log file explosion

Can anyone suggest a way to lower my log file explosion? I’m getting thousands of these in my log files. Literally, I got 116,352 mail server log entries the night before last:

[code]This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Sep 3 14:03:07 dunn0 postfix/smtpd[31203]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31200]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31207]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:07 dunn0 postfix/smtpd[31218]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:08 dunn0 saslauthd[2511]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:08 dunn0 saslauthd[2510]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:08 dunn0 postfix/smtpd[31209]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 saslauthd[2271]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 saslauthd[2513]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 saslauthd[2512]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:09 dunn0 postfix/smtpd[31214]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31217]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31213]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31208]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:09 dunn0 postfix/smtpd[31211]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 saslauthd[2511]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 saslauthd[2510]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 saslauthd[2271]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:10 dunn0 postfix/smtpd[31207]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31218]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31214]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:10 dunn0 postfix/smtpd[31216]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 postfix/smtpd[31215]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:10 dunn0 postfix/smtpd[31206]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:11 dunn0 saslauthd[2513]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:11 dunn0 saslauthd[2511]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2510]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2271]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2512]: do_auth : auth failure: [user=spam] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep 3 14:03:11 dunn0 saslauthd[2513]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 saslauthd[2512]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 3 14:03:11 dunn0 postfix/smtpd[31208]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:11 dunn0 postfix/smtpd[31211]: warning: unknown[216.55.179.145]: SASL login authentication failed: authentication failure
Sep 3 14:03:11 dunn0 postfix/smtpd[31212]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145
Sep 3 14:03:11 dunn0 postfix/smtpd[31200]: warning: hostname 216-55-179-145.dedicated.codero.net does not resolve to address 216.55.179.145[/code]

Howdy,

Well, that’s a fairly normal message… however, are you saying that all the messages are from that same IP address?

If so, you could always block that IP.

One way to do that is to block it via a firewall.

Or, you can do it from the Linux command line by blocking the route to that host like the following:

[code]route add -host x.x.x.x reject[/code]

Where “x.x.x.x” is the IP address you wish to block.

-Eric

Hi jimdunn

I was also receiving thousands of messages like this until I installed and configured fail2ban. It took a bit of time to tweak it, but once I got it right it bans lots of this sort of thing.

If you are on a Ubuntu system you can install fail2ban with

[code]apt-get install fail2ban[/code]

To find out more about fail2ban you can go to

http://www.fail2ban.org/wiki/index.php/Main_Page

Allan,

Did you happen to write any notes, or a howto, or a faq… with the list of “tweaks”???

Hi jimdunn

The short answer is no.

However, I have been meaning to, so I will, but it will take me a week or two to get around to it. In the meantime there are quite a few around the internet, and to get you started:

  1. Install fail2ban with apt-get install fail2ban.
  2. Copy ‘jail.conf’ and save it in the same folder as ‘jail.local’. Make all modifications in jail.local, not in jail.conf, because jail.conf gets overwritten when there is an update.
  3. Open ‘jail.local’ and edit ‘ignoreip =’ to include your localhost IP and any internal network IPs you don’t want to get banned.
  4. Modify any of the jails below as you need; the names of the variables in the jails will give you an idea what they are about.
  5. If it does not exist, create the file ‘/var/log/fail2ban.log’ and set the permissions to 0640. If the file does not exist, fail2ban won’t log anything.
  6. Restart fail2ban and check the log. If fail2ban cannot start, check which jail it is failing on and, for the time being, comment out each line of the jail that won’t start with a #. Keep doing that until fail2ban starts.

When you have it running, read the jail.local file; it provides lots of info.
Also feel free to ask here and I will try to help with as many questions as I can, but I am no expert; I am learning myself.
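What a fail2ban jail does with the maxretry/findtime settings mentioned above, as added example code (not from the thread and not fail2ban's own code): a sliding-window counter over postfix/smtpd SASL failures, run on log lines constructed in the same format as the ones posted in the question. The host name mx1 and the 192.0.2.x addresses are made up; the hostname and saslauthd lines are deliberately included as the noise that carries no client IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# postfix/smtpd writes one of these warnings per failed SMTP AUTH attempt
# (same layout as the lines in the thread); <ts> and <ip> are what we need.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample: mx1 and 192.0.2.x are documentation values, not real hosts.
SAMPLE_LOG = [
    "Sep 3 14:03:07 mx1 postfix/smtpd[31203]: warning: hostname h.example does not resolve to address 192.0.2.10",
    "Sep 3 14:03:08 mx1 saslauthd[2511]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
    "Sep 3 14:03:10 mx1 postfix/smtpd[31207]: warning: unknown[192.0.2.10]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:10 mx1 postfix/smtpd[31218]: warning: unknown[192.0.2.10]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:11 mx1 postfix/smtpd[31214]: warning: unknown[192.0.2.10]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:11 mx1 postfix/smtpd[31208]: warning: unknown[192.0.2.10]: SASL login authentication failed: authentication failure",
    "Sep 3 14:03:12 mx1 postfix/smtpd[31211]: warning: unknown[192.0.2.10]: SASL login authentication failed: authentication failure",
    "Sep 3 14:05:00 mx1 postfix/smtpd[31300]: warning: unknown[192.0.2.20]: SASL PLAIN authentication failed: authentication failure",
    "Sep 3 14:30:00 mx1 postfix/smtpd[31301]: warning: unknown[192.0.2.20]: SASL PLAIN authentication failed: authentication failure",
]

def parse_ts(ts, year=2000):
    # syslog timestamps carry no year; pin one so the time arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_banned} for every client that produced maxretry SASL
    failures inside one findtime-second window, which is the rule a fail2ban
    jail applies with those two settings."""
    hits = defaultdict(deque)   # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in banned:
            continue            # noise line, or client already banned
        ip, when = m["ip"], parse_ts(m["ts"])
        q = hits[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()         # failure too old to count any more
        if len(q) >= maxretry:
            banned[ip] = when
    return banned
```

With the defaults only 192.0.2.10 is banned (five failures in two seconds); 192.0.2.20's two failures are 25 minutes apart and never fit in a 600-second window, which is why findtime matters as much as maxretry.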

CSF/LFD (the alternative to fail2ban) has pre-configured rules to block dictionary attacks on Postfix and Dovecot (among lots of other things).

Hey AllanIT,

Thanks for all the fail2ban info; since we last spoke, Locutas turned me on to CSF/LFD… and WOW is it ever!!!

(quick HOWTO for CSF/LFD FIREWALL install)

[code]apt-get install libgd-graph-perl
mkdir /root/work/firewall
cd /root/work/firewall
rm -f csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xvzf csf.tgz
cd csf
sh install.sh
perl /usr/local/csf/bin/csftest.pl
sh /usr/local/csf/bin/remove_apf_bfd.sh[/code]

Webmin -> Webmin -> Webmin Configuration -> Webmin Modules

[x] From local file
/usr/local/csf/csfwebmin.tgz
Install Module

[code]less /etc/csf/readme.txt
vim /etc/csf/csf.conf[/code]

NOTE: DO NOT TURN TESTING MODE OFF AND RESTART CSF UNTIL YOU HAVE ADDED YOUR LOCALHOST IP AND YOUR REMOTE IP TO csf.allow, OR YOU’LL GET LOCKED OUT FOR 3600 SECONDS… IN MY CASE, I NEEDED TO ADD THE VMWARE HOST-ONLY GATEWAY…

Webmin -> System -> ConfigServer Security & Firewall -> Quick Allow
or
Webmin -> System -> ConfigServer Security & Firewall -> Firewall Allow IPs

(forgot to say that CSF has a WEBMIN MODULE!!! : )