For about a year now, we have been seeing ever-increasing auth failures in our log file and wonder if you could give us some hints on how to track this down to an IP address or somehow block it.
Dec 2 06:52:14 gto saslauthd[1311]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 06:52:18 gto saslauthd[1310]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 06:52:20 gto saslauthd[1310]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 06:52:20 gto saslauthd[1310]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 06:53:13 gto saslauthd[1312]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 06:53:15 gto saslauthd[1312]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 06:53:15 gto saslauthd[1312]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 06:59:45 gto saslauthd[1312]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 06:59:47 gto saslauthd[1312]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 06:59:47 gto saslauthd[1312]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 06:59:48 gto saslauthd[1315]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 06:59:50 gto saslauthd[1315]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 06:59:50 gto saslauthd[1315]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:12:06 gto saslauthd[1314]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:12:08 gto saslauthd[1314]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:12:08 gto saslauthd[1314]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:12:11 gto saslauthd[1315]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:12:13 gto saslauthd[1315]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:12:13 gto saslauthd[1315]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:13:03 gto saslauthd[1314]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:13:05 gto saslauthd[1314]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:13:05 gto saslauthd[1314]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:14:45 gto saslauthd[1315]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:14:47 gto saslauthd[1315]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:14:47 gto saslauthd[1315]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:14:48 gto saslauthd[1314]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:14:50 gto saslauthd[1314]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:14:50 gto saslauthd[1314]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:17:22 gto saslauthd[1315]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:17:24 gto saslauthd[1315]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 2 07:17:24 gto saslauthd[1315]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 2 07:17:29 gto saslauthd[1314]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 2 07:17:31 gto saslauthd[1314]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Thanks for any advice you can give. Jeff
Comments
Submitted by andreychek on Sun, 12/02/2012 - 15:37 Comment #1
Howdy -- if the "rhost" listed there doesn't contain an IP address, you could match the timestamps seen in /var/log/auth.log to connect entries in /var/log/mail.log. The entries in /var/log/mail.log should contain an IP, which would allow you to block those IP addresses.
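The timestamp matching described in the comment above, as an added example that is not part of the thread: it pulls saslauthd do_auth failures out of auth.log lines, pulls smtpd "connect from" entries out of mail.log lines, and counts failures per client IP. The Postfix connect-line format, the 10-second window and the sample log lines are assumptions (the thread names no MTA).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not the poster's logs): saslauthd failures as in the thread and
# Postfix smtpd "connect from" lines (Postfix is an assumption; the thread names no MTA).
AUTH_LOG = """\
Dec  2 06:52:14 gto saslauthd[1311]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec  2 06:52:20 gto saslauthd[1310]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec  2 06:53:15 gto saslauthd[1312]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec  2 06:59:47 gto saslauthd[1312]: do_auth : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
""".splitlines()
MAIL_LOG = """\
Dec  2 06:52:12 gto postfix/smtpd[2201]: connect from unknown[203.0.113.45]
Dec  2 06:52:18 gto postfix/smtpd[2203]: connect from unknown[203.0.113.45]
Dec  2 06:53:13 gto postfix/smtpd[2204]: connect from unknown[198.51.100.7]
Dec  2 06:55:00 gto postfix/smtpd[2205]: connect from mail.example.net[192.0.2.10]
""".splitlines()

FAIL_RE = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\]")
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from [^\[\s]*\[(?P<ip>[0-9A-Fa-f.:]+)\]")

def syslog_time(line):
    """Parse the 'Mon  D HH:MM:SS' prefix; syslog omits the year, so all lines are
    assumed to fall in one year (a Dec->Jan rollover would need extra handling)."""
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")

def extract(lines, regex, group):
    """Return [(time, captured group)] for every line the regex matches, sorted by time."""
    hits = []
    for line in lines:
        m = regex.search(line)
        if m:
            hits.append((syslog_time(line), m.group(group)))
    return sorted(hits)

def correlate(auth_lines, mail_lines, window_seconds=10):
    """Attribute each saslauthd failure to the newest 'connect from' logged at most
    window_seconds before it. Returns (Counter of failures per client IP, unmatched count)."""
    conns = extract(mail_lines, CONNECT_RE, "ip")
    per_ip, unmatched = Counter(), 0
    for t_fail, _user in extract(auth_lines, FAIL_RE, "user"):
        recent = [ip for t_conn, ip in conns
                  if 0 <= (t_fail - t_conn).total_seconds() <= window_seconds]
        if recent:
            per_ip[recent[-1]] += 1   # conns is time-sorted, so the last hit is the newest
        else:
            unmatched += 1
    return per_ip, unmatched
```

With several sessions open at once the nearest connect entry is only a heuristic, so treat the counts as a lead to confirm against the full mail.log session before blocking. For the real files, call correlate(open('/var/log/auth.log'), open('/var/log/mail.log')).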