Suspicious entries in /var/log/messages

I have noticed lots of these entries in /var/log/messages today - there are hundreds of them. Is this some sort of brute force attack on my smtp server, and should I be concerned?

Jul 12 22:39:41 ns3 saslauthd[3135]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:39:45 ns3 saslauthd[3133]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:39:49 ns3 saslauthd[3136]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:39:55 ns3 saslauthd[3133]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:40:03 ns3 saslauthd[3136]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:40:11 ns3 saslauthd[3135]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:40:18 ns3 saslauthd[3136]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Jul 12 22:40:25 ns3 saslauthd[3135]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]


Comments

Howdy -- those appear to be automated tests of accounts on your server. They're trying to log in as the username "123456".

I wouldn't actually be too concerned about that though -- just having a server on the Internet means bots will be trying to break into your server.

I'd simply recommend not having easily guessable usernames and passwords. In the above case, you may want to verify that you don't have a username "123456" -- or if you do, that it has a good password.

To prevent bot attacks from being successful, I'd also recommend making sure the system updates on your server are current.

Thanks for the reply. I suspected that this might be some kind of automated bot-like process at work. The time between attempts is very consistent and I notice that the usernames are changing every now and then, such as [111111], [888888], [12345], [123456]. I guess they go for the obvious ones.

I'm going to see if Postfix has any additional settings that can be of help, such as this one:

smtpd_client_connection_rate_limit (0)

Apparently this limits the maximal number of connection attempts any client is allowed to make to this service per time unit.
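
An added example, not part of the original thread: a small Python triage script for the saslauthd failure lines shown above. It counts attempts per username, measures the spacing between attempts, and reports which guessed usernames are real accounts. The log lines carry no client address, so grouping is by username and time only; the `year` default, the `local_accounts` parameter and the last two sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# First three lines are from the thread; the last two are constructed,
# using usernames the poster says also appeared.
SAMPLE = """\
Jul 12 22:39:41 ns3 saslauthd[3135]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 12 22:39:45 ns3 saslauthd[3133]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 12 22:39:49 ns3 saslauthd[3136]: do_auth : auth failure: [user=123456] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 12 22:39:55 ns3 saslauthd[3133]: do_auth : auth failure: [user=111111] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 12 22:40:03 ns3 saslauthd[3136]: do_auth : auth failure: [user=888888] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+saslauthd\[\d+\]:\s+"
    r"do_auth\s*:\s*auth failure:\s*\[user=(?P<user>[^\]]*)\]\s*"
    r"\[service=(?P<service>[^\]]*)\]"
)

def parse_failures(text, year=2000):
    """Return sorted (timestamp, user, service) tuples for auth failure lines.

    Syslog timestamps have no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a saslauthd auth failure line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["service"]))
    return sorted(events)

def summarize(events, local_accounts=frozenset()):
    """Count failures per username, measure spacing, flag real accounts."""
    per_user = Counter(user for _, user, _ in events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "total": len(events),
        "per_user": dict(per_user),
        "median_gap_s": median(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
        # Guessed usernames that exist locally deserve a password check.
        "existing_targets": sorted(set(per_user) & set(local_accounts)),
    }

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE)))
```

Pass the contents of /var/log/messages to `parse_failures` and the set of real mailbox usernames as `local_accounts`; a non-empty `existing_targets` list is the case the first reply says to check.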