Help Needed With Message Log After DOS Attack

sharingsunshine
I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:09 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=library] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]



How can I stop this person from continually trying to break in?  Also, since the IP is private, does that mean they are already in?

Thanks,
Richie Knight, Senior Network Analyst

Commented:
It would appear to be on your local network. Do you have access to or know what 172.31.22.236 is?

Author

Commented:
I am on an Amazon instance and it is listed as private ip and private dns
Richie Knight, Senior Network Analyst

Commented:
Is this the local IP of your mailserver? If not, you could try locking down access to port 25.

Did you want to just block the one IP?

iptables -A INPUT -s 172.31.22.236 -j DROP


You could also block repeated, frequent attempts from the same IP address.  
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP

Author

Commented:
I can't block that IP because it is my private IP address.  Firstly, I was trying to understand what the log entry means.  Secondly, how do I stop them from trying to break in?

Or, is there some way to know their actual IP?

About your code, I am confused: I thought that if I used this command for the offending IP, iptables -A INPUT -s 172.31.22.236 -j DROP, it was permanent?

So how would I use this code?
You could also block repeated, frequent attempts from the same IP address.  
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP


Do you have a mail client that's using your system as a relay to get to the server?  Check the logs on your system to see if you can find something coming through your system to go to the server.

Author

Commented:
I use outlook as a mail client but I use gmail as my mail server.  I wondered the same thing and checked my cable modem to see if it had been compromised.  Best I can tell it hadn't.  I didn't have the default password so it wouldn't be easy to break in.

I am not sure which logs will tell me what you are asking.  I do check the logs so please tell me which one would let me know.
Check the logs on your system with IP 172.31.22.236.

That IP is my internal IP and there seems to be no cross-reference to who is using that internal IP.  Digging deeper, I found the marauders by looking at maillog and I have implemented Fail2Ban to stop them.

I appreciate your attempts to answer my question.
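Two things in this thread are worth seeing in code: what the quoted saslauthd lines do and do not tell you (the token after the timestamp is the syslog hostname of the machine writing the log; an EC2 instance's default hostname is ip-<private address>, so ip-172-31-22-236 names the victim host and no client address is present at all), and the per-address rate check that the iptables recent rules posted earlier perform (--seconds 60 --hitcount 8). The following Python is an added example, not code from the thread or from any of the participants. It parses five of the quoted saslauthd entries, then replays constructed Postfix smtpd lines (the maillog format is stock Postfix "warning: <rdns>[<ip>]: SASL LOGIN authentication failed"; the addresses and timestamps are made up) through the same sliding-window arithmetic, which is also the logic a Fail2Ban jail applies.

```python
"""Added example: interpret saslauthd failures and replay Postfix SASL failures
through the thread's iptables 'recent' rate check. Maillog lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One saslauthd entry as posted. <host> is the syslog hostname of the logging machine
# (on EC2: ip-<private address>), not the client; no client address is logged here.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) saslauthd\[\d+\]:\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] \[realm=(?P<realm>[^\]]*)\] "
    r"\[mech=(?P<mech>[^\]]*)\] \[reason=(?P<reason>[^\]]*)\]$"
)

# Postfix smtpd's matching maillog line does carry the peer address (stock Postfix format;
# the lines fed to it below are constructed for this example).
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: warning: "
    r"(?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

SYSLOG_TS = "%b %d %H:%M:%S"  # syslog timestamps carry no year


def parse_ts(ts):
    return datetime.strptime(ts, SYSLOG_TS)


def summarize_saslauthd(lines):
    """Return (failure count, sorted distinct usernames, set of logging hosts)."""
    users, hosts, n = set(), set(), 0
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            n += 1
            users.add(m.group("user"))
            hosts.add(m.group("host"))
    return n, sorted(users), hosts


def drop_decisions(maillog_lines, window_seconds=60, hitcount=8):
    """Same arithmetic as the thread's two 'recent' rules: the --set rule records every
    new connection, the --update rule drops one whose source has >= hitcount entries
    (this one included) within the last window_seconds. Returns (ip, timestamp, hits)
    for every connection that would be dropped."""
    events = []
    for line in maillog_lines:
        m = POSTFIX_RE.match(line)
        if m:
            events.append((parse_ts(m.group("ts")), m.group("ts"), m.group("ip")))
    events.sort(key=lambda e: e[0])
    seen = defaultdict(deque)  # per-address sliding window of timestamps
    window = timedelta(seconds=window_seconds)
    dropped = []
    for ts, raw_ts, ip in events:
        q = seen[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= hitcount:
            dropped.append((ip, raw_ts, len(q)))
    return dropped


# Five of the entries quoted in the question.
SASL_LINES = [
    "Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]",
    "Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]",
    "Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]",
    "Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]",
    "Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]",
]


def _postfix_line(ts, ip):
    # Constructed maillog line in stock Postfix smtpd format.
    return (f"{ts} ip-172-31-22-236 postfix/smtpd[3001]: warning: unknown[{ip}]: "
            f"SASL LOGIN authentication failed: authentication failure")


# Constructed sample: one documentation-range address failing every 5 s, another failing twice.
MAILLOG_LINES = [_postfix_line(f"Feb 12 10:53:{s:02d}", "203.0.113.45") for s in range(0, 50, 5)]
MAILLOG_LINES += [_postfix_line("Feb 12 10:54:00", "198.51.100.7"),
                  _postfix_line("Feb 12 10:54:30", "198.51.100.7")]

if __name__ == "__main__":
    n, users, hosts = summarize_saslauthd(SASL_LINES)
    print(f"{n} saslauthd failures for {len(users)} usernames, logged by {sorted(hosts)}; "
          "no client address in these lines")
    for ip, ts, hits in drop_decisions(MAILLOG_LINES):
        print(f"{ts}: would drop new connection from {ip} ({hits} in window)")
```

Run it and the saslauthd summary shows only the logging host, which is why blocking 172.31.22.236 would only cut the server off from itself; the replay shows the 203.0.113.45 connections being dropped from the eighth attempt inside the 60-second window onwards, while the two attempts from 198.51.100.7 never reach the threshold. The usernames cycling through the log (mara, tigers, josie, ...) are the signature of a dictionary-style credential guessing run against SMTP AUTH, and maillog is where the guessing client's address is recorded.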

Author

Commented:
Other answers never answered my question.
