
Re: random usernames in attempts to break in to my machine?



Nicholas Geovanis <nickgeovanis@gmail.com> writes:

> On Mon, Apr 4, 2022 at 9:06 AM Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:
>
>  This isn't really debian-specific, but I don't know a better place to
>  ask...  recently, I've been having servers make a large number of
>  attempts to access my mail host using what appear to be random strings
>  as usernames -- it looks like this:
>
>  Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): check pass; user unknown
>  Apr  4 03:04:30 snowball saslauthd[1179]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>  Apr  4 03:04:33 snowball saslauthd[1179]:                 : auth failure: [user=1b391vovbh.fsf@pfeifferfamily.net] [service=] [realm=] [mech=pam] [reason=PAM auth error]
>
>  They all have the same form: <something random>.fsf@pfeifferfamily.net
>
>  I'm trying to understand the point; it's not like there's any chance any
>  of those usernames will be valid.  This isn't the usual attempts using
>  usernames like root, admin, test1, scan...  those I understand.
>  So, anybody have any ideas what's up here?
>
> That's "normal". Just looking for a response that doesn't return "user unknown", then they've got a valid 
> username they can attempt password attacks on.

That's the thing, and why it doesn't look like a dictionary attack.  It
isn't reasonable words or combinations of reasonable words.  Using all
the strings including things like "1b391vovbh" would be looking at many,
many more usernames than necessary, and ending all of them with ".fsf" pretty
much guarantees they'll never get a hit.  The idea that these are
message IDs that got mistaken for usernames when something got scraped
looks more likely, but they don't really look like message IDs either
(the message IDs I see are much longer, and include the FQDN of the
source host).

> So here's the thing: What parts of the internet are you expecting logins from, to your mail server?
> If the answer is none, then you should be using kernel packet filtering to prevent those incoming
> messages from reaching your mail server's software. 

I could reasonably see an email come in from anywhere.

I've now put fail2ban on the case...  I'm still curious what's
happening.

