saslauthd dictionary attack on sendmail

robfico
Junior Member
Posts: 4
Joined: 09 May 2012, 01:40

saslauthd dictionary attack on sendmail

Post by robfico »

We use SASLAUTHD for SMTP authentication with sendmail. saslauthd failures log to /var/log/messages, but don't include the IP:
---
08:12:41 XXXX saslauthd[3686]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
---

But this corresponds to the following entry in /var/log/maillog:
---
May 8 08:12:41 XXXX sendmail[23216]: q48CCUdi023216: a.b.c [1.2.3.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
---

Would it be safe to block on the above maillog entry similar to a POP/IMAP block with a custom regex? Anyone have a quick regex for the above? Any drawbacks to blocking on this type of entry?

Thanks.

Rob
Fonant
Junior Member
Posts: 3
Joined: 08 Oct 2012, 13:59

Re: saslauthd dictionary attack on sendmail

Post by Fonant »

I used a regex to look for multiple "did not issue MAIL/EXPN/VRFY/ETRN" when I used to use fail2ban. It works very well for sendmail where the IP address isn't recorded by saslauthd (see bugzilla.redhat.com/show_bug.cgi?id=683797, comments.gmane.org/gmane.comp.security.cyrus.sasl/7027).

I've done this, which is not quite SMTP authentication failure logging but should be close enough:

Add to regex.custom.pm:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
   return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","60");
}
but it doesn't seem to do anything :(

I've checked the regexp (copied from regex.pm and modified) and it seems to match the lines OK, which looks like it should work, but nothing seems to happen :(
Fonant
Junior Member
Posts: 3
Joined: 08 Oct 2012, 13:59

Re: saslauthd dictionary attack on sendmail

Post by Fonant »

Actually, it is working (it was my testing method that was suspect, it seems).

I've increased the block time to an hour now:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sendmail\[\d+\]: (\S+): \[(\d+\.\d+\.\d+\.\d+)] did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/)) {
   return ("Unused SMTP connection from",$4,"smtpunused","5","25,587","3600");
}
hanzzon
Junior Member
Posts: 10
Joined: 07 Mar 2012, 20:31

Re: saslauthd dictionary attack on sendmail

Post by hanzzon »

This regex works great, thanks for posting it!
But can anyone tell me how to disable the mail alerts this produces for each hit?
Fonant
Junior Member
Posts: 3
Joined: 08 Oct 2012, 13:59

Re: saslauthd dictionary attack on sendmail

Post by Fonant »

I think this is controlled by:

LF_EMAIL_ALERT = "0"
in /etc/csf/csf.conf
hanzzon
Junior Member
Posts: 10
Joined: 07 Mar 2012, 20:31

Re: saslauthd dictionary attack on sendmail

Post by hanzzon »

Thank you so much, it worked perfect! :)
WildStar
Junior Member
Posts: 2
Joined: 12 Oct 2013, 17:13

Re: saslauthd dictionary attack on sendmail

Post by WildStar »

There are several slightly different entries generated in maillog for the sendmail saslauthd authentication failures.

This expression added to regex.custom.pm will quickly catch them. It will work with or without a match on "(may be forged)", MTA or MSA, and a host.domain in front of the IP address.

# mysmtpunused: one hit per "did not issue MAIL/EXPN/VRFY/ETRN" line, keyed on
# the client IP (capture $5); the optional "(may be forged)" and the MTA/MSA
# alternation cover the maillog variants described above.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+) ?sendmail\[\d+\]: (\S+): (\S+) \[(\d+\.\d+\.\d+\.\d+)] ?(\(may be forged\))? did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to M(?:TA|SA)$/)) {
        # message, IP to block, rule name, trigger count, ports, block time in seconds
        return ("Unused SMTP connection from",$5,"mysmtpunused","3","25,587","3600");
}
Adjust the trigger level and number of seconds to suit your setup, and don't forget to add a CUSTOMx_LOG to csf.conf.
Kudos to this site https://regex101.com/r/Mmzr0A/2 which helped me test the expression.
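Added worked example (not code from this thread, from csf or from sendmail): the same detection in Python so it can be run offline against constructed log lines. It ports the maillog variants WildStar lists (with or without a reverse-DNS name in front of the IP, with or without "(may be forged)", MTA or MSA), counts hits per source IP the way the regex.custom.pm rule does, and also performs the timestamp join robfico described in the opening post between saslauthd failures in /var/log/messages (which carry no client address) and the sendmail lines in /var/log/maillog (which do). All hostnames, addresses, queue IDs and log lines are constructed; the 2-second correlation window and the trigger of 3 are assumed values.

```python
"""Detect saslauthd dictionary attacks on sendmail from the maillog.

Added example, not code from this thread or from csf: it reimplements the
matching of the regex.custom.pm rule in Python so it can be run against
constructed log lines, and adds the timestamp join between saslauthd
failures (no client IP) and sendmail "did not issue" lines (client IP).
All hostnames, IPs, queue IDs and log lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Every maillog variant mentioned in the thread: optional reverse-DNS name
# before [ip], optional "(may be forged)", and connection to MTA or MSA.
MAILLOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+\d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\S+): (?:(?P<rdns>\S+) )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
    r"(?: \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to M(?:TA|SA)$"
)

# saslauthd failure in /var/log/messages; no client address is logged here.
SASL_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+\d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth : auth failure: \[user=(?P<user>[^\]]*)\] \[service=smtp\]"
)


def _ts(text):
    # Syslog stamps carry no year; strptime fills in 1900, which is harmless
    # because only differences between two stamps are used below.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def unused_connections(maillog_lines):
    """[(timestamp, ip)] for each 'did not issue' line, in any of its variants."""
    hits = []
    for line in maillog_lines:
        m = MAILLOG_RE.match(line)
        if m:
            hits.append((_ts(m.group("ts")), m.group("ip")))
    return hits


def sasl_failures(messages_lines):
    """Timestamps of saslauthd SMTP auth failures."""
    return [_ts(m.group("ts")) for m in map(SASL_RE.match, messages_lines) if m]


def count_per_ip(maillog_lines):
    """What the csf rule does: one hit per matching line, keyed by source IP."""
    return Counter(ip for _, ip in unused_connections(maillog_lines))


def correlated_counts(maillog_lines, messages_lines, window=2):
    """Like count_per_ip, but keep only unused connections that fall within
    `window` seconds (assumed value) of a saslauthd failure. This drops
    clients that connect and QUIT without ever attempting AUTH."""
    failures = sasl_failures(messages_lines)
    counts = Counter()
    for when, ip in unused_connections(maillog_lines):
        if any(abs((when - f).total_seconds()) <= window for f in failures):
            counts[ip] += 1
    return counts


def offenders(counts, trigger=3):
    """IPs at or above the trigger count (3 mirrors WildStar's rule)."""
    return sorted(ip for ip, n in counts.items() if n >= trigger)


# Constructed sample logs: 192.0.2.10 hammers SMTP AUTH three times in five
# seconds (one line per maillog variant); 198.51.100.7 is a probe with no
# matching saslauthd failure; the remaining lines are ordinary noise.
MESSAGES = [
    "May  8 08:12:41 mx1 saslauthd[3686]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
    "May  8 08:12:42 mx1 sshd[1200]: Accepted publickey for ops from 203.0.113.9 port 51234 ssh2",
    "May  8 08:12:43 mx1 saslauthd[3686]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
    "May  8 08:12:45 mx1 saslauthd[3686]: do_auth : auth failure: [user=info] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
]
MAILLOG = [
    "May  8 08:12:41 mx1 sendmail[23216]: q48CCUdi023216: a.b.c [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "May  8 08:12:43 mx1 sendmail[23220]: q48CChXy023220: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA",
    "May  8 08:12:44 mx1 sendmail[23222]: q48CCiZZ023222: from=<bob@example.com>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.5]",
    "May  8 08:12:45 mx1 sendmail[23225]: q48CCjAb023225: bad.rdns.example [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "May  8 08:30:00 mx1 sendmail[23300]: q48CU0Qq023300: monitor.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
]

if __name__ == "__main__":
    print("per-IP, csf-style:  ", dict(count_per_ip(MAILLOG)))
    print("per-IP, correlated: ", dict(correlated_counts(MAILLOG, MESSAGES)))
    print("block:", offenders(correlated_counts(MAILLOG, MESSAGES)))
```

The csf-style count is what the regex.custom.pm rule sees: any client that opens a session and closes it without a mail transaction produces the "did not issue" line, including monitoring checks and load-balancer health probes, so on a busy server those sources need whitelisting or the trigger count needs to be set above their rate. The correlated count is stricter: it only charges an IP for an unused connection that coincides with a saslauthd failure, which is the pairing robfico observed in the opening post. The window is a heuristic, since nothing in either log ties the two lines together other than time.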