Brute force: pam_succeed_if(smtp:auth): error retrieving information about user 123456

System: Centos 5.5 with Webmin/Virtualmin GPL (latest version)

Since yesterday I had some sort of attack to my server.
I’m receiving a logwatch email every 24h and usually it is up to a 1Mb file; yesterday’s email was 16MB in size! Today it is 21MB! The majority of the entries are brute force tries like this:

--------------------- sasl auth daemon Begin ------------------------

Unmatched Entries

pam_succeed_if(smtp:auth): error retrieving information about user 123456
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_succeed_if(smtp:auth): error retrieving information about user test
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_succeed_if(smtp:auth): error retrieving information about user test
pam_unix(smtp:auth): check pass; user unknown

Using names “test”, “company”, 123, 1234, 123456, etc…

Is there a way to prevent the system from this attack? How dangerous is it? Is there a script that will block IP after certain tries?

Howdy,

There are bots that do nothing but scour the Internet all day and night, trying to guess easy usernames and passwords.

Personally, I’m not sure that I’d worry about it too much :slight_smile:

If your system is up to date, and you don’t have simple username/password combinations on your users, they aren’t likely to break in.

However, there are tools along the lines of “denyhosts” that would block a given IP address after so many failed login attempts.

-Eric
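The PAM lines in the original post have an empty rhost= field, which is the one thing a denyhosts-style blocker needs. The following added example (not code from either poster, nor from Webmin/Virtualmin) parses that same log format, counts failures per source and per guessed username, and reports how many failures carry no source at all; the 192.0.2.10 lines are constructed to show the per-source count in action.

```python
import re
from collections import Counter

# Matches the pam_unix failure lines from the logwatch excerpt; rhost may be empty.
PAM_FAIL = re.compile(
    r"pam_unix\(smtp:auth\): authentication failure;.*?rhost=(?P<rhost>\S*)"
    r"(?:\s+user=(?P<user>\S+))?"
)
# Matches the pam_succeed_if lines that name the guessed (non-existent) username.
PAM_UNKNOWN = re.compile(
    r"pam_succeed_if\(smtp:auth\): error retrieving information about user (?P<user>\S+)"
)

# Constructed sample: the page's own lines (blank rhost) plus three lines with a
# documentation-range address (192.0.2.10) filled in, so per-source counting has input.
SAMPLE_LOG = """\
pam_succeed_if(smtp:auth): error retrieving information about user 123456
pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
pam_succeed_if(smtp:auth): error retrieving information about user test
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=root
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=test
"""


def summarize(log_text):
    """Return (failures per rhost, guessed usernames, failures with no rhost)."""
    per_rhost, usernames, no_rhost = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            if m.group("rhost"):
                per_rhost[m.group("rhost")] += 1
            else:
                no_rhost += 1  # nothing an IP-based blocker can act on
            if m.group("user"):
                usernames[m.group("user")] += 1
            continue
        m = PAM_UNKNOWN.search(line)
        if m:
            usernames[m.group("user")] += 1
    return per_rhost, usernames, no_rhost


def sources_to_block(per_rhost, threshold=3):
    """Sources that reached the failure threshold, as a denyhosts-style rule would see them."""
    return sorted(h for h, n in per_rhost.items() if n >= threshold)


if __name__ == "__main__":
    hosts, users, missing = summarize(SAMPLE_LOG)
    print("block:", sources_to_block(hosts), "| guessed:", dict(users), "| no rhost:", missing)
```

The two failures with no rhost show why a blocker fed only the PAM lines cannot act on them; the source address has to come from a log line that records it.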