Brute force. SASL LOGIN authentication failed: authentication failure

Hello,
I checked my /var/log/maillog
There are some IPs that are trying to do a SASL LOGIN authentication all the time.
I think it is called brute force attack.

Feb 18 17:29:10 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:29:20 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:29:21 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:29:34 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:29:44 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:29:45 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:29:58 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:30:08 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:09 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:30:22 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:30:23 hostname postfix/smtpd[22879]: warning: hostname net6-ip210.linkbg.com does not resolve to address 87.246.7.210: Name or service not known
Feb 18 17:30:23 hostname postfix/smtpd[22879]: connect from unknown[87.246.7.210]
Feb 18 17:30:31 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:33 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:30:45 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:30:49 hostname postfix/smtpd[22879]: lost connection after AUTH from unknown[87.246.7.210]
Feb 18 17:30:49 hostname postfix/smtpd[22879]: disconnect from unknown[87.246.7.210]
Feb 18 17:30:55 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:56 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:31:09 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:31:18 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:31:18 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:31:33 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:31:42 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:31:44 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:31:57 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:32:07 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:32:07 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:32:20 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:32:30 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:32:31 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:32:43 hostname postfix/smtpd[25098]: warning: hostname net6-ip210.linkbg.com does not resolve to address 87.246.7.210: Name or service not known
Feb 18 17:32:43 hostname postfix/smtpd[25098]: connect from unknown[87.246.7.210]
Feb 18 17:32:44 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:32:54 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:32:55 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:33:08 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:33:18 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:33:19 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:33:23 hostname postfix/smtpd[25098]: warning: unknown[87.246.7.210]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:33:28 hostname postfix/smtpd[25098]: lost connection after AUTH from unknown[87.246.7.210]
Feb 18 17:33:28 hostname postfix/smtpd[25098]: disconnect from unknown[87.246.7.210]
Feb 18 17:33:32 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:33:41 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:33:42 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:33:55 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:34:05 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:34:06 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:34:19 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:34:29 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:34:30 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:34:43 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:34:53 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:34:54 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:35:03 hostname postfix/smtpd[25098]: warning: hostname net6-ip210.linkbg.com does not resolve to address 87.246.7.210: Name or service not known
Feb 18 17:35:03 hostname postfix/smtpd[25098]: connect from unknown[87.246.7.210]
Feb 18 17:35:07 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:35:17 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:35:17 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:35:30 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:35:40 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:35:41 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:35:43 hostname postfix/smtpd[25098]: warning: unknown[87.246.7.210]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:35:48 hostname postfix/smtpd[25098]: lost connection after AUTH from unknown[87.246.7.210]
Feb 18 17:35:48 hostname postfix/smtpd[25098]: disconnect from unknown[87.246.7.210]
Feb 18 17:35:54 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:36:04 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:36:05 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]
Feb 18 17:36:18 hostname postfix/smtpd[12470]: connect from unknown[212.70.149.54]
Feb 18 17:36:27 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:36:29 hostname postfix/smtpd[12470]: disconnect from unknown[212.70.149.54]
Feb 18 17:36:42 hostname postfix/smtpd[18245]: connect from unknown[212.70.149.54]
Feb 18 17:36:51 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:36:52 hostname postfix/smtpd[18245]: disconnect from unknown[212.70.149.54]

How can I avoid these login attempts?
Thank you.
Regards.

Operating system: CentOS
OS version: CentOS7-2009

@jvr968,

First off, you can’t completely “avoid” login attempts as you’d need to know who was gonna try a malicious attempt.

Next, make sure you have “Fail2Ban” configured correctly. Fail2Ban is an intelligent “Intrusion Detection System” which works in conjunction with your Firewall. When it detects suspicious activity it will temporarily (how long can be configured) block traffic from that source.

Next, monitor what is being blocked. If you notice a “frequent” block being issued, investigate it. Find out if it’s from a legit user who’s just having problems, or a malicious user. Oftentimes malicious attacks originate from IP addresses owned by foreign countries you likely don’t have users in, like Russia or China.

If you find a malicious user constantly attempting to break in, you can add a permanent Firewall rule to block that IP address or even a subnet if the issue is severe.

As noted above, Fail2Ban can be configured to block for a period of time of your choosing. The default is typically around 10 minutes, but if you find this isn’t sufficient you can adjust accordingly.

Also as noted above, make sure you have Fail2Ban rules set up and configured correctly, otherwise it won’t be analyzing that traffic and taking measures to protect you.

If you’d like assistance setting any of this up, and want to learn how to manage this yourself, feel free to PM me and we can set up a screen sharing session to go over it.

*** this would be a “paid” session, but my rates are fair, affordable, and past users would agree that it’s worth every penny. ***

Best Regards,
Peter Knowles | TPN Solutions

Need Professional, Affordable Assistance? Request Help at https://tpnassist.com


Check the fail2ban log to be sure it’s actually working
I’m pretty sure our default config blocks SASL auth on repeated failures.


I forgot to mention.
I already tried to install fail2ban

Downloading fail2ban.wbm.gz (263 bytes) 

Downloading https://www.webmin.com/download/modules/fail2ban.wbm.gz (244 bytes) 

Downloading https://download.webmin.com/download/modules/fail2ban.wbm.gz (164.17 KiB) 

Failed to install standard module : Module fail2ban requires Webmin version 1.970 or above

My actual version:

webmin.noarch 1.962-1 @virtualmin-universal

There are no new Virtualmin updates right now via yum.
I will install it.

I bet there is a way to block the usual attackers’ IPs with a blacklist?
Regards.

I didn’t say anything about the fail2ban Webmin module. It’s built into Webmin. You don’t need/want to add it. But,

I am talking about fail2ban, the system package,
and if you installed Virtualmin in non-minimal mode using our install script, you already have it; it should already be configured appropriately and there will be a fail2ban log.

Hello,
I used GPL install script
wget http://software.virtualmin.com/gpl/scripts/install.sh

I do not have fail2ban installed in the system.

[root@hostname public_html]# yum list fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile

I installed it and I can’t find any fail2ban log at Logs and Reports.
Regards

Is there indeed a way to block a usual attacker’s ips with black list? I too would like to get hold of such a list, let me know when you find one. :wink:

Edit: this was my attempt at humor :point_up_2:
There is no silver bullet, no list of IP addresses which we can block to keep away the bad boys from our servers.

@jvr968 heed the expert advice which you have already received. You need to tell us now if you have done a full install of Virtualmin or a minimal install. Those who do a full install need do nothing more - fail2ban is installed and configured with sensible defaults out of the box when a full install of Virtualmin is done.


I would agree with @Joe and @tpnsolutions - I have known these guys for many years, if not almost a decade - @tpnsolutions aka Peter does possess know-how about CentOS like I do about Debian, and regarding @Joe - he is Virtualmin team - you cannot go wrong with him and them.

@calport - ah, your usual advice is unhelpful and not at all informative - I would let you know what he finds out - same as anyone else - fail2ban works 99.9%. - I think you are just spamming this forum for Google searches for your business, which I could be wrong about, but I’ve seen only 3 genuine help replies from you - the rest was utterly rubbish, some of it was dangerous - can you be a bit cleaner in forums? Stay away - same as me - if you don’t know the answer - please, you know, bad advice = dead, at least for me and others.
Keep the Virtualmin community healthy for everyone! - THANKS


I will strive to improve the quality and quantity of my contributions to the community, @unborn, of which you have been a member much longer than I. Of course I rely upon Google and if you feel any of my messages are spammy then let me know and I would be happy to delete them, or you could flag them for moderation by the admins. I join you in our common goal to contribute to the Virtualmin community.

WRT @jvr968’s issue with fail2ban, it may be a little more involved than your assessment of it working 99.9%, so let’s wait and watch.



I’m using fail2ban and one of the options now is to automatically increase the ban time for repeat offenders. In the last few months the number of attacks has dwindled from thousands per hour to dozens per day. It does take time to set up and it takes time to monitor while you are looking for the best filters. Using the auto-increase options for the latest fail2ban means you do not have to use blacklists.


Hey, keep doing that, you’re on a good path. Just test your ‘solutions’ beforehand.


@paulM yes, with fail2ban you would become your own blacklist provider, but that would come with a bit of RAM cost, not much, and a learning curve.
Not so steep. My bans are usually no less than 3 years; simple to explain: once they realise, they change, then you would have to dismiss them, and new script kiddies use old techniques and old IPs as those are shared online, so let them have it in your own way :wink:

edit: here is an example of how you can block even nasty bots from indexing your site and eating your bandwidth. edit 2: I removed the link to that blog post as I was recently removing WordPress and decided some posts would not be moved to the new platform.


I’ve written this:
I used GPL install script
wget http://software.virtualmin.com/gpl/scripts/install.sh

And I didn’t use the --minimal option in the installation process.
I just executed install.sh and did the default installation.
Regards

Then fail2ban is guaranteed installed on your system, with sensible defaults already in place for blocking brute force attacks on all the commonly used services. In a nutshell, you need to do nothing more; you are already protected against brute force attacks by fail2ban.

Having said that, let’s try and find out why 212.70.149.54 was not being blocked by fail2ban on your system.


This would be via Webmin → System → System Logs, thus:

On one of my systems, when I check the status of my fail2ban service with:
sudo fail2ban-client status

I see:
Status
|- Number of jail:      6
`- Jail list:   dovecot, postfix, postfix-sasl, recidive, sshd, webmin-auth

And when I check the status of the postfix-sasl jail with:
sudo fail2ban-client status postfix-sasl

I see:
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 6
|  |- Total failed:     35121
|  `- File list:        /var/log/mail.warn
`- Actions
   |- Currently banned: 9
   |- Total banned:     3533
   `- Banned IP list:   91.243.45.40 87.246.7.243 196.196.116.85 141.98.80.134 78.128.113.130 210.245.12.98 185.24.233.33 14.248.74.226 5.188.206.235

Also, I find the following quite useful to quickly detect brute force attacks on Postfix:
grep -w "connect from" /var/log/mail.log | awk -F"[" '{print$3}' | awk -F"]" '{print$1}' |sort -n |uniq -c |sort -nr | head -25

The output I see:
7349 78.136.44.6
7349 50.56.142.173
7348 50.57.61.23
455 122.176.30.6
435 54.39.237.138
341 193.56.29.45
307 78.128.113.130
.
.
.

With fail2ban actively banning and unbanning IPs, I get a maximum of 500 failed logins from a typical IP address used by bad actors to brute force attack my system, which is fine by me - they will need to keep at it for decades and centuries to carry out a successful brute force attack at this rate of their progress. Oh, the first three IPs with the very high number of failed attempts - that’s from an external service uptime monitoring system that I use, so I don’t worry about those.

Hope this helps you determine the status and efficiency of performance of fail2ban on your system, @jvr968.

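The two checks calport describes above, counting SASL failures per IP (the grep/awk pipeline) and flagging an IP once it crosses a retry threshold inside a time window (the rule a fail2ban jail applies via maxretry/findtime), as an added Python example; it is not code from the thread or from fail2ban. The log lines are constructed from the ones quoted in the question, the year is assumed because syslog timestamps carry none, and maxretry=5 / findtime=600 are assumed values, not the defaults of any particular jail.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the maillog lines quoted at the top of the thread.
SAMPLE_LOG = """\
Feb 18 17:29:20 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:29:44 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:08 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:31 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:30:55 hostname postfix/smtpd[12470]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:33:23 hostname postfix/smtpd[25098]: warning: unknown[87.246.7.210]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:35:43 hostname postfix/smtpd[25098]: warning: unknown[87.246.7.210]: SASL LOGIN authentication failed: authentication failure
Feb 18 17:36:04 hostname postfix/smtpd[18245]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
"""

# The warning Postfix logs for a failed SASL login, whatever the mechanism (LOGIN, PLAIN, ...).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

def parse_failures(text, year=2000):
    """[(timestamp, ip)] per failure line; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def failures_per_ip(events):
    """Per-IP totals, the same view as the grep | awk | sort | uniq -c pipeline."""
    return Counter(ip for _, ip in events)

def offenders(events, maxretry=5, findtime=600):
    """fail2ban-style rule: flag an IP once it has maxretry failures inside any findtime-second window."""
    recent = defaultdict(list)
    flagged = {}  # ip -> time it crossed the threshold
    for ts, ip in sorted(events):
        if ip in flagged:
            continue  # already banned; a real jail would not see further attempts
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.pop(0)  # expire attempts that fell out of the window
        if len(hits) >= maxretry:
            flagged[ip] = ts
    return flagged
```

On the sample, 212.70.149.54 crosses the threshold at its fifth failure (17:30:55) while 87.246.7.210, with two failures, never does; tightening findtime to 30 seconds flags nobody, which is the knob to watch when a jail seems not to fire.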

Indeed. I maintain ephemeral blocklists of malicious IP addresses. But they’ve become less useful over time as many of the more persistent miscreants seem to have figured out which servers are doing the reporting and tend to avoid them. That’s good for those servers, but not so much for purposes of gathering data.

Richard
