwh postfix/smtpd[21826]: warning: gw70.coldimport.com.pe[209.45.62.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 18:23:02 cbwh postfix/smtpd[21826]: warning: gw70.coldimport.com.pe[209.45.62.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 18:23:02 cbwh postfix/smtpd[21826]: warning: gw70.coldimport.com.pe[209.45.62.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 12:50:00 cbwh postfix/smtpd[14837]: warning: unknown[141.98.80.152]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 09:06:22 cbwh postfix/smtpd[17322]: warning: unknown[59.55.36.129]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 12:29:46 cbwh postfix/smtpd[12248]: warning: unknown[37.49.230.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 10 12:29:46 cbwh postfix/smtpd[12248]: warning: unknown[37.49.230.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 18:31:19 cbwh postfix/smtpd[28740]: warning: unknown[5.249.164.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  9 13:21:14 cbwh postfix/smtpd[27667]: warning: unknown[103.139.44.210]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Continuous attack with different IPs

Failures: 6 (smtpauth)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SMTPAUTH]

Jun  8 23:07:43 cbwh postfix/smtpd[4946]: warning: unknown[46.38.145.247]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 23:08:01 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.251]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 23:06:20 cbwh postfix/smtpd[4946]: warning: unknown[46.38.145.252]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 23:04:20 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 23:04:20 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 22:57:40 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.6]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 22:57:44 cbwh postfix/smtpd[4558]: warning: unknown[46.38.145.249]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 22:56:48 cbwh postfix/smtpd[4558]: warning: unknown[46.38.145.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 22:51:43 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.4]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  8 22:50:24 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
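Two things the log lines above can tell you that the CSF alert does not: what the base64 token at the end of each line is, and that the last batch is one /24 rotating through addresses so that no single IP accumulates many failures. This is an added example, not code from the post or from CWP/CSF; it parses a few of the quoted lines (embedded here as constructed sample input) and the subnet thresholds are assumed values.

```python
import base64
import re
from collections import Counter, defaultdict
from ipaddress import ip_network
# Constructed sample input, copied from the log lines quoted in the post above.
SAMPLE_LOG = [
    "Jun 10 19:28:10 cbwh postfix/smtpd[26746]: warning: unknown[193.56.28.176]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 23:07:43 cbwh postfix/smtpd[4946]: warning: unknown[46.38.145.247]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 23:08:01 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.251]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 23:06:20 cbwh postfix/smtpd[4946]: warning: unknown[46.38.145.252]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 23:04:20 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 23:04:20 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.253]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  8 22:57:40 cbwh postfix/smtpd[3963]: warning: unknown[46.38.145.6]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]
# Postfix smtpd warning format: "<host>[<ip>]: SASL <mech> authentication failed: <base64>".
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed: (?P<token>\S+)$"
)

def parse_sasl_failures(lines):
    """One dict per matching line; 'challenge' is the decoded token Postfix logged."""
    events = []
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Postfix logs the last SASL challenge it *sent*, base64-encoded. For LOGIN that is
        # the server's "Password:" prompt, which is why the attempted username is not shown.
        try:
            ev["challenge"] = base64.b64decode(ev["token"], validate=True).decode("ascii", "replace")
        except ValueError:
            ev["challenge"] = None
        events.append(ev)
    return events

def failures_by_subnet(events, prefix=24):
    """Count failures per IP and group them per /prefix network."""
    per_ip = Counter(ev["ip"] for ev in events)
    per_net = defaultdict(Counter)
    for ip, n in per_ip.items():
        per_net[str(ip_network(f"{ip}/{prefix}", strict=False))][ip] += n
    return per_ip, per_net

def rotating_subnets(per_net, min_failures=6, min_ips=3):
    """Networks whose total crosses the limit while no single IP does (per-IP counters miss these)."""
    return {net: (sum(c.values()), len(c)) for net, c in per_net.items()
            if sum(c.values()) >= min_failures and len(c) >= min_ips and max(c.values()) < min_failures}
```

Run against a real /var/log/maillog the same way (`parse_sasl_failures(open(path))`); a flagged network is a candidate for a CIDR deny rather than waiting for each address to hit the per-IP limit on its own.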


Re: LOT OF HACKING ATTEMPT LF_SMTPAUTH SASL LOGIN authentication failed
« Reply #1 on: June 15, 2020, 04:33:51 PM »
Does anyone have any idea how to block some countries like China, Iran, etc.? I am getting continuous attacks now.