On Mon, Apr 4, 2022 at 9:06 AM Joe Pfeiffer <pfeif...@cs.nmsu.edu> wrote:
> This isn't really debian-specific, but I don't know a better place to
> ask... recently, I've been having servers make a large number of
> attempts to access my mail host using what appear to be random strings
> as usernames -- it looks like this:
>
> Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass;
> user unknown
> Apr 4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Apr 4 03:04:33 snowball saslauthd[1179]: : auth failure:
> [user=1b391vovbh....@pfeifferfamily.net] [service=] [realm=] [mech=pam]
> [reason=PAM auth error]
>
> They all have the same form: <something random>.f...@pfeifferfamily.net
>
> I'm trying to understand the point; it's not like there's any chance any
> of those usernames will be valid. This isn't the usual attempts using
> usernames like root, admin, test1, scan... those I understand.
> So, anybody have any ideas what's up here?
>

That's "normal". Just looking for a response that doesn't return "user unknown", then they've got a valid username they can attempt password attacks on.

So here's the thing: What parts of the internet are you expecting logins from, to your mail server? If the answer is none, then you should be using kernel packet filtering to prevent those incoming messages from reaching your mail server's software.
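Added example (not from anyone in this thread): a small Python script that parses saslauthd "auth failure" lines of the shape quoted above and separates the generated-looking usernames from ordinary probes like "admin", so you can see how much of the noise is the enumeration pattern described in the reply. The sample log lines are constructed (host, PID, example.net domain and usernames are made up), and the "looks generated" rule is a heuristic I chose, not something the thread defines.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the saslauthd/pam_unix lines quoted
# in the thread. Host, PID, domain and usernames are made up for this example.
SAMPLE_LOG = """\
Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr  4 03:04:33 snowball saslauthd[1179]: : auth failure: [user=1b391vovbh.f@example.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:04:41 snowball saslauthd[1179]: : auth failure: [user=x7qpd02lk.f@example.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:05:02 snowball saslauthd[1179]: : auth failure: [user=admin] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:05:10 snowball saslauthd[1179]: : auth failure: [user=joe@example.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Matches the bracketed saslauthd failure record after the syslog prefix.
AUTH_FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) saslauthd\[\d+\]: "
    r": auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] \[reason=(?P<reason>[^\]]*)\]"
)
# The pam_unix line whose presence/absence the reply says the scanner is probing for.
USER_UNKNOWN_RE = re.compile(r"pam_unix\(:auth\): check pass; user unknown$")


def parse_auth_failures(text):
    """Return one dict per 'auth failure' line, with the user split into local part and domain."""
    failures = []
    for line in text.splitlines():
        m = AUTH_FAILURE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        local, _, domain = user.partition("@")
        failures.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": user,
            "local": local,
            "domain": domain,
            "reason": m.group("reason"),
        })
    return failures


def looks_generated(local):
    """Heuristic (my assumption, not a rule from the thread): the leading label of the
    local part, before any '.suffix', is at least 8 characters and mixes letters and
    digits. Plain probes such as 'admin' and real mailbox names fall through as False."""
    core = local.split(".")[0]
    return (len(core) >= 8
            and any(c.isdigit() for c in core)
            and any(c.isalpha() for c in core))


def count_user_unknown(text):
    """Count pam_unix 'user unknown' lines in the log text."""
    return sum(1 for line in text.splitlines() if USER_UNKNOWN_RE.search(line))


def summarize(text):
    """Summarize saslauthd failures so an admin can tell enumeration noise from ordinary guessing."""
    failures = parse_auth_failures(text)
    generated = [f for f in failures if looks_generated(f["local"])]
    return {
        "total": len(failures),
        "generated_usernames": len(generated),
        "user_unknown": count_user_unknown(text),
        "by_domain": dict(Counter(f["domain"] for f in failures)),
        "generated_examples": [f["user"] for f in generated],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed sample; point it at a real auth.log extract by replacing SAMPLE_LOG. Note that the quoted lines carry an empty rhost=, so there is no source address in these records to group on; the reply's packet-filtering advice is where the source-address decision actually gets made, in front of saslauthd rather than in its log.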