Had (another) hacker trying to abuse sendmail auth today. The attempt was noticed by sshguard and the IP address blocked using a PF table. BUT the remote end never dropped the connection and the pf rule only triggers on a NEW connection, so the hacker was able to continue sending auth trials for several hours before I noticed. I'd restarted sendmail, but service sendmail restart doesn't kill existing MTA connections (which is not at all what I expected). I manually killed the offending process and now PF is doing its work.

Code:
root 5722 0.0 0.1 47648 2760 ?? I 2:54PM 0:00.12 sendmail: s99Lsb2G005722 static-153-130-73-69.nocdirect.com [69.73.130.153]: AUTH (sendmail)

This is a terrible security hole.

Questions:
* Is there a way to get sendmail to close the MTA after an unsuccessful AUTH attempt?
* Should sshguard tell PF to terminate any existing connections when a block is submitted?
* Should restarting sendmail also kill any existing MTA sessions?

What is the right way to deal with this problem?