• Status: Solved
  • Priority: High
  • Security: Public

Help Needed With Message Log After DOS Attack

I had an attack on my site last night and I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:09 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=library] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]



How can I stop this person from continually trying to break in? Also, since the IP is private, does that mean they are already in?

Thanks,
Asked by: sharingsunshine
1 Solution
 
Richie Knight (Senior Network Analyst) commented:
It would appear to be on your local network. Do you have access to or know what 172.31.22.236 is?
sharingsunshine (Author) commented:
I am on an Amazon instance and it is listed as a private IP and private DNS.
Richie Knight (Senior Network Analyst) commented:
Is this the local IP of your mail server? If not, you could try locking down access to port 25.
serialband commented:
Did you want to just block the one IP?

# drop every packet arriving from that single source address
iptables -A INPUT -s 172.31.22.236 -j DROP

You could also block repeated, frequent attempts from the same IP address.
# record each new connection to port 25 in a recent-list named SMTP ...
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
# ... and drop a new connection once that address has made 8 or more of them in the last 60 seconds
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
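As an added example (not code from the thread), the following Python parses saslauthd records like the ones quoted in the question and applies the 8-hits-in-60-seconds threshold from serialband's iptables rules to the failures themselves. It assumes the standard syslog timestamp layout; the sample is eight of the entries quoted above with the padding after the PID collapsed. The 'hosts' and 'fields' keys of the result show that these records name only the instance's own EC2 hostname and carry no client-address field, which is why the attacker's address has to come from the mail log, not from /var/log/messages.

```python
import re
from collections import deque
from datetime import datetime
# One saslauthd "auth failure" record, as quoted in the question.  The run of
# spaces after the PID is where saslauthd prints a function name; ":\s*:" tolerates it.
LINE_RE = re.compile(
    r'^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) saslauthd\[\d+\]:\s*:\s*'
    r'auth failure: (?P<fields>.*)$')
FIELD_RE = re.compile(r'\[(\w+)=([^\]]*)\]')
# Eight of the entries quoted in the question (padding collapsed), used as sample input.
SAMPLE = """\
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]: : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]: : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]: : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]: : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]: : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]: : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]: : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]: : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
""".splitlines()

def parse(line):
    """Parse one record into its bracketed fields plus 'host' and 'ts'; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group('fields')))
    rec['host'] = m.group('host')
    # syslog omits the year, so strptime fills in 1900; only time differences are used below
    rec['ts'] = datetime.strptime(m.group('stamp'), '%b %d %H:%M:%S')
    return rec

def summarize(lines, window=60, hitcount=8):
    """Apply the answer's hitcount-within-window threshold to the parsed failures and
    report the usernames tried, the hosts named, and the fields the records carry."""
    recs = [r for r in map(parse, lines) if r]
    recent, first_trip = deque(), None  # sliding window of timestamps, like xt_recent
    for r in recs:
        recent.append(r['ts'])
        while (r['ts'] - recent[0]).total_seconds() > window:
            recent.popleft()
        if first_trip is None and len(recent) >= hitcount:
            first_trip = r['ts'].strftime('%b %d %H:%M:%S')
    return {
        'failures': len(recs),
        'users': sorted({r['user'] for r in recs}),
        'hosts': sorted({r['host'] for r in recs}),
        'first_trip': first_trip,
        'fields': sorted(k for k in recs[0] if k not in ('host', 'ts')) if recs else [],
    }
```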
sharingsunshine (Author) commented:
I can't block that IP because it is my private IP address. Firstly, I was trying to understand what the log entry means. Secondly, how do I stop them from trying to break in?

Or, is there some way to know their actual IP?

About your code, I am confused. I thought that if I used this command for the offending IP, iptables -A INPUT -s 172.31.22.236 -j DROP, it was permanent?

So how would I use this code?
You could also block repeated, frequent attempts from the same IP address.
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP

serialband commented:
Do you have a mail client that's using your system as a relay to get to the server?  Check the logs on your system to see if you can find something coming through your system to go to the server.
sharingsunshine (Author) commented:
I use Outlook as a mail client, but I use Gmail as my mail server. I wondered the same thing and checked my cable modem to see if it had been compromised. Best I can tell, it hadn't. I didn't have the default password, so it wouldn't be easy to break in.

I am not sure which logs will tell me what you are asking.  I do check the logs so please tell me which one would let me know.
serialband commented:
Check the logs on your system with IP 172.31.22.236.
sharingsunshine (Author) commented:
That IP is my internal IP, and there seems to be no cross-reference showing who is using that internal IP. Digging deeper, I found the marauders by looking at the maillog, and I have implemented Fail2Ban to stop them.

I appreciate your attempts to answer my question.
sharingsunshine (Author) commented:
Other answers never answered my question.