SMTP and PAM Auth

Here is my scenario - I've been running FreeBSD for many (many) years. (Please don't ask.) I've a box that's been running 9.3 for YEARS and it's "The" most reliable system in my arsenal of servers.

It's been a couple of years (to say the least) since I've written scripts (I retired), but this is a reach-out for help and hopefully it works.

My logs have been FILLED with:
Code:
Jul 26 12:59:01 rmx saslauthd[638]: do_auth         : auth failure: [user=contact] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error]
...CONSTANTLY!

I let it go mostly because my saslauthd (pam) doesn't work, so I thought they'd eventually stop their script(s), but this has been going on for far too long and my syslogs are filled every day.

I'm hoping for help with an easy script that could be written to add their IP to my blackhole routes? Any suggestions? Thank you!
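One way to build the "easy script" asked for above, as an added example that is not from the thread or from any of its posters. One practical point first: the saslauthd line quoted above records the user, service, realm and mechanism but no client address, so it cannot be used on its own to decide whom to block; the peer address has to come from the MTA's own log line for the same failed login. The example assumes a Postfix smtpd log format (`warning: host[ip]: SASL LOGIN authentication failed: ...`), an allowlist of addresses that must never be blocked, and FreeBSD's route(8) `-blackhole` flag; the log lines are constructed, and the route commands are printed rather than executed so the script can be tried safely.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise SMTP AUTH failures per
# client IP and emit FreeBSD blackhole-route commands.
# Assumptions: MTA is Postfix, whose smtpd logs the peer as hostname[ip]
# directly before ": SASL <mech> authentication failed". IPv4 only.

# Constructed sample log. The first line is the saslauthd line from the
# thread; note it names no client address, so it never contributes an IP.
SAMPLE_LOG='Jul 26 12:59:01 rmx saslauthd[638]: do_auth         : auth failure: [user=contact] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error]
Jul 26 12:59:01 rmx postfix/smtpd[640]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul 26 12:59:03 rmx postfix/smtpd[640]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul 26 12:59:05 rmx postfix/smtpd[640]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul 26 12:59:09 rmx postfix/smtpd[641]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul 26 12:59:20 rmx postfix/smtpd[641]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul 26 12:59:31 rmx postfix/smtpd[641]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul 26 13:00:00 rmx postfix/smtpd[642]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jul 26 13:00:01 rmx postfix/smtpd[642]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jul 26 13:00:02 rmx postfix/smtpd[642]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jul 26 13:00:03 rmx postfix/smtpd[642]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jul 26 13:00:05 rmx postfix/smtpd[642]: disconnect from unknown[203.0.113.5]'

# Addresses that must never be blackholed (assumed list; edit for your site).
# 198.51.100.7 stands in for a legitimate user who mistyped a password.
ALLOWLIST="127.0.0.1 198.51.100.7"

# failed_auth_ips THRESHOLD  < logfile
# Prints "IP COUNT", highest count first, for every client with at least
# THRESHOLD failed SASL authentications. Lines without a peer address
# (such as the saslauthd line) are ignored.
failed_auth_ips() {
    awk -v min="$1" '
        /: SASL [A-Za-z0-9-]+ authentication failed/ {
            # peer appears as hostname[ip] immediately before ": SASL"
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)   # strip "[" and "]: SASL"
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# is_allowed IP : succeeds when IP is on the allowlist
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# blackhole_cmds  < "IP COUNT" lines
# Prints one route(8) command per non-allowlisted IP. Nothing is executed
# here; pipe the output to sh as root once you have reviewed it.
blackhole_cmds() {
    while read -r ip count; do
        [ -z "$ip" ] && continue
        if is_allowed "$ip"; then
            printf '# skipping allowlisted %s (%s failures)\n' "$ip" "$count"
            continue
        fi
        printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
    done
}

# Demonstration on the constructed sample with a threshold of 3 failures.
# Prints:
#   route add -host 203.0.113.5 127.0.0.1 -blackhole
#   route add -host 192.0.2.10 127.0.0.1 -blackhole
#   # skipping allowlisted 198.51.100.7 (3 failures)
printf '%s\n' "$SAMPLE_LOG" | failed_auth_ips 3 | blackhole_cmds
```

On a live system the log would be read from /var/log/maillog instead of the embedded sample, and a blackhole route is only as durable as the routing table: it disappears at reboot, and the script does not check whether a route for the address already exists, so a real cron job would want to run `route -n get` (or keep its own list) before adding. Blackholing drops replies to the attacker but still accepts the incoming SYN; a firewall rule (ipfw or pf) blocks earlier and is what fail2ban, mentioned later in the thread, manages for you.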
 
FreeBSD 9.3 has been end-of-life since December 2016 and is not supported any more.

Topics about unsupported FreeBSD versions

My logs have been FILLED with
Sounds like you're getting hit by one of the many, many bots that are scanning the internet looking for things to exploit. You really, really shouldn't be running outdated software and have it accessible from the internet.
 
Thanks for the advice...and I agree with you. That wouldn't stop that/their attempts and it'd still show up in a security log. I would like a script that would put them in my blackhole routes. My "outdated" box has an uptime of a few years, I've got it pretty well locked down and like most, am skeptical to change what's been working SO WELL for so many years. I trust you understand.
 
Uptimes are overrated. It just means you haven't been updating. Not something to brag about.


I trust you understand it's a really, really bad idea to run old and outdated software on the internet in this day and age.
Why thank you for the help I was hoping for. Should I upgrade to Windows Server 2022?
 
You are running an MTA connected to the internet here, according to your topic. MTAs should only be run by people who know what they are doing, and always on the most up-to-date version available, because otherwise your machine might turn into a SPAM relay, damaging trust in your domain/host IP. And if you depend on your email working well, you will be in a lot of trouble clearing things up, getting removed from RBLs and so on.

Obviously you don't know what you are doing, because otherwise you would be able to deal with that type of common scan attack on your own. fail2ban comes to mind. Furthermore, you would keep your system up to date yourself.

And on top of that you've got the wrong priorities, because you value your uptime counter higher than operating your host in a safe manner.

So I totally agree with SirDice - upgrade your box and get your priorities right, because otherwise you will sooner or later be in a world of hurt due to your own actions, or lack thereof.
 
I appreciate all your help, I think I just answered my own question. I appreciate your input.
 
By the way, I'm a network (and Unix) engineer. Again, your input....errrr, opinion versus help is appreciated. (I decided to simply block port 25, if that helps you. Smirk.)
 
What happened to sarcasm? (Block port 25 is what I realized after reading your helpful comment. Thanks so much for your input. Grin.)
 
Check "fail2ban"; it will help you integrate log monitoring with the firewall and reduce those failed attempts.
"The Best" advice yet, thank you. I will look into this. (My original question/answer - I sort-of answered myself. Block port 25 with a utility or 'iperf' sort of fw rule.) Thank you so much!
 
By the way, I'm a network (and Unix) engineer.
There are bad and good engineers in every profession.

Anyway, maybe look at your own threads from six years ago, when 9.3 was actually still supported.
 
Good Lord, _six_ years ago... I cannot imagine. Thank you for your opinion and input.
 
Thanks for all of your replies, it seems I'm getting more opinions than help to my initial question. Please stop, my original question I answered myself, BLOCK port 25 is the answer. I appreciate all the input...thank you!
 