Help Needed With Message Log After DOS Attack

I had an attack on my site last night. I was looking in /var/log/messages and I see these entries happening every second:

Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:09 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=library] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]



How can I stop this person from continually trying to break in? Also, since the IP is private, does that mean they are already in?

Thanks,
sharingsunshine Asked:

Richie Knight (Senior Network Analyst) Commented:
It would appear to be on your local network. Do you have access to or know what 172.31.22.236 is?
0
sharingsunshine (Author) Commented:
I am on an Amazon instance and it is listed as a private IP and private DNS.
0
Richie Knight (Senior Network Analyst) Commented:
Is this the local IP of your mailserver? If not, you could try locking down access to port 25.
0
serialband Commented:
Did you want to just block the one IP?

iptables -A INPUT -s 172.31.22.236 -j DROP


You could also block repeated, frequent attempts from the same IP address.  
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP
0
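A log-side version of the same idea, added here as an example (not code from the thread or from any project): serialband's second rule drops a source once it opens 8 new SMTP connections in 60 seconds, and this script applies that "N failures in a window" test to the saslauthd lines the question quotes, which is roughly what the Fail2Ban jail the author later turned to does. Two things worth noting while reading the question's log: the `ip-172-31-22-236` field is the syslog hostname of the EC2 instance writing the log (its private-IP-derived name), not the address of whoever is guessing passwords, and saslauthd's `auth failure` lines carry no client address at all. The detector below therefore keys the window on the `realm` field; a production jail keys on the client IP recorded in the mail server's own log (maillog). The sample lines are copied from the question, and the threshold and window values are assumptions that mirror the iptables rule.

```python
"""Flag password-guessing bursts in saslauthd 'auth failure' syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input: the lines quoted in the question, copied verbatim.
SAMPLE_LOG = """\
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=mara] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:56 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=tigers] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:53:58 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=josie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:05 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=stephanie] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2710]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:11 ip-172-31-22-236 saslauthd[2715]:                 : auth failure: [user=amanda] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:32 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=recepcion] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:54:50 ip-172-31-22-236 saslauthd[2711]:                 : auth failure: [user=indiana] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:09 ip-172-31-22-236 saslauthd[2713]:                 : auth failure: [user=library] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
Feb 12 10:55:13 ip-172-31-22-236 saslauthd[2716]:                 : auth failure: [user=seattle] [service=smtp] [realm=seo.thefrugallife.com] [mech=pam] [reason=PAM auth error]
"""

# Syslog prefix ("Mon DD HH:MM:SS host prog[pid]:") followed by saslauthd's own
# "<spaces>: auth failure: [k=v] [k=v] ..." message. The host here is the machine
# that wrote the log line, never the remote client.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"saslauthd\[(?P<pid>\d+)\]:\s*: auth failure: (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_line(line, year=1900):
    """Return a dict for one saslauthd auth-failure line, or None for anything else.

    Syslog timestamps carry no year; pass the real one when a log spans New Year.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "pid": int(m["pid"])}
    event.update(FIELD_RE.findall(m["fields"]))  # user, service, realm, mech, reason
    return event


def parse_log(text, year=1900):
    """Parse every matching line of a log; unrelated lines are skipped."""
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def find_bans(events, key="realm", findtime=60, maxretry=8, bantime=600):
    """Sliding-window detector in the style of the iptables 'recent' rule / Fail2Ban.

    A ban is raised for a key (assumed: the realm, since saslauthd logs no client IP)
    the moment it accumulates `maxretry` failures inside `findtime` seconds; further
    events for that key are ignored until `bantime` seconds have passed, which is
    what a firewall DROP would do to the underlying connections.
    """
    recent = defaultdict(deque)
    banned_until = {}
    bans = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev.get(key)
        if k is None:
            continue
        t = ev["ts"]
        if k in banned_until and t < banned_until[k]:
            continue  # still banned; nothing new to learn from this attempt
        window = recent[k]
        window.append(ev)
        while window and (t - window[0]["ts"]).total_seconds() > findtime:
            window.popleft()  # expire attempts older than the window
        if len(window) >= maxretry:
            bans.append({
                "key": k,
                "at": t,
                "attempts": len(window),
                # A spread of different usernames is the signature of a dictionary attack.
                "users": sorted({e.get("user", "?") for e in window}),
            })
            banned_until[k] = t + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} SMTP auth failures logged by host {evs[0]['host']} (the log host, not the client)")
    for ban in find_bans(evs):
        print(f"BAN {ban['key']} at {ban['at']:%H:%M:%S}: {ban['attempts']} failures in window, "
              f"usernames tried: {', '.join(ban['users'])}")
```

Run it as a script to see the one ban the sample produces at 10:54:11 (the eighth failure within the first 60 seconds). To turn this into a real jail, key on the client IP from maillog instead of the realm and hand the banned address to the firewall, which is what the `recent` rule above does directly on the packet stream without needing the log at all.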
sharingsunshine (Author) Commented:
I can't block that IP because it is my private IP address. Firstly, I was trying to understand what the log entry meant. Secondly, how do I stop them from trying to break in?

Or, is there some way to know their actual ip?

About your code, I am confused: I thought if I used this command for the offending IP, iptables -A INPUT -s 172.31.22.236 -j DROP, it was permanent?

So how would I use this code?
You could also block repeated, frequent attempts from the same IP address.  
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP


0
serialband Commented:
Do you have a mail client that's using your system as a relay to get to the server?  Check the logs on your system to see if you can find something coming through your system to go to the server.
0
sharingsunshine (Author) Commented:
I use Outlook as a mail client, but I use Gmail as my mail server. I wondered the same thing and checked my cable modem to see if it had been compromised. Best I can tell, it hadn't. I didn't have the default password, so it wouldn't be easy to break in.

I am not sure which logs will tell me what you are asking.  I do check the logs so please tell me which one would let me know.
0
serialband Commented:
Check the logs on your system with IP 172.31.22.236.
0
sharingsunshine (Author) Commented:
That IP is my internal IP, and there seems to be no cross-reference showing who is using that internal IP. Digging deeper, I found the marauders by looking at maillog, and I have implemented Fail2Ban to stop them.

I appreciate your attempts to answer my question.
0

sharingsunshine (Author) Commented:
Other answers never answered my question.
0