PROPOSAL: opensmtpd AUTH LOGIN attemps

Issue #112 open
Former user created an issue

SSHguard 2.3.1 FreeBSD 11.1 opensmtpd

The following are examples from the maillog log that are never caught by sshguard.

opensmtpd is configured to not allow AUTH LOGIN at all at port 25, hence it is not reporting auth failure, but Invalid Command.

sshguard should catch 'AUTH LOGIN.* Invalid Command:' as failed authentication attemp.

Apr 16 20:07:32 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d0166ea2904
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: New session 96e40d04ebbfcdf7 from host 185.234.218.35 [185.234.218.35]
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d04ebbfcdf7: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:13:43 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d04ebbfcdf7
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: New session 96e40d07d93ce0e8 from host 185.234.218.35 [185.234.218.35]
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d07d93ce0e8: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:19:54 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d07d93ce0e8
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: New session 96e40d0a0cf6000d from host 185.234.218.35 [185.234.218.35]
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: Failed command on session 96e40d0a0cf6000d: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 16 20:26:05 xxx smtpd[69101]: smtp-in: Received disconnect from session 96e40d0a0cf6000d

Comments (3)

  1. Kevin Zheng
    • changed status to open

    This will be a bit tricky to handle since OpenSMTPD is reporting a session ID with that error instead of the address of the attacker.

  2. Rado Sław

    Yeah, I noticed it later.

    Do I understand correctly that sshguard parses only ONE line at a time?

    If so:

    1. always store previous line in a buffer (and replace on every line)
    2. when match is found, and we know this is regex from opensmtpd, check if session from current line matches session from previous buffer, and if so extrac IP from previous line.
  3. Log in to comment