
Interesting find in the logs: SMTP authentication brute force.
Dec 20 20:57:22 gosper saslauthd[1616]: : auth failure: [user=iknidcam1974] [service=smtp] [realm=camp-wireless.org] [mech=pam] [reason=PAM auth error]
Dec 20 20:57:26 gosper saslauthd[1613]: : auth failure: [user=iknidcam1974] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 20 21:54:42 gosper saslauthd[1615]: : auth failure: [user=iknikieh] [service=smtp] [realm=camp-wireless.org] [mech=pam] [reason=PAM auth error]
Dec 20 21:54:47 gosper saslauthd[1617]: : auth failure: [user=iknikieh] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 20 21:57:14 gosper saslauthd[1614]: : auth failure: [user=iknikieh] [service=smtp] [realm=camp-wireless.org] [mech=pam] [reason=PAM auth error]
Dec 20 21:57:23 gosper saslauthd[1615]: : auth failure: [user=iknikieh] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
With lots more for different names. The last one is probably this session:
Dec 20 21:57:16 gosper sm-mta[15854]: STARTTLS=server, relay=[5.188.206.203], version=TLSv1.2, verify=NOT, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Dec 20 21:57:24 gosper sm-mta[15854]: 0BKKvEuN015854: [5.188.206.203] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-SSL
Due to the fact that they abort the session when they can't log in the IP is
seen as annoying by fail2ban and added to the deny list. But that list grows
(suggesting a distributed attack) and is at this moment at 142 currently
blocked hosts.
Update:
Fun part:
10 minutes after I wrote the above the attacks stopped. Hi there! 👋👋
Found one of the really stupid entries:
Dec 20 22:02:41 gosper saslauthd[1613]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 20 22:02:43 gosper saslauthd[1613]: : auth failure: [user=mailer-daemon] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Probably from
Dec 20 22:02:40 gosper sm-mta[17462]: STARTTLS=server, relay=ip-113-67.4vendeta.com [78.128.113.67] (may be forged), version=TLSv1.2, verify=NOT, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Dec 20 22:02:43 gosper sm-mta[17462]: 0BKL2dHK017462: ip-113-67.4vendeta.com [78.128.113.67] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-SSL