Hi everyone,
currently a few persons try to hack into the system via smtp (running sendmail)
A line within the Logfiles looks like this:
Aug 21 14:05:48 marcel sendmail-in[14632]: m7LC5giG014632: [125.64.24.39]: possible SMTP attack: command=AUTH, count=3
The field "m7LC5giG014632" changes all the time, as this is the message-id..
Is there a pattern for this?
Would be great
Thanks in advance..
Marcel
Travel Travel reports, it is all about food
Montreal: Schwartz's, Le Petit Alep
Albums: Pictures and some notes
ITRANS Song Book Hindi, Urdu, Marathi song lyrics
Online ITRANS Web Interface
BlockHosts block hosts
BlockHosts FAQ
BlockHosts Forum
CD Inserts & Envelopes Web Interface
Nisha Ganatra's Films
Cake: starring Heather Graham
Email: avinash@aczoom.com
Copyright © 1995-2016 Avinash Chopde, avinash@aczoom.com
here it is
This pattern will likely work (not tested). Note that since sendmail does not run under TCP_WRAPPERS, so will need to use the --ipblock option to block IP traffic from the host.
Example line: # Aug 21 14:05:48 marcel sendmail-in[14632]: m7LC5giG014632: [10.64.24.39]: possible SMTP attack: command=AUTH, count=3 Pattern used: "sendmailin-Attack": r'{LOG_PREFIX{sendmail-in}}: \[{HOST_IP}]: possible SMTP attack: command=',