Bad Guy Problem

PaliGap · November 22, 2012, 12:31pm

I use OSSEC HIDS to block brute force password attacks - and very good it is too. But recently I have been seeing a lot of attacks in the logs that have no IP address. Like this:

Nov 22 11:09:26 myserver saslauthd[4074]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Nov 22 11:09:26 myserver saslauthd[4077]: do_auth : auth failure: [user=ruby] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Because no IP address is being logged I can’t create an OSSEC rule to block these.

Is there something I can do that will enable IP address logging for this kind of thing?

Locutus · November 22, 2012, 2:31pm

If there’s no IP address recorded, it was possibly a local authentication attempt. “user=ruby, service=smtp” sounds like it might be a web software on your machine that is trying a local login? Do you have anything in the Apache logs at that moment?

PaliGap · November 22, 2012, 3:02pm

I hope it’s NOT “web software trying a local login”!

I’ve had a look in Apache logs - cannot see anything there at all.

PaliGap · November 22, 2012, 3:05pm

Ah, but wait a minute… I do see this kind of thing that matches in /var/log/maillog

Nov 22 13:46:30 myserver postfix/smtpd[9645]: warning: unknown[66.64.x.xxx]: SASL LOGIN authentication failed: authentication failure

So I think all I need do is get OSSEC to pick up on those messages and I’ll have an IP address to block!

Locutus · November 22, 2012, 7:08pm

Yepp that’s right… Often you get several log entries, in different logs, for login (attempt) events, and the IP address is recorded in one or the other.