Author Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.  (Read 2163 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« on: June 29, 2023, 09:06:07 AM »
Code: [Select]
Jun 29 11:55:41 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:55:48 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:55:49 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:56:00 mailserver postfix/smtpd[10595]: connect from unknown[80.94.95.184]
Jun 29 11:56:07 mailserver postfix/smtpd[10595]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:56:08 mailserver postfix/smtpd[10595]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:56:19 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:56:26 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:56:26 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:56:38 mailserver postfix/smtpd[10595]: connect from unknown[80.94.95.184]
Jun 29 11:56:45 mailserver postfix/smtpd[10595]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:56:45 mailserver postfix/smtpd[10595]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:56:57 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:57:04 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:57:04 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:57:17 mailserver postfix/smtpd[10595]: connect from unknown[80.94.95.184]
Jun 29 11:57:23 mailserver postfix/smtpd[10595]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:57:23 mailserver postfix/smtpd[10595]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:57:36 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:57:42 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:57:43 mailserver postfix/smtpd[10595]: connect from unknown[141.98.10.26]
Jun 29 11:57:43 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:57:46 mailserver postfix/anvil[1724]: statistics: max connection rate 40/3600s for (smtp:80.94.95.184) at Jun 29 11:57:36
Jun 29 11:57:46 mailserver postfix/anvil[1724]: statistics: max connection count 1 for (smtp:80.94.95.184) at Jun 29 11:47:59
Jun 29 11:57:48 mailserver postfix/smtpd[10595]: warning: unknown[141.98.10.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:57:48 mailserver postfix/smtpd[10595]: disconnect from unknown[141.98.10.26] ehlo=1 auth=0/1 quit=1 commands=2/3
Jun 29 11:57:55 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:57:59 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:58:00 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:58:14 mailserver postfix/smtpd[10595]: connect from unknown[80.94.95.184]
Jun 29 11:58:20 mailserver postfix/smtpd[10595]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:58:20 mailserver postfix/smtpd[10595]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:58:33 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:58:37 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:58:37 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:58:52 mailserver postfix/smtpd[10595]: connect from unknown[80.94.95.184]
Jun 29 11:58:58 mailserver postfix/smtpd[10595]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:58:58 mailserver postfix/smtpd[10595]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 29 11:59:11 mailserver postfix/smtpd[9106]: connect from unknown[80.94.95.184]
Jun 29 11:59:18 mailserver postfix/smtpd[9106]: warning: unknown[80.94.95.184]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 29 11:59:19 mailserver postfix/smtpd[9106]: disconnect from unknown[80.94.95.184] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

CWP panel screenshot firewall https://i.ibb.co/gj8L2Fq/mails.png

Hello,

I've looked at the same threads on the forum. But my problem is this. If you pay attention to the logs, the same IP is always trying to establish a connection. Firewall active, banned in csf.conf in 2 attempts. But it doesn't ban, where am I going wrong

Offline
****
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #1 on: June 29, 2023, 01:56:50 PM »
You will find that banning after 2 attempts will lock out your own customers who enter their password incorrectly and then the client auto-retries periodically. In my CSF config, I have a much higher threshold for POP, IMAP, and SMTP AUTH failures -- 10 or 25. Especially given the default checking frequency (5 mins) for Thunderbird, I have had numerous clients lock themselves out with firewall bans in just the space of an hour or less. Now I have to unblock clients far less frequently with a higher threshold.

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #2 on: June 29, 2023, 06:43:03 PM »

http://forum.centos-webpanel.com/index.php?topic=3329.msg11702#msg11702
 I applied the following codes and it started working..

I applied the following codes and it started working.

But what I want to ask now is that it temporarily blocks it. How can we do it to be automatically added into Blacklist configuration

Offline
****
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #3 on: June 30, 2023, 04:41:25 AM »
Take a look at country code blocking. I block the 5 biggest spam sending sources -- none of my clients do business with these countries: RU, CN, KP, NG, {Bulgaria, Poland, Brazil have also been big culprits on my servers, but it tends to come in waves}. There is a case to allow for China due to Alibaba allowing direct vendor contact with potential customers -- if that's something your clients engage in.

The IP in your example resolves to GB, so that may be from a botnet or it may be a legit hacking attempt from GB, which I have seen on my servers. I just can't block a huge swath of Europe, due to my clients communicating with people there and potential site visitors from there.

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #4 on: June 30, 2023, 09:00:45 AM »
Take a look at country code blocking. I block the 5 biggest spam sending sources -- none of my clients do business with these countries: RU, CN, KP, NG, {Bulgaria, Poland, Brazil have also been big culprits on my servers, but it tends to come in waves}. There is a case to allow for China due to Alibaba allowing direct vendor contact with potential customers -- if that's something your clients engage in.

The IP in your example resolves to GB, so that may be from a botnet or it may be a legit hacking attempt from GB, which I have seen on my servers. I just can't block a huge swath of Europe, due to my clients communicating with people there and potential site visitors from there.


Could you share your multi-country blocking code? I guess it will be added in main.cf or master.cf?

Offline
****
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #5 on: June 30, 2023, 01:30:31 PM »
This is done vis CSF, not directly in postfix. In /etc/csf/csf.conf
Code: [Select]
CC_DENY = "CN,KP,RU,NG"To increase the LFD lockout limits on IMAP, POP, and SMTP:
Code: [Select]
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "20"
LF_SMTPAUTH_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "25"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "25"
LF_IMAPD_PERM = "1"

And you were looking for this directive for permanent blocking:
Code: [Select]
###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK  to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

Also consider setting up postscreen for postfix, as it will help "screen" your SMTP connections and stop junk connections right at the gate:
https://www.awsmonster.com/how-to-secure-postfixdovecot-on-cwp

And while you're there, do a little more light reading:
https://www.awsmonster.com/postfix-tuning-guide

Offline
*
Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6 hk.
« Reply #6 on: July 01, 2023, 06:52:40 AM »
Thank you very much for the help. This country blocking is beautiful. But there is a problem. When I block US, mails sent from gmail do not come. What do you do for such situations?

Offline
****
How to Whitelist a hostname in CSF
« Reply #7 on: July 03, 2023, 03:04:40 AM »
You may find it necessary to whitelist a hostname as opposed to an IP address in CSF. CSF has a file specifically for allowing hostnames called "csf.dyndns". Fully Qualified Domain Names (FQDN) are checked at a configurable interval of seconds, to poll for a change in the IP address.

To whitelist a hostname:
1) Open/create the file "/etc/csf/csf.dyndns" and add the hostname.
2) Open the file "/etc/csf/csf.conf" and set: DYNDNS = "1800" (which would check for IP updates every 30 minutes).
Note: If you want the activity of the IP also ignored, set DYNDNS_IGNORE = "1"
3) Restart the firewall (csf -r)

The hostnames in csf.dyndns will automatically be allowed and the rules will refresh every 30 minutes.