Hi,
I got this message in the logwatch sent to root:
Client quit before communicating: 222.183.141.253 : 1 Time(s)
**Unmatched Entries** [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)
What does it mean? How can I protect my server against SMTP attacks?
Thank you.
Olga
On Sat, 31.07.2004, at 20:26, Olga wrote:
> I got this message in the logwatch sent to root:
> Client quit before communicating: 222.183.141.253 : 1 Time(s)
> **Unmatched Entries** [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)
> What does it mean? How can I protect my server against SMTP attacks?
> Olga
It means someone from host 222.183.141.253 - which does not have to be the starting point but may be a transfer point of the "attack", meaning a hacked host from which the hacker acts, hiding his own personal station - tried to SMTP AUTH against your Sendmail and failed. He made 6 tries. It might be harmless if it was one of your users who forgot his username/password combination. Grep your maillog to see more details.
What to do against it? Not much, unfortunately. Be sure your users only use secure passwords, not trivial dictionary things. If you encounter such attacks more often you might set up an automatic log-observing tool like swatch which instantly warns you, e.g. by mail, if someone starts trying to hack. Or you automatically block the attacking host using iptables. This could be done in combination with a tool like swatch, too, or by your own script run by cron every few minutes.
Alexander
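The "grep your maillog" and "own script run by cron" suggestions above, worked out as an added example (not code from the thread or from Sendmail): it tallies failed SMTP AUTH attempts per client address from sendmail syslog lines and prints, without running, the iptables rule that would drop further SMTP connections from any address over a threshold. The log lines are constructed for the example (the address from the thread plus a documentation-range placeholder); the threshold of 5 and the rule format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: count failed SMTP AUTH attempts per
# client address in a sendmail maillog and print the firewall rule that a cron
# job or a swatch action could apply after review.

# Constructed sample maillog lines (not a real log). 222.183.141.253 is the
# address from the thread; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_LOG=$(cat <<'EOF'
Jul 31 19:55:01 mail sendmail[4711]: NOQUEUE: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 19:55:03 mail sendmail[4711]: i6VHt1Kq004711: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[222.183.141.253]
Jul 31 19:55:09 mail sendmail[4712]: i6VHt9Kq004712: from=<user@example.com>, size=512, class=0, nrcpts=1, relay=[192.0.2.10]
Jul 31 19:56:00 mail sendmail[4713]: i6VHu0Kq004713: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
EOF
)

# auth_failures_per_ip: read syslog lines on stdin, print "<ip> <failures>"
# per client, most failures first. A "possible SMTP attack ... count=N" line
# contributes N (sendmail's own tally); each "AUTH failure" line contributes 1.
auth_failures_per_ip() {
    awk '
        function ip_of(line) {
            if (match(line, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                return substr(line, RSTART + 1, RLENGTH - 2)
            return ""
        }
        /possible SMTP attack: command=AUTH, count=[0-9]+/ {
            ip = ip_of($0)
            n = $0; sub(/.*count=/, "", n)
            if (ip != "") fails[ip] += n + 0
        }
        /AUTH failure/ {
            ip = ip_of($0)
            if (ip != "") fails[ip] += 1
        }
        END { for (ip in fails) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# offenders THRESHOLD: addresses with at least THRESHOLD failures (stdin = log)
offenders() {
    auth_failures_per_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# block_rule_for IP: print, without running it, the iptables rule that drops
# further SMTP connections from IP. Let the cron job or swatch action run it
# only once you have decided the address is not one of your own users.
block_rule_for() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Stand-alone run on the constructed sample: report any host with 5+ failures.
printf '%s\n' "$SAMPLE_LOG" | offenders 5 | while read -r ip; do
    block_rule_for "$ip"
done
```

On a real system, replace the sample with `grep sendmail /var/log/maillog | offenders 5`; the sendmail "possible SMTP attack" line already carries the server's own count, which is why the script adds that number rather than counting the line once.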
Olga wrote:
> Hi,
> I got this message in the logwatch sent to root:
> Client quit before communicating: 222.183.141.253 : 1 Time(s)
> **Unmatched Entries** [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)
> What does it mean? How can I protect my server against SMTP attacks?
> Thank you.
> Olga
Besides firewalling this IP, nothing much... Don't know what kind of attack it is, but maybe limiting AUTH to secure channels can stop it (if the attacker doesn't have tools that support TLS). In Postfix you have the option to only allow the use of the AUTH command if TLS is being used. Don't know if Sendmail can do the same thing though... The only downside (which isn't in fact a downside) is that your users will have to use TLS, but this way you gain in terms of security... They'll have a bit of a headache if your certificates are self-signed, but that's easy to overcome...
-- Pedro Macedo
On Sat, 31.07.2004, at 20:59, Pedro Fernandes Macedo wrote:
> Besides firewalling this IP, nothing much... Don't know what kind of attack it is, but maybe limiting AUTH to secure channels can stop it (if the attacker doesn't have tools that support TLS). In Postfix you have the option to only allow the use of the AUTH command if TLS is being used. Don't know if Sendmail can do the same thing though...
Of course Sendmail can be configured the same way. The sendmail.mc coming with Fedora is already prepared so that this setting can easily be activated.
> The only downside (which isn't in fact a downside) is that your users will have to use TLS, but this way you gain in terms of security... They'll have a bit of a headache if your certificates are self-signed, but that's easy to overcome...
You just have to give the users your cacert file to let it be imported as a valid and trusted CA.
That said, it will not stop stupid or even cleverer SMTP AUTH attacks.
> Pedro Macedo
Alexander
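The "AUTH only over TLS" setting that Pedro describes for Postfix and Alexander confirms for Sendmail, as an added example (not code from the thread, Postfix or Sendmail): the weak and the hardened Postfix `main.cf` excerpt side by side, the matching `sendmail.mc` line, and a small check that reads either file and reports whether plaintext AUTH is still offered on unencrypted connections. The configuration excerpts are constructed for the example; `smtpd_tls_auth_only` is the real Postfix parameter, and the `p` flag in `confAUTH_OPTIONS` is the real Sendmail option that refuses PLAIN/LOGIN without a security layer. The helper and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix/Sendmail: show the
# weak and the hardened setting for offering SMTP AUTH only over TLS, and a
# check that reads a main.cf or sendmail.mc and reports which one is in force.

# Constructed Postfix main.cf excerpts. smtpd_tls_auth_only is the Postfix
# parameter that restricts AUTH to TLS sessions; it defaults to "no".
WEAK_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no'

HARDENED_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes'

# Constructed sendmail.mc excerpts. The confAUTH_OPTIONS "p" flag refuses
# PLAIN/LOGIN unless a security layer (TLS) is active; Fedora's sendmail.mc
# ships the line commented out with dnl, so activating it is a one-line change.
SENDMAIL_MC_WEAK=$(cat <<'EOF'
dnl define(`confAUTH_OPTIONS', `A p')dnl
EOF
)
SENDMAIL_MC_HARDENED=$(cat <<'EOF'
define(`confAUTH_OPTIONS', `A p')dnl
EOF
)

# postfix_setting NAME: print the effective value of NAME from a main.cf on
# stdin (comments and blank lines ignored, last assignment wins as in Postfix).
postfix_setting() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $0; sub(/[[:space:]]*=.*/, "", key)
            if (key == name) { val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); last = val }
        }
        END { print last }'
}

# postfix_plaintext_auth_exposed: exit 0 when the main.cf on stdin enables
# SASL AUTH without restricting it to TLS sessions, 1 otherwise.
postfix_plaintext_auth_exposed() {
    cf=$(cat)
    sasl=$(printf '%s\n' "$cf" | postfix_setting smtpd_sasl_auth_enable)
    tls_only=$(printf '%s\n' "$cf" | postfix_setting smtpd_tls_auth_only)
    [ "$sasl" = "yes" ] && [ "$tls_only" != "yes" ]
}

# sendmail_requires_tls_for_auth: exit 0 when the sendmail.mc on stdin has an
# active (not dnl-commented) confAUTH_OPTIONS line whose flag string holds "p".
# The two "." in the pattern stand for the m4 quote characters.
sendmail_requires_tls_for_auth() {
    grep -v '^[[:space:]]*dnl' | grep -q 'confAUTH_OPTIONS.,[[:space:]]*.[^)]*p[^)]*)'
}

# report LABEL CONFIG-TEXT: one line saying what the Postfix excerpt permits.
report() {
    if printf '%s\n' "$2" | postfix_plaintext_auth_exposed; then
        echo "$1: AUTH PLAIN/LOGIN offered on unencrypted connections"
    else
        echo "$1: AUTH only after STARTTLS"
    fi
}

# Stand-alone run over the constructed excerpts.
report weak "$WEAK_MAIN_CF"
report hardened "$HARDENED_MAIN_CF"
```

Against a live system, feed `/etc/postfix/main.cf` or `/etc/mail/sendmail.mc` to the matching function on stdin; as Alexander notes, the setting only removes cleartext credentials from the wire, it does not stop guessing over TLS, so it belongs alongside the log monitoring rather than in place of it.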