possible SMTP attack

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Jul 31 18:52:07 UTC 2004


On Sat, 31.07.2004, at 20:26, Olga wrote:

> I got this message in the logwatch sent to root:

> Client quit before communicating:
>     222.183.141.253 : 1 Time(s)
> 
> **Unmatched Entries**
>    [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)

> What does it mean? How can I protect my server against SMTP attacks?

> Olga

It means someone from host 222.183.141.253 - which does not have to be the
starting point but may be a transfer point of the "attack", meaning a hacked
host from which the hacker acts while hiding his own personal station - tried
SMTP AUTH against your Sendmail and failed. He made 6 tries. It might be
harmless if it was one of your users who forgot his username/password
combination. Grep your maillog to see more details.

What to do against it? Not much, unfortunately. Be sure your users only
use secure passwords, not trivial dictionary words. If you encounter
such attacks more often you might set up an automatic log observing tool
like swatch which instantly warns you, e.g. by mail, if someone starts
trying to hack. Or you automatically block the attacking host using
iptables. This could also be done in combination with a tool like swatch
or by a script of your own run by cron every few minutes.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 20:44:35 up 2:09, 8 users, 0.32, 0.31, 0.32 
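As an added illustration of the cron-driven script Alexander mentions (this is example code, not part of the original thread or of Sendmail/swatch): it greps constructed sample maillog lines for Sendmail's "possible SMTP attack" message, tallies the per-host failure count, and emits iptables rules for hosts above a threshold. The sample log lines, the threshold of 5, and the allowlist idea (so a forgetful local user is not locked out, which is the harmless case Alexander points out) are all assumptions made for this example. The rules are returned as strings rather than executed, so an operator can review them before applying.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not from the original post). The
# attack lines mirror the message quoted in Olga's logwatch report; the
# 192.0.2.77 address is a documentation-range placeholder.
SAMPLE_MAILLOG = """\
Jul 31 20:01:12 mx sendmail[4101]: NOQUEUE: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 20:02:40 mx sendmail[4122]: i6VI2eXY004122: from=<olga@example.org>, size=812, class=0, nrcpts=1
Jul 31 20:05:31 mx sendmail[4130]: NOQUEUE: [222.183.141.253]: possible SMTP attack: command=AUTH, count=12
Jul 31 20:07:02 mx sendmail[4140]: NOQUEUE: [192.0.2.77]: possible SMTP attack: command=AUTH, count=3
"""

# Matches the bracketed client address, the offending command and the
# running failure count Sendmail reports for that client.
ATTACK_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: possible SMTP attack: "
    r"command=(?P<cmd>\w+), count=(?P<n>\d+)"
)


def parse_attacks(maillog_text):
    """Return {ip: (events, max_count)}: how many attack lines each host
    produced and the highest failure count Sendmail logged for it."""
    stats = defaultdict(lambda: [0, 0])
    for line in maillog_text.splitlines():
        m = ATTACK_RE.search(line)
        if not m:
            continue  # ordinary delivery lines are ignored
        ip, n = m.group("ip"), int(m.group("n"))
        stats[ip][0] += 1
        stats[ip][1] = max(stats[ip][1], n)
    return {ip: tuple(v) for ip, v in stats.items()}


def hosts_to_block(stats, threshold=5, allowlist=frozenset()):
    """Hosts whose worst failure count reached the threshold, minus any
    address the operator has allowlisted (own office, VPN range, etc.).
    Threshold and allowlist are assumptions for this example."""
    return sorted(
        ip for ip, (_events, max_count) in stats.items()
        if max_count >= threshold and ip not in allowlist
    )


def iptables_rules(ips):
    """Render one DROP rule per host for the SMTP port. The rules are
    returned, not executed, so they can be reviewed (or logged) first."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    # In a real cron job, read /var/log/maillog instead of the sample text.
    found = parse_attacks(SAMPLE_MAILLOG)
    for ip, (events, worst) in sorted(found.items()):
        print(f"{ip}: {events} attack line(s), worst count={worst}")
    for rule in iptables_rules(hosts_to_block(found)):
        print(rule)
```

A cron entry running this every few minutes would want to remember which hosts it has already blocked (a state file or `iptables -C` check) so the same rule is not inserted repeatedly, and to expire blocks after a while; both are left out here to keep the parsing and threshold logic in view.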

