We use SASLAUTHD for SMTP authentication with sendmail. saslauthd failures log to /var/log/messages, but don't include the IP:
---
08:12:41 XXXX saslauthd[3686]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
---
But this corresponds to the following entry in /var/log/maillog:
---
May 8 08:12:41 XXXX sendmail[23216]: q48CCUdi023216: a.b.c [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
---
Would it be safe to block on the above maillog entry similar to a POP/IMAP block with a custom regex? Anyone have a quick regex for the above? Any drawbacks to blocking on this type of entry?
Thanks.
Rob
saslauthd dictionary attack on sendmail
Re: saslauthd dictionary attack on sendmail
I used a regex to look for multiple "did not issue MAIL/EXPN/VRFY/ETRN" when I used to use fail2ban. It works very well for sendmail where the IP address isn't recorded by saslauthd (see bugzilla.redhat.com/show_bug.cgi?id=683797, comments.gmane.org/gmane.comp.security.cyrus.sasl/7027).
I've done this, which is not quite SMTP authentication failure logging but should be close enough:
Add to regex.custom.pm:
# Match maillog lines for clients that connected but never issued MAIL/EXPN/VRFY/ETRN
# (CUSTOM1_LOG in csf.conf must point at /var/log/maillog)
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
    # description, offending IP ($4), unique id, trigger level, ports, temp block seconds
    return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","60");
}
but it doesn't seem to do anything.
I've checked the regexp (copied from regex.pm and modified) and it seems to match the lines OK.
which looks like it should work, but nothing seems to happen
Re: saslauthd dictionary attack on sendmail
Actually, it is working (it was my testing method that was suspect, it seems).
I've increased the block time to an hour now:
# Same rule as before, with the temporary block raised from 60 to 3600 seconds
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
    return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","3600");
}
Re: saslauthd dictionary attack on sendmail
This regex works great, thanks for posting it!
But can anyone tell me how to disable the mail alerts this produces for each hit?
Re: saslauthd dictionary attack on sendmail
I think this is controlled by:
LF_EMAIL_ALERT = "0"
in /etc/csf/csf.conf
Re: saslauthd dictionary attack on sendmail
Thank you so much, it worked perfect!
Re: saslauthd dictionary attack on sendmail
There are several slightly different entries generated in maillog for the sendmail saslauthd authentication failures.
This expression added to regex.custom.pm will quickly catch them. It will work with or without a match on "(may be forged)", MTA or MSA, and a host.domain in front of the IP address.
Adjust the trigger level and number of seconds to suit your setup, and don't forget to add a CUSTOMx_LOG to csf.conf.
#mysmtpunused
# Groups: 1 timestamp, 2 syslog host, 3 queue id, 4 host.domain, 5 client IP, 6 optional "(may be forged)"
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+) ?sendmail\[\d+\]: (\S+): (\S+) \[(\d+\.\d+\.\d+\.\d+)] ?(\(may be forged\))? did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to M(?:TA|SA)$/)) {
    # description, client IP ($5), unique id, trigger level 3, ports 25,587, temp block 3600 seconds
    return ("Unused SMTP connection from",$5,"mysmtpunused","3","25,587","3600");
}
Kudos to this site https://regex101.com/r/Mmzr0A/2 which helped me test the expression.
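As an added example (not csf's code and not either poster's), here is a Python rewrite of the regex.custom.pm patterns from this thread, with the host.domain before the bracketed IP made optional so that the line shape the first regex targets ([ip] with no reverse name) and the shapes the last one targets (host.domain [ip], with or without "(may be forged)", MTA or MSA) all match in one pattern. It also simulates csf's "trigger level within a time window" logic so you can see which IPs a rule would have blocked before enabling it. The sample maillog lines, the host name "mailhost", the queue ids and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed; the year given to the timestamp parser is an assumption, since traditional syslog timestamps carry none.

```python
"""Count 'did not issue MAIL/EXPN/VRFY/ETRN' maillog entries per client IP.

Added example for this thread; it is not csf's own code. The regex is a
rewrite of the thread's regex.custom.pm patterns with the host.domain token
made optional, and find_offenders() mimics csf's trigger-level-in-window rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamps ("May  8 08:12:41") carry no year; assumed here.
YEAR = 2012

# One pattern for the three line shapes discussed in the thread:
#   host.domain [ip] ... MTA
#   [ip] ... MTA                          (no reverse DNS name)
#   host.domain [ip] (may be forged) ... MSA
MAILLOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+\S+) (?P<syslog_host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\S+): (?:(?P<rdns>\S+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?: \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to M(?:TA|SA)$"
)

# Constructed sample lines (documentation-range IPs, invented queue ids).
SAMPLE_MAILLOG = """\
May  8 08:12:41 mailhost sendmail[23216]: q48CCUdi023216: a.b.c [203.0.113.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May  8 08:12:55 mailhost sendmail[23220]: q48CCtdi023220: [203.0.113.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May  8 08:13:02 mailhost sendmail[23231]: q48CD2di023231: mail.example.net [203.0.113.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
May  8 08:13:10 mailhost sendmail[23240]: q48CDAdi023240: from=<bob@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.5]
May  8 09:30:00 mailhost sendmail[24001]: q48DU0di024001: other.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def parse_line(line):
    """Return (timestamp, client_ip) for a matching line, else None."""
    m = MAILLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{m.group('ts')} {YEAR}", "%b %d %H:%M:%S %Y")
    return ts, m.group("ip")


def find_offenders(lines, trigger=3, window_seconds=3600):
    """Report IPs that reach `trigger` matching lines inside any
    `window_seconds` span, the way a csf trigger level works.
    Returns {ip: hits_in_window_when_triggered}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= trigger:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, hits in find_offenders(SAMPLE_MAILLOG.splitlines()).items():
        print(f"{ip}: {hits} unused SMTP connections within the window")
```

Run it against a copy of /var/log/maillog with the same trigger level and seconds you intend to put in the return() tuple; the printed list is what the rule would have blocked, which is a cheap way to spot legitimate monitoring probes or relays before they get locked out of ports 25 and 587.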