System: Centos 5.5 with Webmin/Virtualmin GPL (latest version)
Since yesterday I have had some sort of attack on my server.
I receive a logwatch email every 24h, and usually it is a file of up to 1MB; yesterday's email was 16MB in size! Today it is 21MB! The majority of the entries are brute force attempts like this:
--------------------- sasl auth daemon Begin ------------------------
Unmatched Entries
pam_succeed_if(smtp:auth): error retrieving information about user 123456
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_succeed_if(smtp:auth): error retrieving information about user test
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_succeed_if(smtp:auth): error retrieving information about user test
pam_unix(smtp:auth): check pass; user unknown
Using names "test", "company", 123, 1234, 123456, etc.
Is there a way to protect the system from this attack? How dangerous is it? Is there a script that will block an IP after a certain number of tries?
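Added example, not part of the original post: a small Python script that parses pam_unix "authentication failure" lines of the kind shown in the logwatch extract above, counts failures per remote host, lists the usernames that were tried, and returns the hosts that a threshold-based blocker (fail2ban is the usual tool for this on CentOS) would act on. The sample lines, the IP addresses and the threshold of 3 are constructed for illustration. One caveat worth noticing in the extract above: its rhost= field is empty, so those summarized lines carry no client address to block; the script skips such lines, and any automatic blocker needs the raw log lines that do record rhost.

```python
import re
from collections import Counter

# Constructed sample in the same pam_unix/pam_succeed_if format as the
# logwatch extract; the rhost addresses are documentation-range values.
SAMPLE_LOG = """\
pam_succeed_if(smtp:auth): error retrieving information about user 123456
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=root
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=test
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=company
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=1234
"""

# Matches the pam_unix failure line; rhost may be empty and user may be absent,
# exactly as in the extract above.
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[\w:-]+)\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)


def parse_failures(text):
    """Return one (service, rhost, user) tuple per authentication failure line.
    Lines that are not failures (e.g. 'check pass; user unknown') are ignored."""
    failures = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures.append((m.group("service"),
                             m.group("rhost") or "",
                             m.group("user") or ""))
    return failures


def count_by_rhost(failures):
    """Failures per remote host. An empty key means the log line recorded
    no client address, which is the case for the lines in the extract."""
    return Counter(rhost for _, rhost, _ in failures)


def users_tried(failures):
    """Sorted set of usernames the attacker guessed (only lines that name one)."""
    return sorted({user for _, _, user in failures if user})


def hosts_over_threshold(failures, threshold=3):
    """Hosts with at least `threshold` failures, i.e. the ones a fail2ban-style
    jail would ban. Entries with an empty rhost are skipped: nothing to block."""
    counts = count_by_rhost(failures)
    return sorted(host for host, n in counts.items() if host and n >= threshold)


def block_commands(hosts):
    """Render (but do not run) the iptables rules an admin would apply for the
    flagged hosts; printed so they can be reviewed before use."""
    return ["iptables -I INPUT -s %s -j DROP" % host for host in hosts]


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print("failures per host:", dict(count_by_rhost(found)))
    print("usernames tried:", users_tried(found))
    for cmd in block_commands(hosts_over_threshold(found)):
        print(cmd)
```

Running it on the constructed sample reports one host with three failures and one with a single failure, and the line with an empty rhost is counted but never flagged. Against a real server the input would be the raw pam/sasl log rather than the logwatch summary, and the threshold would be combined with a time window, which is what fail2ban's `maxretry` and `findtime` settings express.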