Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
figure out how to log the IP addresses for this attack.

The system is saslauthd running as a service... sendmail and dovecot 
setup. I have log levels in sendmail set to 14. Something has to be able 
to log the offender(s).

Any ideas what I'm missing or where to look?


Lincoln Zuljewic Silva wrote:
> I suppose that you are using SMTP authentication with SASL.
> From the log "service=smtp", in fact, the attack is coming from
> the SMTP server and not directly to the SASL.
> I guess that someone is trying to do a brute force attack on the SMTP server.
> Regards
> Lincoln
> On Wed, Feb 10, 2010 at 6:08 PM, John Hinton <> wrote:
>> I'm seeing a lot of activity over the last two days with what looks to
>> be a kiddie script. Mostly trying to access several of our servers with
>> the username anna. All failed... in fact I don't think we have a user
>> anna on any of our servers. Meanwhile...
>> I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
>> running fail2ban on some and Ossec on others. So far, no blocking is
>> being done. When I look at the logs all I find is under messages and
>> here is a sample:
>> Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure:
>> [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
>> So, I can't write a rule to block this attack as I can't find any IP
>> address to block. I've looked and googled til my eyes are red and can't
>> find where to set logging in saslauthd or wherever it needs to be set
>> to record the IP address generating these failures. Does anyone have an
>> idea?
>> Also, some may wish to do a grep 'do_auth' on messages to see if this is
>> happening to you. They sometimes come in rapid succession.
>> John Hinton
>> _______________________________________________
>> CentOS mailing list
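
An added example, not part of the original thread: a small parser for the saslauthd "do_auth" failure lines quoted above that flags bursts of failures per host, service and user. These lines carry no client address, so the grouping key is an assumption of this sketch, as are the function names, the 10-second window, the threshold of 3 and the year 2010 (syslog timestamps omit the year).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input: the entries quoted in the thread, rejoined onto single lines.
SAMPLE = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""

# Syslog prefix, then the bracketed key=value fields of a do_auth failure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) saslauthd\[\d+\]: "
    r"do_auth\s*: auth failure: (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_failures(text, year=2010):
    """Yield (timestamp, host, fields) for each saslauthd auth failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a do_auth failure entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], dict(FIELD_RE.findall(m["fields"]))

def find_bursts(events, threshold=3, window=timedelta(seconds=10)):
    """Map (host, service, user) to (first, last, count) of its largest burst."""
    recent, bursts = defaultdict(deque), {}
    for ts, host, f in sorted(events, key=lambda e: e[0]):
        key = (host, f.get("service"), f.get("user"))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > bursts.get(key, (None, None, 0))[2]:
            bursts[key] = (q[0], ts, len(q))
    return bursts

if __name__ == "__main__":
    for key, (first, last, n) in find_bursts(parse_failures(SAMPLE)).items():
        print(key, first, last, n)
```

The burst start and end times it reports can be compared against entries from the same seconds in the mail server's own log.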
