• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Failed Mail Authentication

E

Eric Pretorious

Regular Pleskian
Lately I've been spending a lot of time grok'ing the Postfix logfile (i.e., /usr/local/psa/var/log/maillog) and I've been noticing a lot of authentication failures (and even one successful break-in).

Most entries are just a simple pair of log entries that includes the source IP address and then the details of the mailbox name, like this one:
Code: 
Aug 12 08:08:18 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:20 www plesk_saslauthd[4434]: failed mail authenticatication attempt for user 'media@example.com' (password len=6)

But others span dozens of entries over a fairly large timespan before providing any details about the mailbox name, like this one:
Code: 
Aug 12 08:08:30 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:31 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:35 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:39 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:41 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:43 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:46 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:49 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:51 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:55 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:58 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:08:59 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:00 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:05 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:06 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:09 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:14 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:16 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:18 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:20 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:22 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:25 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:28 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:28 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:30 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:31 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:34 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:35 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:39 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:42 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:45 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:45 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:46 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:49 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:51 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:54 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:55 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:56 www postfix/smtpd[4805]: warning: unknown[162.255.86.250]: SASL LOGIN authentication failed: authentication failure
Aug 12 08:09:59 www plesk_saslauthd[4434]: failed mail authenticatication attempt for user 'media@example.com' (password len=6)

How are these entries generated? i.e., Why mailbox name given right away some times (like the first example) while - other times - the account name isn't displayed for several seconds - almost ninety seconds in the second example?
 
Eric Pretorious said:
Lately I've been spending a lot of time grok'ing the Postfix logfile (i.e., /usr/local/psa/var/log/maillog) and I've been noticing a lot of authentication failures (and even one successful break-in).

...How are these entries generated? i.e., Why are the mailbox names given right away sometimes (like the first example) while - other times - the account name isn't displayed for several seconds - almost ninety seconds in the second example?
Click to expand...

I guess that what I'm driving at here is: How can I detect brute force attacks against Postfix and stop the ongoing attacks? If I understood how the messages are logged, I might be able to write a simple script that adds a rule to iptables to stop the attacks.
 
Hi,

A very popular denial of service attack involves a cracker sending many (possibly forged) SYN packets to your server, but never completing the TCP three-way handshake. This quickly uses up slots in the kernel's half-open queue, preventing legitimate connections from succeeding. Since a connection does not need to be completed, no resources need to be used on the attacking machine; therefore, this is easy to perform and maintain.

If the "tcp_syncookies" variable is set (only available if your kernel was compiled with CONFIG_SYNCOOKIES), then the kernel handles TCP SYN packets normally until the queue is full, at which point the SYN cookie functionality kicks in.

SYN cookies do not work by using a SYN queue. Instead, the kernel will reply to any SYN packet with a SYN|ACK normally, but it will present a specially-crafted TCP sequence number that encodes the source and destination IP address, as well as the port number and the time the packet was sent. An attacker performing the SYN flood would never have gotten this packet at all if they're spoofing, so they wouldn't respond. A legitimate connection attempt would send the third packet of the three-way handshake, which includes this sequence number, and the server can verify that it must be in response to a valid SYN cookie and allows the connection, even though there is no corresponding entry in the SYN queue.

Enabling SYN cookies is a very simple way to defeat SYN flood attacks, while using only a bit more CPU time for the cookie creation and verification. Since the alternative is to reject all incoming connections, enabling SYN cookies is the obvious choice.

tcp_syncookies can be enabled with the following:

# /sbin/sysctl -w net.ipv4.tcp_syncookies=1

or

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Thank you,
 
You must log in or register to reply here.

Similar threads

wakabayashi
Resolved Fail2Ban - Postfix not working for SASL (bug?)
Replies
4
Views
2K
mizar
mizar
N
Issue Problem: SASL PLAIN authentication failed
Replies
3
Views
752
Vladimir C.
V
wakabayashi
Question SMTP Firewall - is it possible to block brutforce attacks?
Replies
3
Views
635
Vladimir C.
V
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
2K
Peter Debik
P
J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
2K
josemanuuxd
J
Back
Top