Mail server log shows excessive failed logins from IP address in China
Posted on 2006-05-24
Hi. So I got to work this morning and received an email message from GoDaddy, notifying me that my server had exceeded its maximum number of 1000 SMTP relays yesterday. I checked my /var/log/messages log and noticed that a huge number of attempts to authenticate had been made yesterday by an IP address in China. The following entry:
May 23 17:36:49 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
was listed many, many times. This started at 17:35 and occurred every 1 to 5 seconds and lasted till about 17:42.
All of my maillog files were completely empty.
I don't know where to find the SMTP log on a Linux Redhat Fedora server. Can anyone tell me where to look?
My first thought was that one of my website clients has a virus on their computer and it's going crazy sending messages. That's why I was hoping to be able to find an SMTP log showing who was sending messages and at one time. But then with the weird thing going on with the IP address in China...
Any advice would be greatly appreciated.
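The entry quoted in the post is written by sshd through PAM, so it records SSH password guessing, and the defender's first step is to count those failures per source host and per time window rather than reading them one by one. The script below is an added example, not code from the post or its author: it parses lines in the exact format quoted above, counts authentication failures per rhost, and flags any host that produced at least `threshold` failures inside a sliding `window_seconds` window. The sample log is constructed here from the quoted line (the 192.0.2.x addresses and the "Accepted password" line are made up for contrast), and the year 2006 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd(pam_unix) failure line quoted in the post. rhost= may be empty
# and user= may be absent on some PAM failures, so both are optional captures.
FAILURE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\(pam_unix\): authentication failure;"
    r".*?rhost=(?P<rhost>\S*)"
    r"(?:.*?user=(?P<user>\S*))?"
)

# Constructed sample: five rapid failures plus the quoted line from one source,
# one failure from another address, and one unrelated sshd line as noise.
SAMPLE_LOG = """\
May 23 17:35:02 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:35:05 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:35:08 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:35:12 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:35:15 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:36:49 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=22.214.171.124 user=root
May 23 17:40:00 outdoorweb sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=admin
May 23 17:41:00 outdoorweb sshd[2041]: Accepted password for bob from 192.0.2.20 port 40112 ssh2
"""


def parse_failures(text, year=2006):
    """Return a list of (timestamp, rhost, user) for every PAM failure line.

    `year` is an assumption: syslog lines omit it, so the caller supplies the
    year the log was written in (2006 for the post above).
    """
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # not an sshd PAM failure line; ignore
        ts = datetime.strptime(
            f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["rhost"], m["user"] or ""))
    return events


def failures_per_host(events):
    """Total failure count keyed by source address."""
    counts = defaultdict(int)
    for _ts, rhost, _user in events:
        counts[rhost] += 1
    return dict(counts)


def burst_hosts(events, window_seconds=60, threshold=5):
    """Hosts whose peak failure count inside any `window_seconds` span
    reaches `threshold`. Returns {rhost: peak_count}."""
    stamps_by_host = defaultdict(list)
    for ts, rhost, _user in events:
        stamps_by_host[rhost].append(ts)

    alerts = {}
    for rhost, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the span fits in the window.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[rhost] = peak
    return alerts


def analyze(text, year=2006, window_seconds=60, threshold=5):
    """Convenience wrapper: (per-host totals, hosts flagged as bursting)."""
    events = parse_failures(text, year=year)
    return failures_per_host(events), burst_hosts(events, window_seconds, threshold)


if __name__ == "__main__":
    totals, alerts = analyze(SAMPLE_LOG)
    for rhost, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        flag = f"  BURST (peak {alerts[rhost]} in 60s)" if rhost in alerts else ""
        print(f"{rhost:<16} {n:>4} failures{flag}")
```

Run against the real /var/log/messages instead of `SAMPLE_LOG` by passing the file contents to `analyze()`. The window and threshold are deliberately parameters: the post describes one attempt every 1 to 5 seconds for about seven minutes, which a 60-second window with a threshold of 5 catches while leaving a single mistyped password alone.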