Looking For Beginner/Mediocre Help

William A. Fink bill at billfink.com
Mon Jan 20 21:59:31 UTC 2014


I hope I'm not double-posting, posting in a list I'm not supposed to, but it
seems (to me, anyway) a great place to start. Seems it never fails, someone
comes back and complains, this is the wrong list. (No matter which list I've
posted to in the past.)

I've these log entries each and every single day in my security logs:
(needless to say, there are quite a few variations they attempt to use for
username, seems it's getting worse every day.) I've ALL of China/Korea
blocked, might I add. There's a guy who posts the CIDR addresses for/from
China that's ALL in my black-hole routing table. I recognize that can only
go so far, but it did indeed help for a good while.

Any other solution(?) that anyone could help me with here? I'm simply
looking for a simple way to stop these and/or determine where they're coming
from. (No other log shows where they originate from.)

I'm not even certain if I'm USING SASLAUTHD, so is there a way I can
determine where these scripts are coming from so I can easily add their IP
to the black-hole route?

Thanks SO much in advance, and if I posted in the wrong place, please accept
my sincerest apologies - even a one liner where to start to figure out where
these are originating from would be a great help!

Jan 12 00:02:27 rmx saslauthd[978]: do_auth         : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:16:00 rmx saslauthd[980]: do_auth         : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:29:36 rmx saslauthd[981]: do_auth         : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:35:03 rmx saslauthd[966]: do_auth         : auth failure: [user=student] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:43:07 rmx saslauthd[979]: do_auth         : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:56:47 rmx saslauthd[978]: do_auth         : auth failure: [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:10:23 rmx saslauthd[980]: do_auth         : auth failure: [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:24:04 rmx saslauthd[981]: do_auth         : auth failure: [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:24:56 rmx saslauthd[966]: do_auth         : auth failure: [user=support] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:37:48 rmx saslauthd[979]: do_auth         : auth failure: [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:51:20 rmx saslauthd[978]: do_auth         : auth failure: [user=ttest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
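
Added example, not part of the original post: saslauthd records only the username and service, so one way to find the origin is to pair each failure with the mail server's own log entry from the same moment. This sketch assumes the MTA is Postfix and logs "SASL ... authentication failed" warnings; the sample lines and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples. SASL lines use the post's saslauthd format (unwrapped);
# MTA lines assume Postfix smtpd; the IPs are RFC 5737 documentation addresses.
SASL_LOG = """\
Jan 12 00:02:27 rmx saslauthd[978]: do_auth         : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:16:00 rmx saslauthd[980]: do_auth         : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:29:36 rmx saslauthd[981]: do_auth         : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""
MTA_LOG = """\
Jan 12 00:02:27 rmx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 12 00:16:01 rmx postfix/smtpd[1207]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 12 00:29:36 rmx postfix/smtpd[1215]: connect from mail.example.org[192.0.2.10]
"""

SASL_RE = re.compile(r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=([^\]]*)\]")
MTA_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S*\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

def parse(text, pattern, year=2014):
    """Return (timestamp, captured field) per matching line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(1)))
    return events

def correlate(sasl_text, mta_text, window=timedelta(seconds=2)):
    """Pair each saslauthd failure with the closest unused MTA failure in the window."""
    mta = parse(mta_text, MTA_RE)
    used, pairs = set(), []
    for ts, user in parse(sasl_text, SASL_RE):
        near = [(abs(m_ts - ts), i) for i, (m_ts, _) in enumerate(mta)
                if i not in used and abs(m_ts - ts) <= window]
        i = min(near)[1] if near else None
        used.add(i)
        pairs.append((ts, user, mta[i][1] if i is not None else None))
    return pairs

def users_by_ip(pairs):
    """Group attempted usernames by source IP; the None key holds unmatched failures."""
    grouped = defaultdict(list)
    for _, user, ip in pairs:
        grouped[ip].append(user)
    return dict(grouped)
```

Failures grouped under None had no MTA warning within the window, which points to the MTA logging elsewhere or at a lower verbosity rather than to a missing client address.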



More information about the freebsd-hackers mailing list