SMTPAUTH attacks.

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

Hi,
I have seen recently a very high activity from hackers trying to hack smtp passwords accounts. I have set my firewall to block any of this type of activity and the list of IPs is growing, be careful.

Regards,
Sergio

scott · **Posted:** Fri Sep 25, 2009 8:31 am

ASL has rules for this currently

coolemail · **Posted:** Thu Jan 28, 2010 5:47 pm

I have a lot of smtp_auth failed password attempts from an IP in China.
Scott said in teh post above that there were rules which would stop this and block the IPs. Am I correct in that assumption? And if so, can I stop it?
Not sure if it could be linked but I am getting thousands of OSSEC messages in /var/log/httpd/error_log saying
child pid xxxxx exit signal Segmentation fault (11)

I think I may need mod_whatkilledus but I'm not sure how to install it, run the app and then interpret the results to see where the problem lies.

Can someone help please?

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

The segfault in the httpd log won't be related to email (unless they are trying to get in via webmail maybe?) - at least I don't think so.

I've not seen any element of ASL reporting or acting on multiple failed smtp (or FTP) attempts ... what part should do that?

coolemail · **Posted:** Fri Jan 29, 2010 4:09 am

Thanks faris,
Regarding the segfault, I'd love to know how I can try to find out what caused it.

On the maillog, I may be wrong but I read in http://www.atomicorp.com/forums/viewtop ... rute+force (first 2 posts) something which suggested to me that these IPs could be blocked. Maybe I misread that topic?

And below, Scott seemed to suggest that ASL has rules to block hackers trying to hack smtp passwords.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

I've just not seen these features at work, nor any config for them.

I use BFD (configured to use ASL to block, so that I can easily unblock via the ASL gui) but I don't really like it.

Scott/Mike .. what's the lowdown on this? Is there something in ASL acting on multiple auth failures? I'm pretty sure (but not absolutely sure) that ossec notifies me of multiple FTP failures, but I've never seen ASL block as a result. And never anything on smtp failures.

Faris.

scott · **Posted:** Fri Jan 29, 2010 9:23 am

Are you using plesk 9.3 by any chance? Looks like they changed the logging format enough to break the rules.

coolemail · **Posted:** Fri Jan 29, 2010 9:58 am

I'm using Plesk 9.2.3, with CentOS5 and ASL if that helps Scott

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

I'm not. I'm on 8.6.

I've gone back and had a look at the two most recent incidents. In both cases BFD detected the issue but there's nothing from ossec.

Faris.

SMTPAUTH attacks.

Who is online