Author Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6  (Read 11066 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
SASL LOGIN authentication failed: UGFzc3dvcmQ6
« on: February 28, 2022, 02:29:00 AM »
maillog keeps recording the following errors, the maillog file has exceeded 50M, I found that 5.34.207.56 and 5.34.205.98 are located in Iran, obviously, my server is under attack
I tried to block these two IPs According to https://wiki.centos-webpanel.com/postfix-blacklist-domain-or-ip, I created sender_blacklist, and executed postmap /etc/postfix/sender_blacklist, but the maillog continues to recording these errors

How to fix it?

Feb 28 02:20:05 postfix/smtpd[19178]: connect from unknown[5.34.207.56]
Feb 28 02:20:05 postfix/smtpd[18173]: disconnect from unknown[5.34.207.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 28 02:20:06 postfix/smtpd[15770]: warning: unknown[5.34.205.98]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 28 02:20:06 postfix/smtpd[15770]: disconnect from unknown[5.34.205.98] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 28 02:20:08 postfix/smtpd[18548]: connect from unknown[5.34.205.98]
Feb 28 02:20:10 postfix/smtpd[18173]: connect from unknown[5.34.207.56]
Feb 28 02:20:11 postfix/smtpd[17156]: warning: unknown[5.34.207.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 28 02:20:11 postfix/smtpd[17156]: disconnect from unknown[5.34.207.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 28 02:20:14 postfix/smtpd[19184]: warning: unknown[5.34.207.56]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 28 02:20:14 postfix/smtpd[17156]: connect from unknown[5.34.207.56]
Feb 28 02:20:15 postfix/smtpd[19184]: disconnect from unknown[5.34.207.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 28 02:20:18 postfix/smtpd[19178]: warning: unknown[5.34.207.56]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 28 02:20:19 postfix/smtpd[19178]: disconnect from unknown[5.34.207.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 28 02:20:19 postfix/smtpd[19184]: connect from unknown[5.34.207.56]
Feb 28 02:20:23 postfix/smtpd[18173]: warning: unknown[5.34.207.56]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 28 02:20:24 postfix/smtpd[19178]: connect from unknown[5.34.207.56]
Feb 28 02:20:24 postfix/smtpd[18173]: disconnect from unknown[5.34.207.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

Offline
****
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #1 on: February 28, 2022, 03:50:31 AM »
Welcome to owning a server.   Use CSF firewall to block the two ip's.  Setup automatic blocks on 4-5 failed logins.
Google Hangouts:  rcschaff82@gmail.com

Offline
*
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
***
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #3 on: February 28, 2022, 11:43:04 PM »
Now that you know that this is what happens when owning a mail server, the next piece of information is that Fail2ban easily bans such attempts.
As an example, since Nov.2020 and until now, my server has banned around 350 IPs just for this specific attempt.

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #4 on: August 26, 2022, 12:58:47 AM »
Thank you very much @rcschaff,

Your suggestion very helpfull.
I am in this bad situation for months, lastly I found your best suggestion.
Thanks again.

Welcome to owning a server.   Use CSF firewall to block the two ip's.  Setup automatic blocks on 4-5 failed logins.

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6
« Reply #5 on: June 29, 2023, 01:18:01 PM »
Can you tell me how you applied it?


Thank you very much @rcschaff,

Your suggestion very helpfull.
I am in this bad situation for months, lastly I found your best suggestion.
Thanks again.

Welcome to owning a server.   Use CSF firewall to block the two ip's.  Setup automatic blocks on 4-5 failed logins.