Can anyone suggest a way to lower my log file explosion? I'm getting thousands of these in my log files. Literally, I got 116,352 mail server log entries night before last:
[code]
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).
System Events
=-=-=-=-=-=-=
Sep 3 14:03:07 dunn0 postfix/smtpd[31203]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31200]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31207]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31218]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:08 dunn0 saslauthd[2511]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:08 dunn0 saslauthd[2510]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:08 dunn0 postfix/smtpd[31209]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 saslauthd[2271]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 saslauthd[2513]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 saslauthd[2512]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 postfix/smtpd[31214]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31217]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31213]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31208]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31211]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 saslauthd[2511]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 saslauthd[2510]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 saslauthd[2271]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 postfix/smtpd[31207]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31218]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31214]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31216]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 postfix/smtpd[31215]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 postfix/smtpd[31206]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:11 dunn0 saslauthd[2513]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:11 dunn0 saslauthd[2511]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2510]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2271]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2512]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:11 dunn0 saslauthd[2513]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2512]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 postfix/smtpd[31208]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:11 dunn0 postfix/smtpd[31211]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:11 dunn0 postfix/smtpd[31212]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:11 dunn0 postfix/smtpd[31200]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
[/code]
Howdy,
Well, that's a fairly normal message... however, are you saying that all the messages are from that same IP address?
If so, you could always block that IP.
One way to do that is to block it via a firewall.
Or, you can do it from the Linux command line by blocking the route to that host like the following:
route add -host x.x.x.x reject
Where "x.x.x.x" is the IP address you wish to block.
-Eric
Hi jimdunn
I was also receiving thousands of messages like this until I installed and configured fail2ban. It took a bit of time to tweak it, but once I got it right it bans lots of this sort of thing.
If you are on a Ubuntu system you can install fail2ban with
apt-get install fail2ban
To find out more about fail2ban you can go to
http://www.fail2ban.org/wiki/index.php/Main_Page
Allan,
Did you happen to write any notes, or a howto, or a faq... with the list of "tweaks"???
Hi jimdunn
The short answer is no.
However, I have been meaning to, so I will, but it will take me a week or two to get around to it. In the meantime there are quite a few around the internet, and to get you started:
3 Open 'jail.local' and edit 'ignoreip =' to include your localhost IP and any internal network IPs you don't want to get banned.
When you have it running, read the jail.local file; it provides lots of info. Also feel free to ask here and I will try to help with as many questions as I can, but I am no expert, I am learning myself.
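An added example (not fail2ban's code and not Allan's own setup): a small Python sketch of the rule fail2ban applies to the lines in this thread, so you can see what the jail is actually doing before you tune it. It uses a failregex modelled on fail2ban's Postfix SASL filter, counts failures per client IP, bans a host once it reaches maxretry failures inside findtime, skips anything covered by ignoreip (the tweak from step 3 above), and also answers Eric's question of whether the noise all comes from one address. The five SASL failure lines are taken from the log excerpt at the top of the thread; the sixth codero line, the localhost and 10.0.0.5 lines, the year 2010 and the jail defaults are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Modelled on fail2ban's Postfix SASL failregex, with <HOST> as a named group.
# The thread's lines say "SASL login authentication failed", hence IGNORECASE.
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    re.IGNORECASE,
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2010):
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


class Jail:
    """One fail2ban-style jail: maxretry failures inside findtime bans for bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600,
                 ignoreip=("127.0.0.0/8",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure timestamps inside findtime
        self.banned = {}                    # host -> ban expiry

    def ignored(self, host):
        addr = ip_address(host)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the host if this line triggers a new ban."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        host, ts = m.group("host"), parse_ts(line)
        if self.ignored(host):
            return None
        expiry = self.banned.get(host)
        if expiry is not None and ts < expiry:
            return None  # still banned; with a real firewall drop these lines would not appear
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            window.clear()
            return host
        return None


def run(lines, **jail_opts):
    """Feed lines through a jail; return (hosts banned, in order; failure count per host)."""
    jail = Jail(**jail_opts)
    counts = Counter()
    bans = []
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
        host = jail.feed(line)
        if host:
            bans.append(host)
    return bans, counts


# Constructed sample: one non-matching saslauthd line, five SASL failures copied from the
# thread's excerpt plus a constructed sixth, two from localhost (whitelisted by ignoreip)
# and two from 10.0.0.5 (below maxretry).
SAMPLE_LINES = [
    "Sep 3 14:03:09 dunn0 saslauthd[2271]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
    "Sep 3 14:03:10 dunn0 postfix/smtpd[31207]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:10 dunn0 postfix/smtpd[31218]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:10 dunn0 postfix/smtpd[31214]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:11 dunn0 postfix/smtpd[31208]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:11 dunn0 postfix/smtpd[31211]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:12 dunn0 postfix/smtpd[31220]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure",
    "Sep 3 14:04:00 dunn0 postfix/smtpd[31230]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure",
    "Sep 3 14:04:01 dunn0 postfix/smtpd[31231]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure",
    "Sep 3 14:05:00 dunn0 postfix/smtpd[31240]: warning: unknown[10.0.0.5]: SASL PLAIN authentication failed: authentication failure",
    "Sep 3 14:05:30 dunn0 postfix/smtpd[31241]: warning: unknown[10.0.0.5]: SASL PLAIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    bans, counts = run(SAMPLE_LINES)
    for host, n in counts.most_common():
        print(f"{host}: {n} SASL failures{' -> banned' if host in bans else ''}")
```

On this sample only 216.55.179.145 crosses maxretry; the two localhost failures never count because of ignoreip, and 10.0.0.5 stays under the threshold. Lowering maxretry or raising findtime is the same tuning you do in jail.local, and this is the knob that decides how much of that nightly noise turns into a single ban line instead of hundreds of warnings.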
CSF/LFD (the alternative to fail2ban) has pre-configured rules to block dictionary attacks on Postfix and Dovecot (among lots of other things).
Hey AllanIT,
Thanks for all the fail2ban info; since we last spoke, Locutas turned me on to CSF/LFD... and WOW is it ever!!!
(quick HOWTO for CSF/LFD FIREWALL install)
# apt-get install libgd-graph-perl
# mkdir /root/work/firewall
# cd /root/work/firewall
# rm -f csf.tgz
# wget http://www.configserver.com/free/csf.tgz
# tar -xvzf csf.tgz
# cd csf
# sh install.sh
# perl /usr/local/csf/bin/csftest.pl
# sh /usr/local/csf/bin/remove_apf_bfd.sh
Webmin -> Webmin -> Webmin Configuration -> Webmin Modules
[x] From local file
/usr/local/csf/csfwebmin.tgz
Install Module
# less /etc/csf/readme.txt
# vim /etc/csf/csf.conf
NOTE: DO NOT TURN TESTING MODE OFF AND RESTART CSF UNTIL YOU HAVE ADDED YOUR LOCALHOST IP AND YOUR REMOTE IP TO csf.allow OR YOU'LL GET LOCKED OUT FOR 3600 SECONDS... IN MY CASE, I NEEDED TO ADD THE VMWARE HOST-ONLY GATEWAY...
Webmin -> System -> ConfigServer Security & Firewall -> Quick Allow
or
Webmin -> System -> ConfigServer Security & Firewall -> Firewall Allow IPs
(forgot to say that CSF has a WEBMIN MODULE!!! : )