PROPOSAL: opensmtpd AUTH LOGIN attempts
Issue #112
open
SSHguard 2.3.1 FreeBSD 11.1 opensmtpd
The following are examples from the maillog log that are never caught by sshguard.
opensmtpd is configured to not allow AUTH LOGIN at all at port 25, hence it is not reporting auth failure, but Invalid Command.
sshguard should catch 'AUTH LOGIN.* Invalid Command:' as a failed authentication attempt.
Apr 16 20:07:32 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d0166ea2904
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: New session 96e40d04ebbfcdf7 from host 185.234.218.35 [185.234.218.35]
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d04ebbfcdf7: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d04ebbfcdf7
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: New session 96e40d07d93ce0e8 from host 185.234.218.35 [185.234.218.35]
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d07d93ce0e8: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d07d93ce0e8
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: New session 96e40d0a0cf6000d from host 185.234.218.35 [185.234.218.35]
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d0a0cf6000d: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d0a0cf6000d
Comments (3)
Yeah, I noticed it later.
Do I understand correctly that sshguard parses only ONE line at a time?
If so:
- always store previous line in a buffer (and replace on every line)
- when match is found, and we know this is regex from opensmtpd, check if session from current line matches session from previous buffer, and if so extract IP from previous line.
Removing version: 2.2 (automated comment)
This will be a bit tricky to handle since OpenSMTPD is reporting a session ID with that error instead of the address of the attacker.
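One way to resolve the session ID back to an address, as the two comments above discuss (an added example, not SSHguard's own parser): instead of buffering only the previous line, it keeps a small session-to-IP table built from the "New session" lines, so interleaved sessions and "Failed command" lines that do not immediately follow their "New session" line still resolve. The log lines and addresses are constructed (RFC 5737 documentation ranges).

```python
import re
from collections import OrderedDict

# Constructed sample log in the OpenSMTPD smtp-in format shown in the issue;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: New session 96e40d04ebbfcdf7 from host 203.0.113.5 [203.0.113.5]
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: New session 96e40d05aaaa0001 from host 198.51.100.7 [198.51.100.7]
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d04ebbfcdf7: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d04ebbfcdf7
Apr 16 20:13:44 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d05aaaa0001: "EHLO" => 500 5.5.1 Invalid command: Syntax error
Apr 16 20:13:45 xxx smtpd[69101]: smtp-in: Failed command on session 0000000000000000: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
"""

# Session IDs are 16 hex digits; the bracketed address follows the hostname.
NEW_SESSION = re.compile(r'smtp-in: New session (?P<sid>[0-9a-f]{16}) from host \S+ \[(?P<ip>[^\]]+)\]')
AUTH_REJECTED = re.compile(r'smtp-in: Failed command on session (?P<sid>[0-9a-f]{16}): "AUTH LOGIN" => \d{3} .*Invalid command:')
DISCONNECT = re.compile(r'smtp-in: Received disconnect from session (?P<sid>[0-9a-f]{16})')

def extract_attacks(lines, max_sessions=1024):
    """Return a list of (ip, session_id) for each rejected AUTH LOGIN.

    Sessions are tracked by ID, so lines from different sessions may
    interleave. The table is bounded (oldest session evicted first) so a
    flood of new sessions cannot grow it without limit.
    """
    sessions = OrderedDict()   # session id -> client IP
    attacks = []
    for line in lines:
        m = NEW_SESSION.search(line)
        if m:
            sessions[m['sid']] = m['ip']
            while len(sessions) > max_sessions:
                sessions.popitem(last=False)
            continue
        m = AUTH_REJECTED.search(line)
        if m:
            ip = sessions.get(m['sid'])
            if ip is not None:     # unknown session: nothing to report
                attacks.append((ip, m['sid']))
            continue
        m = DISCONNECT.search(line)
        if m:
            sessions.pop(m['sid'], None)   # session ended, drop it
    return attacks
```

The EHLO failure and the AUTH LOGIN line for an unknown session are ignored, so only the rejected AUTH LOGIN from a known session produces an address to report.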