
Re: random usernames in attempts to break in to my machine?



On Mon, Apr 04, 2022 at 07:40:47AM -0600, Joe Pfeiffer wrote:
> This isn't really debian-specific, but I don't know a better place to
> ask...  recently, I've been having servers make a large number of
> attempts to access my mail host using what appear to be random strings
> as usernames -- it looks like this:
> 
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
> Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Apr  4 03:04:33 snowball saslauthd[1179]:                 : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
> 
> They all have the same form: <something random>.fsf@pfeifferfamily.net
> 
> I'm trying to understand the point; it's not like there's any chance any
> of those usernames will be valid.  This isn't the usual attempts using
> usernames like root, admin, test1, scan...  those I understand.
> 
> So, anybody have any ideas what's up here?

This is a normal dictionary attack. I've a host up out there, and it looks
similar. Here's what I see:

  tomas@mail:~$ sudo grep user /var/log/auth.log | sed -ne 's/^[^I]*Invalid user \([^ ]*\).*$/\1/ p' | sort -u | wc -l
  6672

So they tried 6672 different names (for roughly 1.5 days worth of
auth.log). The list starts like so:

  a
  aadeoti
  aadil
  aagusti
  aakanksha
  aalakalabi
  aalston
  aamir
  aan
  aanaik
  aaron
  aaronkilik
  aaronli
  aaront
  aaronzhong
  aas
  aasdf
  ...

Probably some dictionary grabbed from "out there". Perhaps there's an
NPM module for it ;-D

I'll have a look whether the source IPs repeat enough that a fail2ban
could be worth the trouble...

Cheers
-- 
t
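
As an added illustration (not part of tomas's message or anything else in this thread), here is the same counting pipeline wrapped in shell functions and run over a constructed auth.log excerpt, together with the per-source-IP breakdown tomas says he will look at before deciding whether fail2ban is worth it. The sshd lines use OpenSSH's "Invalid user NAME from IP port N" wording, the saslauthd lines mirror the form Joe quoted, and every address, username and the ban threshold is made up for the example.

```shell
# Added example, not from the thread. Constructed auth.log excerpt: sshd
# "Invalid user" rejections (the lines tomas's grep/sed counts) and saslauthd
# PAM failures of the form Joe quoted. Addresses and names are invented.
SAMPLE_LOG='Apr  4 03:04:30 snowball sshd[2231]: Invalid user aadeoti from 198.51.100.7 port 51012
Apr  4 03:04:31 snowball sshd[2233]: Invalid user aadil from 198.51.100.7 port 51020
Apr  4 03:04:33 snowball saslauthd[1179]:                 : auth failure: [user=1b391vovbh.fsf@example.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:04:35 snowball sshd[2240]: Invalid user aaron from 203.0.113.9 port 40100
Apr  4 03:04:36 snowball sshd[2242]: Invalid user aadeoti from 203.0.113.9 port 40104
Apr  4 03:04:38 snowball sshd[2244]: Invalid user aamir from 198.51.100.7 port 51044
Apr  4 03:04:40 snowball saslauthd[1179]:                 : auth failure: [user=9qz2ttlf.fsf@example.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Apr  4 03:04:41 snowball sshd[2250]: Invalid user aaron from 192.0.2.55 port 33000'

# Number of distinct names sshd rejected as "Invalid user" (tomas's pipeline,
# reading the log on stdin; tr strips the padding some wc builds print).
count_invalid_users() {
    sed -ne 's/^[^I]*Invalid user \([^ ]*\).*$/\1/p' | sort -u | wc -l | tr -d ' '
}

# Number of distinct usernames presented to saslauthd, taken from the
# [user=...] field of the lines Joe quoted.
count_sasl_users() {
    sed -ne 's/.*auth failure: \[user=\([^]]*\)\].*$/\1/p' | sort -u | wc -l | tr -d ' '
}

# Attempts per source address from the sshd lines, busiest first ("count ip").
attempts_per_ip() {
    sed -ne 's/^.*Invalid user [^ ]* from \([^ ]*\).*$/\1/p' | sort | uniq -c | sort -rn
}

# Addresses with at least $1 attempts, one per line. The threshold is a
# policy choice (assumed here), roughly what a fail2ban maxretry would be.
ips_over_threshold() {
    attempts_per_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

echo "distinct invalid sshd users: $(printf '%s\n' "$SAMPLE_LOG" | count_invalid_users)"
echo "distinct saslauthd users:    $(printf '%s\n' "$SAMPLE_LOG" | count_sasl_users)"
echo "attempts per source IP:"
printf '%s\n' "$SAMPLE_LOG" | attempts_per_ip
echo "sources at or above 3 attempts (candidates for a ban):"
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3
```

Against a real log, replace the printf of SAMPLE_LOG with `sudo cat /var/log/auth.log |` in front of each function; the per-IP list is what tells you whether a few sources account for most of the noise (where a ban helps) or whether it is spread thinly across many hosts (where it mostly will not).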
