On Sat, 31.07.2004 at 20:26, Olga wrote:

> I got this message in the logwatch sent to root:
> Client quit before communicating:
> 222.183.141.253 : 1 Time(s)
>
> **Unmatched Entries**
> [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)
> What does it mean? How can I protect my server against SMTP attacks?
> Olga

It means someone from host 222.183.141.253 - which does not have to be the starting point but a transfer point of the "attack", meaning a hacked host from which the hacker acts, hiding his own personal station - tried to SMTP AUTH against your Sendmail and failed. He made 6 tries. It might be harmless if it was one of your users who forgot his username/password combination. Grep your maillog to see more details.

What to do against it? Not much, unfortunately. Be sure your users only use secure passwords, not trivial dictionary things. If you encounter such attacks more often, you might set up an automatic log observing tool like swatch which instantly warns you, i.e. by mail, if someone starts trying to hack. Or you automatically block the attacking host using iptables. This could also be done in combination with a tool like swatch or by a script of your own run by cron every few minutes.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 20:44:35 up 2:09, 8 users, 0.32, 0.31, 0.32
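The cron-script approach mentioned in the reply, sketched as an added example (not part of the original message): it sums the `count=` values sendmail reports per bracketed address and prints iptables DROP rules for port 25 instead of executing them. The threshold, the allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find hosts with repeated failed SMTP AUTH and print DROP rules.
THRESHOLD=${THRESHOLD:-6}    # assumed: minimum summed count= before blocking
ALLOW=${ALLOW:-127.0.0.1}    # assumed: space-separated addresses never blocked

# Constructed sample lines in sendmail maillog style (not real log data).
sample_log() {
cat <<'EOF'
Jul 31 20:11:02 mail sendmail[4121]: i6VIB2aa004121: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 20:15:40 mail sendmail[4130]: i6VIFeaa004130: [192.0.2.7]: possible SMTP attack: command=AUTH, count=3
Jul 31 20:19:12 mail sendmail[4142]: i6VIJCaa004142: [192.0.2.7]: possible SMTP attack: command=AUTH, count=4
Jul 31 20:21:55 mail sendmail[4150]: i6VILtaa004150: [198.51.100.9]: possible SMTP attack: command=AUTH, count=2
Jul 31 20:25:03 mail sendmail[4161]: i6VIP3aa004161: [127.0.0.1]: possible SMTP attack: command=AUTH, count=9
Jul 31 20:26:31 mail sendmail[4170]: i6VIQVaa004170: [999.1.1.1]: possible SMTP attack: command=AUTH, count=8
EOF
}

# Read maillog lines on stdin; print "ip total" for each address at or above
# THRESHOLD. Only the bracketed numeric address is trusted, and each octet is
# range-checked before the value can reach a firewall command.
offenders() {
    awk -v min="$THRESHOLD" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: possible SMTP attack: command=AUTH, count=[0-9]+/) {
        hit = substr($0, RSTART + 1, RLENGTH - 1)   # "ip]: possible ... count=N"
        ip = hit;  sub(/\].*/, "", ip)
        cnt = hit; sub(/.*count=/, "", cnt)
        ok = (split(ip, o, ".") == 4)
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (ok && !(ip in skip)) total[ip] += cnt
    }
    END { for (ip in total) if (total[ip] >= min) print ip, total[ip] }
    ' | sort
}

# Print one rule per offender; nothing is executed (review, then run as root).
block_rules() {
    while read -r ip total; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 25 -j DROP"
    done
}

# Demo on the sample. From cron (assumed log path):
#   offenders < /var/log/maillog | block_rules
sample_log | offenders | block_rules
```

Run unchanged from cron, this would print the same rule on every pass, so check the existing rule set (for example with `iptables -C`, where available) before inserting. The allowlist matters because a blocked address may be a shared gateway that legitimate users also send through.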