csf/lfd parameter that prevent smtp attacks?

Question

I have a 4~5MB logwatch like this every day! someone like to hack my smtp:

....
--------------------- sasl auth daemon Begin ------------------------ 


 SASL Authentications failed 3965 Time(s)
 Service smtp (pam) - 3965 Time(s):
    Realm  - 3959 Time(s):
       User: account - PAM auth error - 346 Time(s):
       User: admin - PAM auth error - 346 Time(s):
       User: admin1 - PAM auth error - 147 Time(s):
       User: chris - PAM auth error - 346 Time(s):
       User: contact - PAM auth error - 6 Time(s):
       User: fax - PAM auth error - 346 Time(s):
       User: info1 - PAM auth error - 346 Time(s):
       User: master - PAM auth error - 346 Time(s):
       User: noname - PAM auth error - 346 Time(s):
       User: pamela - PAM auth error - 346 Time(s):
       User: scanner - PAM auth error - 346 Time(s):
       User: test1 - PAM auth error - 346 Time(s):
       User: user1 - PAM auth error - 346 Time(s):
    Realm xxxxx.com - 6 Time(s):
       User: contact@xxxxxxx.com - PAM auth error - 6 Time(s):


 **Unmatched Entries**

 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
 pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
 pam_unix(smtp:auth): check pass; user unknown
.....

what parameter should I change to prevent this brute force on smtp? I think I should change a number but do not know which one.

score 0 · Answer 1 · answered Feb 02 '13 at 17:33

0

The canonical answer to "how to deal with brute force attacks" like these is to use fail2ban. If you're using some sort of web hosting control panel, you may find options related to fail2ban already there.

answered Feb 02 '13 at 17:33

Michael Hampton

237,123
42
477
940

so lfd is useless in this case? – exim Feb 03 '13 at 08:42

csf/lfd parameter that prevent smtp attacks?

1 Answers1