
saslauthd dictionary attack on sendmail

Posted: 09 May 2012, 01:45
by robfico
We use SASLAUTHD for SMTP authentication with sendmail. saslauthd failures log to /var/log/messages, but don't include the IP:
---
08:12:41 XXXX saslauthd[3686]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
---

But this corresponds to the following entry in /var/log/maillog:
---
May 8 08:12:41 XXXX sendmail[23216]: q48CCUdi023216: a.b.c [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
---

Would it be safe to block on the above maillog entry similar to a POP/IMAP block with a custom regex? Anyone have a quick regex for the above? Any drawbacks to blocking on this type of entry?

Thanks.

Rob

Re: saslauthd dictionary attack on sendmail

Posted: 10 May 2013, 13:12
by Fonant
I used a regex to look for multiple "did not issue MAIL/EXPN/VRFY/ETRN" when I used to use fail2ban. It works very well for sendmail where the IP address isn't recorded by saslauthd (see bugzilla.redhat.com/show_bug.cgi?id=683797, comments.gmane.org/gmane.comp.security.cyrus.sasl/7027).

I've done this, which is not quite SMTP authentication failure logging but should be close enough:

Add to regex.custom.pm:

Code:

# smtpunused: sendmail "did not issue MAIL/EXPN/VRFY/ETRN" lines where only "[ip]" precedes the message; the IP is $4
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
   # (description, ip, identifier, trigger count, ports, block seconds)
   return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","60");
}

but it doesn't seem to do anything :(

I've checked the regexp (copied from regex.pm and modified) and it seems to match the lines OK, which looks like it should work, but nothing seems to happen :(

Re: saslauthd dictionary attack on sendmail

Posted: 11 May 2013, 17:44
by Fonant
Actually, it is working (it was my testing method that was suspect, it seems).

I've increased the block time to an hour now:

Code:

# smtpunused: same match as before, block time raised from 60 to 3600 seconds
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
   return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","3600");
}

Re: saslauthd dictionary attack on sendmail

Posted: 04 Feb 2016, 11:48
by hanzzon
This regex works great, thanks for posting it!
But can anyone tell me how to disable the mail alerts this produces for each hit?

Re: saslauthd dictionary attack on sendmail

Posted: 04 Feb 2016, 12:24
by Fonant
I think this is controlled by:

Code:

LF_EMAIL_ALERT = "0"

in /etc/csf/csf.conf

Re: saslauthd dictionary attack on sendmail

Posted: 13 Feb 2016, 08:34
by hanzzon
Thank you so much, it worked perfect! :)

Re: saslauthd dictionary attack on sendmail

Posted: 24 Aug 2017, 00:56
by WildStar
There are several slightly different entries generated in maillog for the sendmail saslauthd authentication failures.

This expression added to regex.custom.pm will quickly catch them. It will work with or without a match on (may be forged), MTA, MSA, and a host.domain in front of the IP address.

Code:

# mysmtpunused: sendmail "did not issue MAIL/EXPN/VRFY/ETRN" lines, MTA or MSA,
# with or without "(may be forged)" after the IP. The host.domain before the IP is
# optional, (\S+ )?, so lines that carry only "[ip]" also match; the IP stays in $5.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+) ?sendmail\[\d+\]: (\S+): (\S+ )?\[(\d+\.\d+\.\d+\.\d+)] ?(\(may be forged\))? did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to M(?:TA|SA)$/)) {
        # (description, ip, identifier, trigger count, ports, block seconds)
        return ("Unused SMTP connection from",$5,"mysmtpunused","3","25,587","3600");
}
Adjust the trigger level and number of seconds to suit your setup, and don't forget to add a CUSTOMx_LOG to csf.conf.
Kudos to this site https://regex101.com/r/Mmzr0A/2 which helped me test the expression.
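To check a candidate rule against log lines before it goes into regex.custom.pm, here is a stand-alone Perl script (an added example, not CSF's own code and not posted by anyone in this thread) that runs WildStar's pattern, with the host.domain before the IP made optional, over constructed sample maillog lines and tallies hits per IP against the rule's trigger of 3. The hostnames, IPs and queue ids are made up.

```perl
#!/usr/bin/perl
# Dry run of the "mysmtpunused" rule: which maillog lines would count as a hit,
# and which IPs would reach the block trigger. Nothing is blocked; it only reports.
use strict;
use warnings;

# WildStar's pattern with the host before the IP made optional, (\S+ )?, so a line
# that shows only "[ip]" still matches. The IP remains capture group 5.
my $smtpunused = qr/^(\S+|\S+\s+\d+\s+\S+) (\S+) ?sendmail\[\d+\]: (\S+): (\S+ )?\[(\d+\.\d+\.\d+\.\d+)] ?(\(may be forged\))? did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to M(?:TA|SA)$/;
my $trigger = 3;   # hits per IP before a block, the rule's 4th return value

# Returns the client IP for a line the rule would count, or undef otherwise.
sub smtpunused_ip {
    my ($line) = @_;
    if ($line =~ $smtpunused) {
        return $5;
    }
    return undef;
}

# Constructed sample lines (hosts, IPs and queue ids are made up): bare "[ip]",
# resolved host on the MSA port, "(may be forged)", a repeat, and an unrelated line.
my @lines = (
    'May  8 08:12:41 mx1 sendmail[23216]: q48CCUdi023216: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA',
    'May  8 08:12:42 mx1 sendmail[23217]: q48CCUdj023217: client.example.net [203.0.113.6] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA',
    'May  8 08:12:43 mx1 sendmail[23218]: q48CCUdk023218: bogus.example.org [203.0.113.5] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA',
    'May  8 08:12:44 mx1 sendmail[23219]: q48CCUdl023219: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA',
    'May  8 08:12:45 mx1 sendmail[23220]: q48CCUdm023220: from=<a@example.com>, size=12, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=client.example.net [203.0.113.6]',
);

my %hits;
for my $line (@lines) {
    my $ip = smtpunused_ip($line);
    if (defined $ip) {
        $hits{$ip}++;
        print "hit     $ip\n";
    } else {
        print "ignored (not an unused-connection line)\n";
    }
}

# Per-IP summary: 203.0.113.5 has 3 hits and reaches the trigger, 203.0.113.6 has 1.
for my $ip (sort keys %hits) {
    my $action = $hits{$ip} >= $trigger ? "would be blocked" : "below trigger";
    printf "%-15s %d hit(s): %s\n", $ip, $hits{$ip}, $action;
}
```

Replace the sample array with lines from your own /var/log/maillog to confirm the rule matches your sendmail's log format before enabling it.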