Re: possible SMTP attack

On Sat, 31.07.2004 at 20:26, Olga wrote:

> I got this message in the logwatch sent to root:

> Client quit before communicating:
>     222.183.141.253 : 1 Time(s)
> 
> **Unmatched Entries**
>    [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)

> What does it mean? How can I protect my server against SMTP attacks?

> Olga

It means someone from host 222.183.141.253 - which does not have to be the
starting point but a transfer point of the "attack", meaning a hacked host
from which the hacker acts, hiding his own personal station - tried to
SMTP AUTH against your Sendmail and failed. He made 6 tries. It might be
harmless if it was one of your users who forgot his username/password
combination. Grep your maillog to see more details.

What to do against it? Not much, unfortunately. Be sure your users only
use secure passwords, not trivial dictionary things. If you encounter
such attacks more often you might set up an automatic log observing tool
like swatch which instantly warns you, e.g. by mail, if someone starts
trying to hack. Or you automatically block the attacking host using
iptables. This could also be done in combination with a tool like swatch
or by your own script run by cron every few minutes.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 20:44:35 up 2:09, 8 users, 0.32, 0.31, 0.32 

Attachment: signature.asc
Description: This is a digitally signed message part
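
Added example (not part of the original message, and not code from swatch or Sendmail): one way to write the cron-run script mentioned in the reply. It sums the "possible SMTP attack: command=AUTH" counts per host from maillog lines and prints iptables rules for review. The threshold, the allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names and limits are assumptions.
THRESHOLD=${THRESHOLD:-10}     # summed AUTH count at which a host is reported
ALLOW=${ALLOW:-"127.0.0.1"}    # space-separated hosts that are never blocked

# Print "ip total" for each host whose summed AUTH count reaches THRESHOLD.
# Reads the log files given as arguments, or stdin when there are none.
auth_offenders() {
    awk -v limit="$THRESHOLD" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    {
        # Accept only a bracketed digits-and-dots address, so no other text
        # from a log line can ever reach the firewall command.
        if (!match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: possible SMTP attack: command=AUTH, count=[0-9]+/))
            next
        hit = substr($0, RSTART, RLENGTH)
        ip  = substr(hit, 2, index(hit, "]") - 2)
        cnt = hit; sub(/.*count=/, "", cnt)
        total[ip] += cnt
    }
    END {
        for (ip in total)
            if (!(ip in skip) && total[ip] >= limit) print ip, total[ip]
    }' "$@" | sort
}

# Dry run: print one iptables command per offender instead of executing it.
block_rules() {
    auth_offenders "$@" | while read -r ip total; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 25 -j DROP  # $total AUTH attempts"
    done
}

# Constructed sample lines in the style of the entry quoted in the message.
sample_log() {
    cat <<'EOF'
Jul 31 18:01:02 mail sendmail[2101]: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 18:04:40 mail sendmail[2117]: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 18:09:13 mail sendmail[2130]: [192.0.2.10]: possible SMTP attack: command=AUTH, count=6
Jul 31 18:11:55 mail sendmail[2144]: [203.0.113.7]: possible SMTP attack: command=AUTH, count=12
EOF
}

sample_log | block_rules
```

A single count=6 entry stays below the threshold, which covers the case of a user who forgot the password; put your own networks into ALLOW. From cron, call block_rules with the path of your maillog instead of the sample.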

