From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 20 21:59:31 2014
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 087E11F6
	for <freebsd-hackers@freebsd.org>; Mon, 20 Jan 2014 21:59:31 +0000 (UTC)
Received: from rmx.billfink.com (rmx.billfink.com [98.175.222.162])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 95D571FD6
	for <freebsd-hackers@freebsd.org>; Mon, 20 Jan 2014 21:59:30 +0000 (UTC)
Received: from BillsPC (wsip-174-79-172-9.ri.ri.cox.net [174.79.172.9])
	(authenticated bits=0)
	by rmx.billfink.com (8.14.4/8.14.3) with ESMTP id s0KLxTE5039423
	for <freebsd-hackers@freebsd.org>; Mon, 20 Jan 2014 16:59:29 -0500 (EST)
	(envelope-from bill@billfink.com)
From: "William A. Fink" <bill@billfink.com>
To: <freebsd-hackers@freebsd.org>
Subject: Looking For Beginner/Mediocre Help
Date: Mon, 20 Jan 2014 16:59:11 -0500
Message-ID: <06be01cf162a$dd337bd0$979a7370$@billfink.com>
Content-Type: text/plain; charset="us-ascii"
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
X-List-Received-Date: Mon, 20 Jan 2014 21:59:31 -0000

I hope I'm not double-posting or posting in a list I'm not supposed to, but it seems (to me, anyway) a great place to start. It seems it never fails: someone comes back and complains that this is the wrong list. (No matter which list I've posted to in the past.)

I have these log entries each and every single day in my security logs. (Needless to say, there are quite a few variations they attempt to use for the username; it seems to be getting worse every day.)

I have ALL of China/Korea blocked, might I add. There's a guy who posts the CIDR addresses for/from China, and that's ALL in my black-hole routing table. I recognize that can only go so far, but it did indeed help for a good while. Is there any other solution that anyone could help me with here? I'm simply looking for a simple way to stop these and/or determine where they're coming from. (No other log shows where they originate from.)

I'm not even certain if I'm USING SASLAUTHD, so is there a way I can determine where these scripts are coming from so I can easily add their IP to the black-hole route?

Thanks SO much in advance, and if I posted in the wrong place, please accept my sincerest apologies. Even a one-liner on where to start to figure out where these are originating from would be a great help!

Jan 12 00:02:27 rmx saslauthd[978]: do_auth : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:16:00 rmx saslauthd[980]: do_auth : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:29:36 rmx saslauthd[981]: do_auth : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:35:03 rmx saslauthd[966]: do_auth : auth failure: [user=student] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:43:07 rmx saslauthd[979]: do_auth : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:56:47 rmx saslauthd[978]: do_auth : auth failure: [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:10:23 rmx saslauthd[980]: do_auth : auth failure: [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:24:04 rmx saslauthd[981]: do_auth : auth failure: [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:24:56 rmx saslauthd[966]: do_auth : auth failure: [user=support] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:37:48 rmx saslauthd[979]: do_auth : auth failure: [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 01:51:20 rmx saslauthd[978]: do_auth : auth failure: [user=ttest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
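The log lines in the post answer the poster's first question on their own: saslauthd is clearly in use (the MTA is handing SMTP AUTH attempts to it with the PAM mechanism), and the attempts are the usual low-rate dictionary walk through service-style usernames (ups, fedex, noreply, support). What the saslauthd log never records is the client address; saslauthd only sees a username and password from the MTA over its local socket. The peer IP is in the MTA's own log (the Received header shows rmx.billfink.com running sendmail 8.14.4, so on that host it would be the sm-mta lines in /var/log/maillog), so the way to attribute each failure is to join the two logs on timestamp. The script below is an added example written for this thread, not code from the original post or from FreeBSD; the sendmail log lines in it are constructed and their exact format is an assumption for illustration (the parser only relies on the syslog timestamp and a bracketed IPv4 address appearing on the line, which is how sendmail prints relay addresses). The regexes, the matching window, the `min_failures` threshold and the emitted `route add ... -blackhole` commands are the example's own choices; the route(8) syntax is FreeBSD's.

```python
"""Attribute saslauthd SMTP AUTH failures to client IPs via the MTA log.

saslauthd's do_auth line carries only the username; the connecting address
lives in the MTA log. Both are syslog lines with a shared clock on the same
host, so the nearest MTA line that names a peer within a few seconds of each
saslauthd failure is the attacker. (Added example; sm-mta format assumed.)
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The saslauthd lines are taken from the post; the
# sm-mta lines are hypothetical and use RFC 5737 documentation addresses.
SASL_LOG = """\
Jan 12 00:02:27 rmx saslauthd[978]: do_auth : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:16:00 rmx saslauthd[980]: do_auth : auth failure: [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:29:36 rmx saslauthd[981]: do_auth : auth failure: [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 12 00:35:03 rmx saslauthd[966]: do_auth : auth failure: [user=student] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""
MTA_LOG = """\
Jan 12 00:02:26 rmx sm-mta[40112]: s0C52QAb040112: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.45]
Jan 12 00:10:00 rmx sm-mta[40130]: s0C5A0Cd040130: from=<alice@example.net>, size=1204, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Jan 12 00:16:01 rmx sm-mta[40151]: s0C5G1Ef040151: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.45]
Jan 12 00:29:35 rmx sm-mta[40167]: s0C5TZGh040167: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.7]
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
SASL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth : auth failure: \[user=(?P<user>[^\]]*)\]"
)
# sendmail prints the peer as "name [a.b.c.d]" or "[a.b.c.d]"; match the brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_ts(text, year=2014):
    """Syslog timestamps lack a year; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def mta_peers(mta_log):
    """(timestamp, ip) for every MTA line that names a bracketed peer address."""
    events = []
    for line in mta_log.splitlines():
        m, ip = TS_RE.match(line), IP_RE.search(line)
        if m and ip:
            events.append((parse_ts(m.group("ts")), ip.group(1)))
    return events


def correlate(sasl_log, mta_log, window=timedelta(seconds=5)):
    """Map each saslauthd failure to the nearest MTA peer within `window`.

    Returns ({ip: Counter(username)}, [unmatched saslauthd lines]).
    """
    peers = mta_peers(mta_log)
    hits = defaultdict(Counter)
    unmatched = []
    for line in sasl_log.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        near = [(abs(t - ts), ip) for t, ip in peers if abs(t - ts) <= window]
        if near:
            hits[min(near)[1]][m.group("user")] += 1
        else:
            unmatched.append(line)  # MTA log rotated, or clock skew beyond window
    return dict(hits), unmatched


def blackhole_routes(hits, min_failures=2):
    """FreeBSD route(8) commands for peers at or above the failure threshold."""
    return [
        f"route add -host {ip} 127.0.0.1 -blackhole"
        for ip, users in sorted(hits.items())
        if sum(users.values()) >= min_failures
    ]


if __name__ == "__main__":
    hits, unmatched = correlate(SASL_LOG, MTA_LOG)
    for ip, users in sorted(hits.items()):
        print(f"{ip}: {sum(users.values())} failures, users={dict(users)}")
    print(f"{len(unmatched)} saslauthd failures without an MTA peer line")
    print("\n".join(blackhole_routes(hits)))
```

On a live system, feed it `grep saslauthd /var/log/auth.log` and `/var/log/maillog` for the same day; the legitimate 00:10:00 connection is never attributed because no saslauthd failure falls within the window, and the 00:35:03 failure is reported as unmatched rather than guessed, which is the behaviour you want before anything is added to a black-hole route.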