# sasl login failure: brute force attempt?

## eddieparker

Hello!

Just a quick question here.

In the last few months it seems that some people are trying to force their way into my box.  I've shunted the main attempt at SSH logging in by using a non-standard port; and now it seems like a similar approach might be necessary for my sasl/smtp logins.

I'm wondering if that's the 'best' way of securing/hiding my open ports from hackers, or if I should/could be doing something else.

Just curious how everyone else is handling stuff like this.

Cheers!

-e-

Output from my logs:

```
Oct  1 18:36:56 megatron postfix/smtpd[7671]: warning: SASL authentication failure: All-whitespace username.
Oct  1 18:36:56 megatron postfix/smtpd[7671]: warning: unknown[220.249.207.143]: SASL LOGIN authentication failed: generic failure
Oct  1 18:37:02 megatron saslauthd[4691]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  1 18:37:02 megatron postfix/smtpd[7671]: warning: unknown[220.249.207.143]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:40:53 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: bad protocol / cancel
Oct  2 03:41:05 megatron saslauthd[4692]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:05 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:11 megatron saslauthd[4685]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:11 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:14 megatron saslauthd[4686]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:14 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:29 megatron saslauthd[4686]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:29 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:51 megatron saslauthd[4686]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:51 megatron postfix/smtpd[15447]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
```

----------

## erik258

another good candidate for fail2ban - it can monitor just about any protocol and does so in real time using iptables.  i talked it up quite a bit somewhere on the forums, but check it out for yourself.  it's neat.
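What fail2ban does with its maxretry/findtime settings, written out as an added Python example (not fail2ban's code and not from either post): it scans the postfix/smtpd SASL-failure lines quoted above, counts failures per source address in a sliding window, and reports the addresses that cross the threshold and when. The regex, the thresholds and the year assumed for the syslog timestamps are my choices, not fail2ban's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: a subset of the log lines from the post above (constructed for the example).
SAMPLE_LOG = """\
Oct  1 18:36:56 megatron postfix/smtpd[7671]: warning: SASL authentication failure: All-whitespace username.
Oct  1 18:36:56 megatron postfix/smtpd[7671]: warning: unknown[220.249.207.143]: SASL LOGIN authentication failed: generic failure
Oct  1 18:37:02 megatron postfix/smtpd[7671]: warning: unknown[220.249.207.143]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:40:53 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: bad protocol / cancel
Oct  2 03:41:05 megatron saslauthd[4692]: do_auth         : auth failure: [user=academia] [service=smtp] [realm=www.MyServerDomain.com] [mech=shadow] [reason=Unknown]
Oct  2 03:41:05 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:11 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:14 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:29 megatron postfix/smtpd[15444]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
Oct  2 03:41:51 megatron postfix/smtpd[15447]: warning: unknown[220.249.207.123]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

# Matches only the smtpd lines that carry a client address; the saslauthd
# lines and the "All-whitespace username" line have no source IP and are skipped.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

def parse_ts(ts, year=2000):
    # syslog timestamps carry no year; an assumed fixed year keeps them comparable
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=3, findtime=600):
    """Return {ip: timestamp} for each address that reached maxretry SASL
    failures within a findtime-second window (fail2ban's counting rule)."""
    window = defaultdict(deque)  # per-IP timestamps still inside the window
    hits = {}
    for line in lines:
        m = SASL_FAIL.search(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire old failures
            q.popleft()
        if len(q) >= maxretry and ip not in hits:
            hits[ip] = ts  # the moment a ban action would fire
    return hits

if __name__ == "__main__":
    for ip, ts in offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {ts:%b %d %H:%M:%S}")
```

With the defaults, only 220.249.207.123 is reported (third failure at 03:41:11); the .143 host stops after two and stays under the threshold.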

----------

